How to protect domains that don't send emails

Criminals can use unprotected domains for email spoofing and phishing, making it easier to commit fraud and damage trust in your organisation.

Read this guide if you want to protect domains which do not send email from spoofing attacks.

This guide is valid for domains which:

  • never send email, such as defensively registered domains or legacy domains
  • previously sent email but no longer do, such as gsi-family domains that are now cloud-based

You only need access to your domain name system (DNS) records to make the changes in this guide.

To protect your domain you need to create:

  • an SPF record that says you do not have any sending servers
  • a DMARC record to reject any email from your domain
  • an empty DKIM key record
  • a null MX record

Make these changes to your domain name system (DNS) records.

Create an SPF record

type: TXT

host or name: @ (if required)

value: v=spf1 -all

If you check your record using nslookup or dig you should get a result like this:

example.com. TXT "v=spf1 -all"

@ TXT "v=spf1 -all"

subdomain.example.com. TXT "v=spf1 -all"

Create a DMARC record

type: TXT

host or name: _dmarc

value: v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc@example.com

Replace dmarc@example.com with the email address that you want reports to be sent to.

If you check your record using nslookup or dig you should get a result like this:

_dmarc TXT "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc@example.com"

Create an empty DKIM record

type: TXT

host or name: *._domainkey

value: v=DKIM1; p=

As this is a wildcard record you cannot check it other than to look in your DNS host admin panel.

Revoke all existing DKIM selectors in both TXT and CNAME records.

This record will make email servers more likely to reject email from your domain.

Create a null MX record

type: MX

host or name: leave this field empty

priority: 0

value: .

Note that some DNS providers do not support a null MX record, so do not worry if you cannot create this record.

Protect subdomains that send emails

You may have a domain that does not send email and a subdomain within that does send email. For example, example.com does not send email but subdomain.example.com does send email.

If you want to protect subdomains that send email, you must:

  • use sp=none instead of sp=reject
  • include SPF and DMARC records and other anti-spoofing configurations on all subdomains
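The following checker is an added example and is not part of this guide. It pulls together the four records described above (SPF, DMARC, the empty DKIM wildcard and the null MX) and the subdomain variant (sp=none when subdomains send email) into one offline test. It runs against a constructed in-memory zone, so the domain names, record values and the `lookup`, `parse_dmarc` and `check_no_send_domain` functions are all assumptions made for the example; to check live DNS you would replace `lookup` with a real resolver query.

```python
"""Offline checker for the 'domain does not send email' DNS records.

Added example, not part of the original guide. The zone is a constructed
dict of DNS name -> list of (type, value) records, so it runs with no network.
"""
import re

# Constructed sample zone: example.com sends no email, but mail.example.com does,
# so the parent DMARC record uses sp=none and the subdomain carries its own records.
SAMPLE_ZONE = {
    "example.com": [("TXT", "v=spf1 -all"), ("MX", "0 .")],
    "_dmarc.example.com": [
        ("TXT", "v=DMARC1;p=reject;sp=none;adkim=s;aspf=s;fo=1;rua=mailto:dmarc@example.com"),
    ],
    "*._domainkey.example.com": [("TXT", "v=DKIM1; p=")],
    "mail.example.com": [("TXT", "v=spf1 mx -all"), ("MX", "10 mx1.mail.example.com.")],
    "_dmarc.mail.example.com": [
        ("TXT", "v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:dmarc@example.com"),
    ],
}

# Constructed zone for a legacy domain that was never locked down.
UNPROTECTED_ZONE = {
    "legacy.example": [("TXT", "v=spf1 ~all"), ("MX", "10 mail.legacy.example.")],
    "_dmarc.legacy.example": [("TXT", "v=DMARC1; p=none; rua=mailto:dmarc@legacy.example")],
}


def lookup(zone, name, rtype):
    """Return record values of type rtype at name, emulating the *._domainkey wildcard."""
    values = [v for t, v in zone.get(name, []) if t == rtype]
    if not values:
        labels = name.split(".")
        if len(labels) > 2 and labels[1] == "_domainkey":
            wild = ".".join(["*"] + labels[1:])
            values = [v for t, v in zone.get(wild, []) if t == rtype]
    return values


def parse_dmarc(txt):
    """Split a 'tag=value;tag=value' TXT value (DMARC or DKIM) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_no_send_domain(zone, domain, subdomains_send=False):
    """Return a list of findings; an empty list means the domain matches the guide.

    subdomains_send=True applies the guide's variant: sp=none instead of sp=reject.
    """
    findings = []

    spf = [v for v in lookup(zone, domain, "TXT") if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("SPF: expected exactly one v=spf1 record, found %d" % len(spf))
    elif re.sub(r"\s+", " ", spf[0].strip().lower()) != "v=spf1 -all":
        findings.append("SPF: expected 'v=spf1 -all', found %r" % spf[0])

    dmarc = [v for v in lookup(zone, "_dmarc." + domain, "TXT") if v.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append("DMARC: expected exactly one v=DMARC1 record, found %d" % len(dmarc))
    else:
        tags = parse_dmarc(dmarc[0])
        expected_sp = "none" if subdomains_send else "reject"
        for tag, want in (("p", "reject"), ("sp", expected_sp), ("adkim", "s"), ("aspf", "s")):
            got = tags.get(tag)
            if tag == "sp" and got is None:
                got = tags.get("p")  # sp defaults to p when absent
            if got != want:
                findings.append("DMARC: %s=%s, expected %s" % (tag, got, want))
        if not tags.get("rua", "").startswith("mailto:"):
            findings.append("DMARC: rua missing or not a mailto: address, reports will not arrive")

    # Any selector name should hit the wildcard; 'probe' is an arbitrary constructed selector.
    dkim = lookup(zone, "probe._domainkey." + domain, "TXT")
    if not dkim:
        findings.append("DKIM: no *._domainkey wildcard record, selectors resolve to nothing")
    else:
        tags = parse_dmarc(dkim[0])
        if tags.get("v") != "DKIM1" or tags.get("p", "x") != "":
            findings.append("DKIM: wildcard should be 'v=DKIM1; p=' (empty key), found %r" % dkim[0])

    # A missing MX is tolerated because some providers cannot publish a null MX.
    mx = lookup(zone, domain, "MX")
    if mx and not (len(mx) == 1 and mx[0].split() == ["0", "."]):
        findings.append("MX: expected a single null MX '0 .', found %r" % mx)
    return findings


if __name__ == "__main__":
    print("parent, sp=reject expected:", check_no_send_domain(SAMPLE_ZONE, "example.com"))
    print("parent, subdomains send  :", check_no_send_domain(SAMPLE_ZONE, "example.com", True))
    print("legacy domain            :", check_no_send_domain(UNPROTECTED_ZONE, "legacy.example"))
```

Run as-is, the parent domain passes only when `subdomains_send=True`, because its DMARC record carries sp=none; with the default it is reported as a policy mismatch, and the legacy zone collects one finding per record that is missing or too permissive.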