If you are like me, you probably have a couple of domain names. Some in use, some cool to have, some for other people. Recently I realized that spammers can use domains that are not properly configured to use email and so I looked in to how to protect these domains while parked (or only in use for a simple site). I came across this elaborate document from the M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group), I tried summarizing it below. Replace the bold example.com in the examples below by your own parked domain.
SPF (RFC7208):
The SPF record is used to determine from what servers email is allowed to originate. So the receiving server will check if an email originated from the servers mentioned in the SPF record and if the check fails your email is more likely to be marked as spam. If you don’t use email for a domain you can set the SPF record to the following:
Domain: | Type: | Content: |
example.com | TXT | v=spf1 -all |
*.example.com | TXT | v=spf1 -all |
This indicates that the domain (first record) nor any of it’s subdomains (second record) is sending out any email.
DKIM (RFC5585):
DKIM is used to check if email originated from the server it says it originated from: By signing emails with the private key of the server, a receiving server can check if it is signed properly by checking it against the public key in the corresponding DNS record. If the check fails your email is more likely to be marked as spam. If you don’t use email for a domain you can set the DKIM record to the following:
Domain: | Type: | Content |
*._domainkey.example.com | TXT | v=DKIM1; p= |
*.example.com | TXT | v=DKIM1; p= |
This indicates that all DKIM keys for this domain have expired and email is treated as if it is unsigned. Therefore it’s even more likely to be marked as spam.
MX (RFC7505):
The MX records are used to point any incoming email to the right server. If you don’t use email for a specific domain you can set the MX records to the following:
Domain: | Type: | Priority: | Content: |
example.com | MX | 0 | . |
*.example.com | MX | 0 | . |
This indicates that the domain (first record) nor any of it’s subdomains (second record) is receiving any email.
DMARC (RFC7489):
With DMARC you can monitor your domain and tell other providers what needs to be done with email that fails SPF or DKIM checks. Email providers send aggregated reports with summaries about the email they received from your domain and what action was taken according to the policy you set (RUA reports). They can even send you the content of messages with failed checks (RUF reports) (think of privacy concerns if you enable this on a domain that is used for email and by multiple people). You want to set this policy to reject all email that fails any check since in this example you don’t send any email, therefore everything sent is malicious.
If you don’t use email for a domain you can set the record to:
Domain: | Type: | Content: |
_dmarc.example.com | TXT | v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:someone@otherdomain.nl; ruf=mailto:someone@otherdomain.nl; aspf=s; adkim=s; fo=1; |
You will also need a record for the otherdomain.nl in order to receive the RUA en RUF reports. I use my administrative domain for this task and therefore have one of these records for al parked domains. You can’t use a Gmail adress for example, because you are not able set DNS for Gmail.com.
Domain: | Type: | Content: |
example.com._report._dmarc.otherdomain.nl | TXT | v=DMARC1; |
Monitoring with a DMARC service or hosting it yourself:
The RUA en RUF emails are not formatted for humans to easily read them. If you are tired of manually checking them you can create a solution of your own with some scripts etc or use services to make this easy for you. You can even host certain services yourself, like parsedmarc or use a commercial service like DMARCIAN (they let you add as many parked domains as you want for free).
That’s it! Spammers are now less likely to abuse your domain!
What about requesting certificates?
CAA records mange those! I will make a dedicated blog post about that.