Locking down your unused domains

Here's a neat DMARC trick that I would have implemented sooner, had I read MAAWG's "Best Practices for Parked Domains" document a little closer back when it came out back in late 2015. But back then, I wasn't as DMARC savvy as I was now.

Anyway, the trick is this: If you have a domain that doesn't send mail, here's how you lock it down -- publish DNS records -- that tell the big ISPs that any mail pretending to be from that domain should be rejected, because it is illegitimate.

To do that, you'll want to configure two DNS records for your domain.

First, create an SPF record for your domain. This is a TXT record that goes at the top level of your domain. In it, paste this text: "v=spf1 -all" (without the quotes). A domain that sent email would use this record to specify what IP addresses are allowed to send mail on this domain's behalf. Since there are none, we're leaving it entry. The "dash all" directive at the end tells ISPs to treat mail from IP addresses not listed here as very suspicious. I call this SPF lockdown and I've talked about it before.

Second, create a DMARC record for your domain. This is a TXT record as well, called _dmarc and when you create it, paste the following text: "v=DMARC1; p=reject;" (without the quotes). This tells ISPs to reject unauthenticated mail purporting to be from your domain name. Most people, when setting up a comprehensive DMARC record, set up reporting addresses to receive failure reports, and include that information in the DMARC record. You don't have to do that, though. Save yourself the time and don't worry about that. (Want to see an example DMARC record? Here's mine.)

The DMARC record is the new part of the trick, and it's an important bit.

Together, with those two DNS records, you're pretty well covered to tell ISPs that this domain doesn't send any mail (or technically, that any forged mail purporting to be from this domain should be rejected -- and since you send no legitimate mail from this domain, any mail seen at all is going to be forged, and therefore, rejected).

Spammers have a long history of forging domain names in spam. This simple little process makes your unused domain name much less useful to spammers. If they spoof that domain name in spam, most of that mail will get rejected. Smart spammers might even check to see if a domain publishes a "reject" DMARC policy and avoid ones that do.
Post a Comment