A domain with no email server is still susceptible to spoofing attacks.

Unfortunately, Domain Name System (DNS) hosting providers do not prevent domains from being spoofed by default, even though spoofing is preventable with minor changes to the DNS records. The fix is simple, but it is not well known among webmasters.

If you have an email server, it is important to have appropriately set DNS records to receive email. This guide assumes there is no active email server. Mailbox names such as [email protected] or [email protected] should be accessible if an email server is active - see RFC 2142.

This guide is aimed at domains that:

  • Never send email.
  • Previously sent or received email but do not any more.

What you’ll need to do:

  • Create a Sender Policy Framework (SPF) record that indicates you do not have any servers for sending mail.
  • Create an empty DomainKeys Identified Mail (DKIM) record.
  • Create a Domain-based Message Authentication Reporting and Conformance (DMARC) record that rejects any email from your domain.

Replace all mentions of the keyword domain in this article with your domain name.

DNS Configuration

Create an SPF record

type: TXT
name: @ (if this value is required)
content: v=spf1 -all

To verify the change once your DNS update has propagated: on the Windows Command Line, run nslookup -type=txt domain. On the Mac OS Terminal, run dig txt domain.

Create an empty DKIM record

Revoke all pre-existing DKIM selectors in both TXT and CNAME records.

type: TXT
name: *._domainkey
value: v=DKIM1; p=

To verify the change once your DNS update has propagated: on the Windows Command Line, run:

>nslookup
>set q=txt
>selector._domainkey.domain

On the Mac OS Terminal, run dig txt selector._domainkey.domain.

Create a DMARC record

type: TXT
name: _dmarc
value: v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;

To verify the change once your DNS update has propagated: on the Windows Command Line, run nslookup -type=txt _dmarc.domain. On the Mac OS Terminal, run dig txt _dmarc.domain.
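
The three verification lookups above return raw TXT strings that still have to be read by eye. The following is an added example, not part of the original guide: it checks TXT answers (in the quoted form dig +short prints) against the three records recommended here. The function names and the sample answers are constructed for illustration.

```python
# Added example: offline audit of the three no-mail TXT records from this guide.
# Inputs are TXT answers as printed by `dig +short txt <name>` (quoted strings).

def unquote(txt):
    """Join the quoted chunks dig prints for one TXT record into one string."""
    txt = txt.strip()
    return "".join(txt.split('"')[1::2]) if '"' in txt else txt

def tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM, DMARC) into a dict, keys lowercased."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(apex_txt, dkim_txt, dmarc_txt):
    """Return a list of findings; an empty list means all three records match."""
    findings = []
    spf = [r for r in map(unquote, apex_txt) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero gives no policy, more than one is an SPF error
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: '{spf[0]}' is not 'v=spf1 -all'")

    dkim = [t for t in map(tags, map(unquote, dkim_txt)) if "p" in t]
    if not dkim:
        findings.append("DKIM: no key record returned for the queried selector")
    elif any(t["p"] for t in dkim):
        findings.append("DKIM: a public key is still published (p= is not empty)")

    dmarc = [t for t in map(tags, map(unquote, dmarc_txt)) if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        p = dmarc[0].get("p", "").lower()
        sp = dmarc[0].get("sp", p).lower()  # sp falls back to p when absent
        if p != "reject":
            findings.append(f"DMARC: p={p or 'missing'} does not reject")
        if sp != "reject":
            findings.append(f"DMARC: subdomain policy {sp or 'missing'} is not reject")
    return findings

# Constructed sample answers (not real lookups).
GOOD = (['"v=spf1 -all"'], ['"v=DKIM1; p="'],
        ['"v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;"'])
WEAK = (['"v=spf1 ~all"', '"site-verification=constructed"'],
        ['"v=DKIM1; k=rsa; p=MIIBconstructed"'], ['"v=DMARC1; p=none"'])

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("weak", WEAK)):
        print(label, audit(*sample) or "OK")
```

Pass the answers for domain, selector._domainkey.domain and _dmarc.domain as the three arguments, in that order.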