In some cases, you may want to use a domain name only to redirect to your website or for brand protection. If you're not using that domain name for e-mail, make sure spam filters know that nobody should ever send email from it. This prevents spammers from abusing your domain for e-mail spoofing and fraudulent messages.
By making a few DNS adjustments, you can clearly announce to the rest of the internet: “This domain does not send email.”
Publish an SPF-record that blocks all mail
With a TXT-record on your domain name with the value "v=spf1 -all" you clearly indicate that no mailserver may send mail from your domain name.
Publish a null MX-record
A null MX record makes it explicit that your domain does not accept incoming mail either. Typically a spam filter will think it's suspicious if a sender address can't receive a response. To do this, add an MX-record with just a dot "." as its value and MX-pref set to 0.
Make sure DKIM will never be valid
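Add a wildcard TXT-record on *._domainkey with the value "v=DKIM1; p=" to ensure that DKIM checks will always fail. An empty p= tag tells verifiers the key has been revoked, so no signature under any selector can validate.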
Publish a strict DMARC policy
On _dmarc add a TXT-record with the contents "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s":
- p=reject: reject all unauthenticated messages.
- sp=reject: also apply this rule to any subdomains.
- adkim=s and aspf=s: strict alignment checks.
With these settings, any attempt to spoof your domain in email should be rejected by receiving servers.
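
To verify the four records after publishing them, the following added example (not part of the original article) audits `dig +noall +answer` style output and lists every setting that deviates from the values above. The sample answers, the domain `example.com` and the selector name `sel1` are constructed placeholders; any selector should be answered by the wildcard.

```python
import re

# Constructed sample of `dig +noall +answer` lines for a domain that sends no mail.
SAMPLE = """
example.com.                 3600 IN TXT "v=spf1 -all"
example.com.                 3600 IN MX  0 .
sel1._domainkey.example.com. 3600 IN TXT "v=DKIM1; p="
_dmarc.example.com.          3600 IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"
"""

def parse(text):
    """Return {(owner, type): [rdata, ...]} from dig-style answer lines."""
    records = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)", line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower().rstrip("."), m.group(2).upper(), m.group(3)
        if rtype == "TXT":   # join multi-string TXT rdata and drop the quotes
            rdata = "".join(re.findall(r'"([^"]*)"', rdata))
        else:                # collapse whitespace so "0   ." equals "0 ."
            rdata = " ".join(rdata.split())
        records.setdefault((owner, rtype), []).append(rdata)
    return records

def tags(value):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict."""
    pairs = (part.partition("=") for part in value.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}

def audit(text, domain, selector="sel1"):
    """Return a list of findings; an empty list means all four settings are in place."""
    r, findings = parse(text), []
    spf = [t for t in r.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1 or spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append("SPF: expected exactly one record 'v=spf1 -all'")
    if r.get((domain, "MX"), []) != ["0 ."]:
        findings.append("MX: expected a single null MX '0 .'")
    dkim = [tags(t) for t in r.get((f"{selector}._domainkey.{domain}", "TXT"), [])]
    if not dkim or any(d.get("p", "missing") != "" for d in dkim):
        findings.append("DKIM: wildcard should answer with an empty p= tag")
    dmarc = [tags(t) for t in r.get((f"_dmarc.{domain}", "TXT"), [])
             if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return findings + ["DMARC: expected exactly one record"]
    want = {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}
    return findings + [f"DMARC: {k} should be {v}" for k, v in want.items()
                       if dmarc[0].get(k, "").lower() != v]
```

Feed it the combined answers of the TXT and MX queries for the domain, one arbitrary selector under `_domainkey`, and `_dmarc`.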