Parked E-Mail Domain


If you're managing a parked domain—one that isn't actively sending or receiving email—you should still secure it against abuse. Even if no mailboxes are in use, attackers can spoof your domain to send phishing or spam emails, putting your brand and reputation at risk.

DMARC

"v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=s; aspf=s; fo=1;"

Breakdown of your DMARC record:

| Tag | Meaning |
| --- | --- |
| v=DMARC1 | This specifies the DMARC protocol version. Must be DMARC1. Required. |
| p=reject | This is the main policy for your domain: Reject any email that fails both SPF & DKIM checks and alignment. |
| sp=reject | This is the subdomain policy: Reject emails from subdomains that fail checks (e.g., mailer.sub.domain.com). |
| rua=mailto:[email protected] | This is the Aggregate report address: ISPs will send daily summary reports (in XML) here. |
| ruf=mailto:[email protected] | This is the Forensic report address: Receives per-message failure reports (if supported by ISP). |
| adkim=s | DKIM alignment: strict — The DKIM signature must exactly match the domain. No subdomains. |
| aspf=s | SPF alignment: strict — The envelope sender domain must also match exactly. |
| fo=1 | Failure reporting option: Send a forensic report if either SPF or DKIM fails (not just both). |

You don't have to include the sp= tag, but I want to be absolutely certain the DMARC policy applies to all subdomains—so I include it explicitly for clarity and enforcement.

SPF

"v=SPF1 -all"

Breakdown of SPF record:

| Component | Explanation |
| --- | --- |
| v=SPF1 | Specifies the version of SPF being used. Required. |
| -all | Hard fail — this tells mail servers: “No mail should ever be sent from this domain.” Any email claiming to come from this domain should be rejected. |

SMTP_TLS

I like adding this value so that you can get reports back if someone is trying to maliciously use your domain.

"v=TLSRPTv1; rua=mailto:[email protected]"

Breakdown of SMTP_TLS record:

| Component | Explanation |
| --- | --- |
| v=TLSRPTv1 | This specifies the version of TLS-RPT being used. Currently, only TLSRPTv1 is valid. |
| rua=mailto:[email protected] | This is the reporting address where email providers will send TLS failure reports (in JSON format) about email delivery issues with your domain, specifically related to STARTTLS and encryption failures. |

DKIM

For this parked domain, I will not be publishing any DKIM records. Since no email will be sent from this domain, DKIM is unnecessary and could give the false impression that legitimate mail is expected. Omitting DKIM entirely helps clearly signal that the domain is inactive for email use.


MX

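For the MX record, we want an empty value, so we publish a single dot as the mail exchanger: @ IN MX 0 .

  • Use a null MX (MX 0 .) if you want to be extra clear.
  • Optional: you can simply publish no MX record at all. Note that without any MX record, sending servers fall back to the domain's A/AAAA records, which the null MX prevents.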

Securing parked domains is a critical yet often overlooked step in maintaining your organization’s email security posture. By implementing strict DNS records—like SPF -all, DMARC p=reject, and a null or missing MX—you make it explicitly clear that no email activity should occur from the domain, effectively shutting down spoofing and phishing opportunities. Even without mailboxes in use, these lightweight, proactive measures help protect your brand, reduce the attack surface, and ensure that your unused domains aren’t silently working against you.
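As an added example (not code from the original post), the following Python check audits a parked domain against the SPF, DMARC and MX settings described above, working on records supplied as data rather than live DNS lookups. The domains parked.example and weak.example, the zone contents and the report address are constructed; the owner names (the apex for SPF and MX, _dmarc.<domain> for DMARC) and the DMARC defaults (unset sp inherits p, unset adkim/aspf are relaxed) come from the standards.

```python
def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value (DMARC tag list) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked(domain, zone):
    """zone maps (owner name, type) -> list of record strings; returns findings."""
    findings = []
    # SPF lives at the domain apex: exactly one record, and its only term is -all.
    spf = [t for t in zone.get((domain, "TXT"), []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one record, found {len(spf)}")
    elif spf[0].lower().split()[1:] != ["-all"]:
        findings.append(f"SPF: not a bare hard fail: {spf[0]!r}")
    # DMARC lives at _dmarc.<domain>; unset sp inherits p, unset adkim/aspf are relaxed.
    dmarc = [parse_tags(t) for t in zone.get((f"_dmarc.{domain}", "TXT"), [])]
    dmarc = [d for d in dmarc if d.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    else:
        d = dmarc[0]
        if d.get("p") != "reject":
            findings.append(f"DMARC: p={d.get('p')}, want reject")
        if d.get("sp", d.get("p")) != "reject":
            findings.append("DMARC: subdomain policy is not reject")
        findings += [f"DMARC: {t} is not strict" for t in ("adkim", "aspf") if d.get(t, "r") != "s"]
    # MX: either no MX at all or the single null MX "0 ." described above.
    mx = [r.split() for r in zone.get((domain, "MX"), [])]
    if mx and mx != [["0", "."]]:
        findings.append(f"MX: domain still names a mail exchanger: {mx}")
    return findings

# Constructed sample zones; the report address is a placeholder.
GOOD = {
    ("parked.example", "TXT"): ["v=SPF1 -all"],
    ("_dmarc.parked.example", "TXT"): ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@parked.example; adkim=s; aspf=s; fo=1;"],
    ("parked.example", "MX"): ["0 ."],
}
WEAK = {
    ("weak.example", "TXT"): ["v=spf1 ~all"],
    ("_dmarc.weak.example", "TXT"): ["v=DMARC1; p=none"],
    ("weak.example", "MX"): ["10 mail.weak.example."],
}

print(audit_parked("parked.example", GOOD) or "OK", audit_parked("weak.example", WEAK))
```

DKIM is not checked because selectors cannot be enumerated from the zone name alone, and the TLS-RPT record is informational, so it does not affect the result.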
