How to protect domains that don't send emails

Even domain names that you don't actively use for emails are at risk of misuse and should be protected.

Spammers don't just send emails from domains that are set up to send emails. They also send emails from domains that aren't set up to send emails.

If you, like most business owners, have a domain name that you use for your website, and a bunch of other domains for typos or to prevent domain squatting or for future product names, that you don't actually send emails from, you might be at risk of spammers sending emails from those domain names without your permission.

Usually, when we set up DMARC we set it up to say "emails from this domain are allowed to come from these servers". But if you have a domain that doesn't send emails, you can set up a DMARC policy that says "emails from this domain are not allowed to come from any server". This way, if a spammer tries to send an email from that domain, it will fail the DMARC check and be rejected.

And since we're not using that domain to send emails, we don't have to worry about legitimate emails being rejected and can be as strict as possible.

SPF

Add a TXT record to your DNS provider with the following value and you're good to go:

The -all part means that no server is allowed to send emails from this domain. In SPF terms it means fail all emails that aren't listed in the SPF record - and since there are no servers listed in the SPF record, it means fail all emails.

DKIM

Since DKIM is used to authorize emails from specific servers, and we're not allowing any servers to send emails from this domain, we should set up an empty DKIM record. This way, if a spammer tries to send an email from that domain, it will fail the DKIM check and be rejected.

Add a TXT record to your DNS provider with the following value and you're good to go:

DMARC

Our DMARC policy for domains that never send emails should be as strict as possible. Effectively reject any email that fail the DMARC policy.

Add a TXT record to your DNS provider with the following value and you are good to go: