DMARC Analyzer 2.0 - Parked and Inactive Domain Setup

This article contains information on securing parked or inactive domains using SPF, DKIM, DMARC, and MX records to prevent misuse, ensure proper email authentication, and protect against vulnerabilities.

Most companies have a set of active domains which they use to send mail. However, most of the time there are also parked (or inactive) domains. These are domains that have been registered by a customer, but which are not used to send emails or host a website. These can be ‘typo domains’ or domains that have been registered for future use.

Because these domains are not active, they are easy to protect. It is nevertheless important to do so and not skip them in your DMARC implementation project. Otherwise you can end up in a situation where your main domain is protected with a 100% p=reject policy while you are still vulnerable to spoofing on your parked domains.

We advise publishing a set of DNS records on each parked domain to indicate to receiving mail providers (ISPs) that the domain is inactive and should be treated accordingly.

SPF

Indicate that the domain does not send any mail by setting up an empty SPF record with a hard fail policy:

sampleparkeddomain.com TXT "v=spf1 -all"

DKIM

A DKIM record is published on a subdomain formed by combining a ‘selector’ with the domain. The standard way to revoke a previously active selector is to publish that selector with an empty ‘p’ value. The same record can be published under a wildcard label (*) to indicate that every selector is invalid:

*._domainkey.sampleparkeddomain.com TXT "v=DKIM1; p="

DMARC

Even though the domain is inactive, you still want to receive reports about any activity on it. Therefore we recommend publishing a DMARC policy on that domain. If an organization has a lot of parked domains, we advise publishing one general ‘parked domain’ DMARC policy on a single domain and referring to that policy from each parked domain with a CNAME record. This way you can adjust the policy for all your parked domains by changing a single DNS record. In this setup it is required to correctly configure external domain verification on the domain that receives your DMARC reports, as described in the External Domain Verification article.

The following DNS record should be added to all your parked domains:

_dmarc.sampleparkeddomain.com CNAME _dmarc.parked.example.net.

The records below should be added to the single domain referred to by the parked-domain CNAME record shown above (example.net). These records point to two dedicated mailboxes on your own domain. You can either configure these mailboxes to automatically forward the reports to DMARC Analyzer, or you can use your custom DMARC Analyzer RUA and RUF addresses in the first record instead. In that case the second record is not needed, because DMARC Analyzer already publishes the external domain verification record for its own report addresses.

_dmarc.parked.example.net TXT "v=DMARC1; p=reject; rua=mailto:rua@example.net; ruf=mailto:ruf@example.net"
*._report._dmarc.example.net TXT "v=DMARC1"

MX

Some mail receivers check, when they receive a message, whether the sending domain can accept replies. If a domain does not receive mail, it is recommended to publish a ‘NULL’ MX record (*). Note that this approach is only recommended if the domain *does* publish an A or AAAA record but is not set up to receive mail.

sampleparkeddomain.com MX 0 .

(*) If you use subdomains there are some exceptions. We refer to the Best Common Practices document published by the M3AAWG.
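The records above together describe a parked-domain posture that can be verified automatically. The following script is an added example, not part of the original article or of the DMARC Analyzer product: it checks a domain against that posture (SPF hard fail only, wildcard DKIM revocation, DMARC p=reject reached through the CNAME, external report destination authorization, and a null MX). It runs offline against a constructed zone modelled on the records in this article; the toy `lookup` resolver, the simplified `org_domain` helper and the `check_parked_domain` function are all assumptions of this example, and a real deployment would query live DNS (for example with dnspython) and use the Public Suffix List to determine organizational domains.

```python
"""Offline checker for the parked-domain DNS posture described in the article (added example)."""

# Constructed zone data modelled on the article's sample records (not real DNS answers).
# Keys are owner names without trailing dot; values are lists of (rrtype, rdata).
ZONE = {
    "sampleparkeddomain.com": [("TXT", "v=spf1 -all"), ("MX", "0 .")],
    "*._domainkey.sampleparkeddomain.com": [("TXT", "v=DKIM1; p=")],
    "_dmarc.sampleparkeddomain.com": [("CNAME", "_dmarc.parked.example.net.")],
    "_dmarc.parked.example.net": [("TXT", "v=DMARC1; p=reject; "
                                  "rua=mailto:rua@example.net; ruf=mailto:ruf@example.net")],
    "*._report._dmarc.example.net": [("TXT", "v=DMARC1")],
}


def lookup(zone, name, rrtype, depth=0):
    """Toy resolver: exact match, then wildcard match (a '*' label may cover several
    leading labels, as in DNS), then CNAME chasing. Returns a list of rdata strings."""
    name = name.rstrip(".")
    if depth > 8:  # guard against CNAME loops in constructed data
        return []
    rrs = zone.get(name)
    if rrs is None:
        labels = name.split(".")
        for i in range(1, len(labels)):
            rrs = zone.get("*." + ".".join(labels[i:]))
            if rrs is not None:
                break
    if rrs is None:
        return []
    out = [rd for rt, rd in rrs if rt == rrtype]
    if not out:
        for rt, rd in rrs:
            if rt == "CNAME":
                return lookup(zone, rd, rrtype, depth + 1)
    return out


def parse_tags(txt):
    """Parse a 'tag=value; tag=value' list (DMARC and DKIM records) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(name):
    """Simplification for this example: last two labels. Real code uses the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def check_parked_domain(zone, domain):
    """Return {check: (passed, detail)} for the parked-domain recommendations."""
    results = {}

    # SPF: exactly "v=spf1 -all" and no second SPF record.
    spf = [t for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    results["spf"] = (len(spf) == 1 and spf[0].split() == ["v=spf1", "-all"], spf)

    # DKIM: any selector must resolve (via the wildcard) to a revoked key, i.e. empty p=.
    dkim = lookup(zone, "anyselector._domainkey." + domain, "TXT")
    dkim_tags = parse_tags(dkim[0]) if dkim else {}
    results["dkim"] = (dkim_tags.get("v") == "DKIM1" and dkim_tags.get("p") == "", dkim)

    # DMARC: follow the CNAME and require p=reject.
    dmarc = lookup(zone, "_dmarc." + domain, "TXT")
    dmarc_tags = parse_tags(dmarc[0]) if dmarc else {}
    results["dmarc"] = (dmarc_tags.get("v") == "DMARC1" and dmarc_tags.get("p") == "reject", dmarc)

    # External destination verification (RFC 7489 section 7.1): every rua/ruf address in
    # another organizational domain needs <domain>._report._dmarc.<report domain> TXT "v=DMARC1".
    ext_ok, ext_detail = True, []
    for tag in ("rua", "ruf"):
        for uri in dmarc_tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri.startswith("mailto:") or "@" not in uri:
                continue
            rcpt_domain = uri.split("@", 1)[1]
            if org_domain(rcpt_domain) == org_domain(domain):
                continue  # same organization, no authorization record required
            auth = lookup(zone, domain + "._report._dmarc." + rcpt_domain, "TXT")
            ok = any(parse_tags(a).get("v") == "DMARC1" for a in auth)
            ext_ok = ext_ok and ok
            ext_detail.append((uri, ok))
    results["external_reporting"] = (ext_ok, ext_detail)

    # Null MX (RFC 7505): a single MX record with preference 0 and the root as exchange.
    mx = lookup(zone, domain, "MX")
    results["null_mx"] = (mx == ["0 ."], mx)
    return results


if __name__ == "__main__":
    for check, (passed, detail) in check_parked_domain(ZONE, "sampleparkeddomain.com").items():
        print(f"{check:20s} {'OK ' if passed else 'FAIL'} {detail}")
```

The external-reporting check is the one most often missed: with the CNAME setup, receivers evaluate the policy as belonging to the parked domain, so the authorization record must exist under the report-receiving domain for each parked domain, which is why the article uses a wildcard at `*._report._dmarc.example.net`.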
