Protecting your domain from sending unsolicited e-mails (spam)
If you own a domain that you don't use to send e-mail, it would be wise to protect it from forgery. Even though you don't send from it, a spammer can spoof an unprotected domain for their evil purposes. So do the world a favour and protect every domain you don't send e-mail from with these simple DNS records:
| Hostname | Type | Value |
|---|---|---|
| example.com | TXT | v=SPF1 -all |
| *._domainkey.example.com | TXT | v=DKIM1; p= |
| _dmarc.example.com | TXT | v=DMARC1; p=reject; |
The SPF record tells us that no servers are allowed to send mail on behalf of the example.com domain.
The DKIM record catches all potential lookups of a DKIM key, and will always fail because p= is empty.
The DMARC record tells us that if SPF or DKIM fails, then please just reject the mail.
So, with these records, every SPF check will fail, because no server is allowed to send on behalf of example.com, and DKIM will always fail, because there is no value in p. Then, because both fail, DMARC says: reject this mail.