Can I set DMARC to reject if my domain doesn't send email?
Summary
What email marketers say7Marketer opinions
Email marketer from Stackoverflow explains that using a 'reject' policy is acceptable in some scenarios. They suggest setting up reporting to monitor for any potential issues after implementing the 'reject' policy in case services start sending emails.
Email marketer from LinkedIn shares that if your domain isn't used for sending emails, setting DMARC to 'reject' can provide an extra layer of security. This helps prevent spammers from using your domain in phishing campaigns.
Email marketer from EmailGeek suggests setting DMARC to 'reject' on domains that are not intended to send email. This is a proactive measure to prevent unauthorized use of the domain. This should only be used if you know email should not be sent.
Email marketer from Email Security Forums explains that using DMARC 'reject' is recommended if the domain isn't used for any active email sending. This protects against domain spoofing and phishing attacks.
Email marketer from MXToolbox suggests using a DMARC policy of 'reject' or 'quarantine' to instruct mail servers on how to handle messages that fail authentication checks. Setting to reject is ok but you need to make sure no email is being sent first.
Email marketer from Email Geeks advises checking for any contact forms, CRM integration, or web server sending technical reports to admins before setting DMARC to reject.
Email marketer from Reddit user u/example123 shares that they set DMARC to 'reject' for a client's domain that was only used for receiving email through a contact form, not for outbound marketing. They suggest carefully verifying that no legitimate outbound email is being sent before implementing the 'reject' policy.
What the experts say5Expert opinions
Expert from Word to the Wise, Laura Atkins, explains that setting a DMARC record to 'reject' for a domain that doesn't send email is a perfectly reasonable approach. It prevents spoofing and unauthorized use of the domain in email From: addresses. It is essential to be absolutely sure no legitimate email originates from the domain.
Expert from Email Geeks explains that as long as no mail is sent with that domain or any subdomain or superdomain of it in the From: address, setting DMARC to reject is acceptable.
Expert from Email Geeks shares that it's not worth the expense, pain, and delay to do a proper DMARC deployment in this sort of case. He advises getting written agreement from senior management that you're intentionally breaking mail using this domain, per their explicit instructions, before implementing p=reject from day one.
Expert from Spam Resource says that if you aren't sending email from a particular domain, DMARC reject is your friend. It protects your domain from phishing and spoofing.
Expert from Email Geeks suggests making sure you talk to the sysadmins of the machine, if it's internal, or the hosting company if it's not as if there's something likely break they're the ones who'll know about it.
What the documentation says4Technical articles
Documentation from Google explains that setting the DMARC policy to 'reject' instructs recipient mail servers to reject messages that fail DMARC checks. This is the strictest policy and prevents unauthorized use of your domain. If no email is supposed to originate from the domain this is safe to use.
Documentation from Cloudflare explains the reject policy to make it clear to receiving servers that if a message fails authentication checks, it should be rejected to improve security of your domain.
Documentation from Microsoft explains that a DMARC record with a 'reject' policy is recommended for domains not used for sending email. This helps protect the domain's reputation and prevents phishing attacks.
Documentation from DMARC.org states that setting DMARC to 'reject' on domains that do not send email is a valid use case. This prevents malicious actors from spoofing the domain in email 'From' addresses. It's especially useful for parked domains or domains only used for web hosting.