How can I implement a DMARC reject policy for non-existent domains to prevent spam?
Summary
What email marketers say (12 marketer opinions)
Marketer from Email Geeks explains that even though the domain has a ServerHold, meaning the NS will not resolve and you can't add any records, email providers should not accept the message since it will not have a working MX or A record.
Email marketer from Multiplier explains that you should set the subdomain policy to reject, but only after carefully implementing SPF and DKIM. Further, that continuous monitoring is essential to ensure legitimate email is correctly identified.
Email marketer from EasyDMARC explains that to enforce a DMARC reject policy, you must set 'p=reject' in your DMARC DNS record, ensuring that unauthorized emails are rejected by recipient mail servers. It is also recommended to monitor your DMARC reports regularly.
Marketer from Email Geeks explains that there is an option to add an automatic reject, but needs to be added by the TLD operator; in this case, .fr would need to add an `np` tag which specifies the policies for non-existent domains.
Email marketer from Valimail answers that to prevent spam from non-existent domains using DMARC, ensure your DMARC record includes 'p=reject' for the main domain and 'sp=reject' for subdomains. Also that it's important to monitor DMARC reports to avoid blocking legitimate emails.
Email marketer from StackOverflow answers that a DMARC record with `sp=reject` instructs email receivers to reject messages from subdomains that don't have their own DMARC records, helping to prevent unauthorized use of your domain. It is important to thoroughly test your configuration.
Marketer from Email Geeks shares that because it's not sure who actually respects np tags right now, we might need to wait for DMARCbis.
Email marketer from Postmark explains implementing a DMARC reject policy involves publishing a DMARC record with the `p=reject` tag and the `sp=reject` tag. Also, continuously analyzing DMARC reports allows for refinements and helps minimize the risk of blocking legitimate emails.
Email marketer from Reddit shares their experience to say that after setting 'p=reject' and 'sp=reject', they saw a significant decrease in spam using their domain. However, it's crucial to monitor DMARC reports to prevent blocking legitimate emails due to misconfigurations.
Email marketer from DMARC Analyzer explains that the "sp" tag in DMARC allows you to set a specific policy for subdomains. Setting 'sp=reject' tells receiving mail servers to reject emails appearing to come from non-existent subdomains.
Email marketer from Mailhardener details that to protect subdomains, especially non-existent ones, set the 'sp' tag to 'reject' in your DMARC record. This instructs receiving servers to reject emails claiming to be from these subdomains if they fail DMARC checks.
Email marketer from EmailSecurityForum answers that to enforce a DMARC reject policy, you need to publish a TXT record in your DNS with `v=DMARC1; p=reject; sp=reject;`, and ensure SPF and DKIM are properly configured. Monitor DMARC reports to adjust the configuration as needed.
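The opinions above all turn on which tag a receiver consults: `p` for the exact domain, `sp` for subdomains of an organizational domain that carries the record, and `np` (DMARCbis) for subdomains that do not exist at all. The following is an added example, not code from the original page or from any of the quoted vendors. It replaces DNS with a constructed in-memory zone so it runs offline, and it approximates the organizational domain as the last two labels (a real implementation uses the Public Suffix List or the DMARCbis tree walk); the record contents, host names and the `EXISTING_NAMES` set are all constructed for the example.

```python
"""Resolve which DMARC policy applies to an RFC5322.From domain.

Added example (not from the original page). DNS lookups are replaced by a
constructed in-memory zone, and the organizational domain is approximated
as the last two labels, which is an assumption for the example.
"""

# Constructed zone: TXT records at _dmarc.<domain>. Real DNS would be queried.
ZONE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; np=reject; rua=mailto:dmarc@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=none",
    "_dmarc.example.net": "v=DMARC1; p=reject",
}
# Constructed set of names that have an A/AAAA/MX record; anything else is
# treated as "non-existent" in the DMARCbis sense.
EXISTING_NAMES = {"example.com", "mail.example.com", "www.example.com", "example.net"}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict, rejecting non-DMARC1 records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("required tag p is missing")
    return tags


def organizational_domain(domain):
    # Assumption: last two labels. Production code uses the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_exists(domain):
    # Assumption: a name exists when it has an A/AAAA/MX record in the toy zone.
    return domain.lower() in EXISTING_NAMES


def applicable_policy(from_domain):
    """Return (policy, reason) following RFC 7489 policy discovery plus the np tag.

    policy is None when no DMARC record covers the domain.
    """
    from_domain = from_domain.lower()
    txt = ZONE_TXT.get(f"_dmarc.{from_domain}")
    if txt is not None:
        # An exact record wins; its own p applies regardless of the parent's sp/np.
        return parse_dmarc(txt)["p"], f"record at _dmarc.{from_domain}"
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None, "no DMARC record"
    txt = ZONE_TXT.get(f"_dmarc.{org}")
    if txt is None:
        return None, "no DMARC record"
    rec = parse_dmarc(txt)
    # np applies only to subdomains that do not exist; otherwise fall back to sp, then p.
    if not domain_exists(from_domain) and "np" in rec:
        return rec["np"], f"np tag at _dmarc.{org} (non-existent subdomain)"
    if "sp" in rec:
        return rec["sp"], f"sp tag at _dmarc.{org}"
    return rec["p"], f"p tag at _dmarc.{org} (sp absent, so p covers subdomains)"


if __name__ == "__main__":
    for d in ["example.com", "mail.example.com", "www.example.com",
              "ghost.example.com", "news.example.net", "example.org"]:
        print(d, "->", applicable_policy(d))
```

Note that `ghost.example.com` is rejected by `np` while the existing `www.example.com` is rejected by `sp`, and that an explicit record on `mail.example.com` (`p=none`) overrides both; that is the case monitoring is meant to catch before the parent record is moved to reject.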
What the experts say (5 expert opinions)
Expert from Email Geeks shares that best guess SPF was a good idea at one point, now it needs to go away.
Expert from Word to the Wise explains that when implementing DMARC, particularly the reject policy, it's essential to ensure SPF and DKIM are correctly configured to avoid blocking legitimate emails. Monitoring DMARC reports is also crucial for identifying and addressing any authentication issues before fully enforcing the reject policy.
Expert from Spamresource answers that one aspect of DMARC is that you can create a policy with the "p=" tag. The options are none, quarantine, or reject. The reject tag tells email providers to not accept unauthenticated emails as well as put them in the spam folder.
Expert from Word to the Wise answers that it's essential to monitor DMARC reports diligently, as these reports provide insights into email authentication failures and potential spoofing attempts, helping you refine your DMARC policy and ensure legitimate emails are not inadvertently blocked.
Expert from Email Geeks responds that it's in final call and most of the work was done. Further that the protocol questions are answered and it's on the AD's desk for review.
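Both Word to the Wise comments above make monitoring of aggregate (`rua`) reports the precondition for enforcement. The following is an added example, not code from the original page or from any quoted source, showing the check a practitioner runs on those reports before moving to `p=reject` / `sp=reject`: which sending sources would have been refused. The XML is constructed to follow the RFC 7489 aggregate report layout; the organisation name, IPs and counts are placeholders.

```python
"""Summarise a DMARC aggregate (rua) report before moving to p=reject.

Added example, not from the original page. SAMPLE_REPORT is a constructed
report in the RFC 7489 aggregate format with placeholder values.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><sp>none</sp></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>bulk.example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize(xml_text):
    """Return {(header_from, source_ip): {"total": n, "failing": n}}.

    A message passes DMARC when either aligned DKIM or aligned SPF passes; the
    <dkim>/<spf> elements under policy_evaluated are already alignment-aware,
    so one of them reading "pass" is sufficient.
    """
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: {"total": 0, "failing": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        source_ip = row.findtext("source_ip")
        header_from = rec.find("identifiers").findtext("header_from")
        evaluated = row.find("policy_evaluated")
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        key = (header_from, source_ip)
        stats[key]["total"] += count
        if not passed:
            stats[key]["failing"] += count
    return dict(stats)


def sources_that_would_be_rejected(xml_text):
    """Sources whose mail would be refused under reject; review these before enforcing."""
    return sorted(k for k, v in summarize(xml_text).items() if v["failing"] > 0)


if __name__ == "__main__":
    for (header_from, ip), counts in summarize(SAMPLE_REPORT).items():
        print(f"{header_from:20} {ip:15} total={counts['total']:4} failing={counts['failing']}")
    print("would be rejected:", sources_that_would_be_rejected(SAMPLE_REPORT))
```

In the constructed report only 198.51.100.7 fails both checks, so it is the one source to identify (a forgotten legitimate sender or a spoofer) before the published policy changes from `none`; the `bulk.example.com` source passes on SPF alone and would not be affected.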
What the documentation says (5 technical articles)
Documentation from RFC Editor specifies that a DMARC policy can include instructions for handling messages from non-existent subdomains, using the "sp" tag with a value of "reject" to indicate that such messages should be rejected.
Documentation from Google Workspace Admin Help details that subdomain policy is configured using the `sp` tag, and specifies that setting `sp=reject` tells receiving mail servers to reject messages from subdomains that don't align with your DMARC policies, thereby protecting those subdomains from spoofing.
Documentation from AuthSMTP details that a complete DMARC record should include version, policy, and reporting address, and recommends setting the subdomain policy (sp) to 'reject' to prevent abuse from non-existent subdomains.
Documentation from DMARC.org FAQ explains the 'sp' tag allows for defining a specific DMARC policy for all subdomains. It says that setting 'sp=reject' instructs recipient mail servers to reject any messages from subdomains that fail DMARC authentication, assisting in protecting against unauthorized use of your domain.
Documentation from Proofpoint details that implementing a DMARC reject policy, including for non-existent subdomains, significantly reduces the risk of domain spoofing by instructing recipient servers to refuse unauthenticated emails. They suggest carefully monitoring DMARC reports to identify legitimate email sources before fully implementing 'p=reject' or 'sp=reject'.