How should DMARC, SPF, and DKIM records be configured for domains that do not send email?
Summary
What email marketers say (10 marketer opinions)
Email marketer from EasyDMARC advises deploying SPF `v=spf1 -all` and DMARC `p=reject` for non-sending domains, which minimizes the risk of domain spoofing and phishing attacks.
Email marketer from StackOverflow suggests setting DMARC policy to `p=reject` with appropriate SPF (`-all`) even for parked domains. This prevents unauthorized use of the domain for spam or phishing.
Email marketer from Superuser forum mentions the importance of setting up an SPF record `v=spf1 -all` even for domains that do not send email to prevent abuse and spamming.
Email marketer from SparkPost recommends using SPF `v=spf1 -all` and DMARC `p=reject` for parked domains to prevent email spoofing and protect your domain reputation.
Email marketer from Reddit suggests using SPF with `-all` and a DMARC policy of `reject` for unused domains to prevent spammers from using the domain.
Marketer from Email Geeks explains that if you never use the domains to send email, you don't need SPF and DKIM to pass DMARC.
Email marketer from Mailjet shares the best practice of using `v=spf1 -all` for domains not sending emails. They also recommend DMARC with a `p=reject` policy for maximum protection.
Email marketer from Postmark mentions that if a domain doesn't send email, its SPF record should contain `v=spf1 -all` to indicate no email should originate from that domain, preventing unauthorized email activity.
Email marketer from EmailSecuritySPF recommends setting an SPF record with `v=spf1 -all` for domains that do not send email, emphasizing this prevents unauthorized use of your domain name.
Email marketer from MXToolbox recommends implementing SPF and DMARC even for domains that don't send emails. Set SPF to `-all` and DMARC to `p=reject` to prevent spoofing.
What the experts say (3 expert opinions)
Expert from Email Geeks shares that he publishes a `v=spf1 -all` record for domains that don't send email, along with a DMARC `p=reject` policy.
Expert from Word to the Wise recommends setting up a DMARC record even for domains that don't send mail, to prevent them from being used in phishing attacks. He suggests a reject policy (`p=reject`).
Expert from Email Geeks recommends simply deleting the DKIM key and moving on when removing a key. Explicitly revoking a key is useful only in rare situations, such as if it was misused or compromised.
What the documentation says (5 technical articles)
Documentation from DMARC.org advises setting a DMARC policy of `p=reject` for domains that do not send email. This instructs receiving mail servers to reject any messages claiming to be from the domain that fail DMARC checks.
Documentation from Microsoft mentions that DKIM is not strictly required for domains that do not send email, but it can be implemented with a wildcard record to explicitly invalidate all keys if desired.
Documentation from Cloudflare indicates that using `v=spf1 -all` in the SPF record clearly signals that no email should originate from the domain, enhancing security. It emphasizes the importance of correct syntax to prevent deliverability issues.
Documentation from Google Workspace Admin Help explains that for domains that do not send email, the SPF record should be `v=spf1 -all`. This indicates that no servers are authorized to send mail from the domain.
Documentation from RFC 7208 specifies that the `all` mechanism in SPF records should be used with a qualifier such as `-all` to indicate a hard fail, meaning no email should originate from the domain.
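
The recommendations above can be turned into an audit for a portfolio of parked domains. The following is an added example, not code from any of the sources cited on this page; the function names and the `.example` record sets are constructed for illustration. The `sp` check and the empty `p=` form of an invalidated DKIM key come from the DMARC and DKIM specifications rather than from this page.

```python
# Added example: audit the TXT records of a domain that must never send mail.
# All record sets below are constructed sample data, not real DNS answers.

def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(domain, txt):
    """txt maps owner name -> list of TXT strings. Returns findings; [] is compliant."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # No record means no SPF policy; more than one is a permerror (RFC 7208).
        findings.append(f"SPF: expected exactly one record, found {len(spf)}")
    elif spf[0].lower().split()[1:] != ["-all"]:
        findings.append(f"SPF: expected 'v=spf1 -all', found '{spf[0]}'")

    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    else:
        if dmarc[0].get("p", "").lower() != "reject":
            findings.append(f"DMARC: p={dmarc[0].get('p')} is weaker than reject")
        # Beyond the page: an sp tag overrides p for subdomains (RFC 7489).
        sp = dmarc[0].get("sp")
        if sp is not None and sp.lower() != "reject":
            findings.append(f"DMARC: sp={sp} weakens the policy for subdomains")

    # DKIM is optional here; a wildcard record, if present, must have an empty p=.
    for r in txt.get(f"*._domainkey.{domain}", []):
        if parse_tags(r).get("p") != "":
            findings.append("DKIM: wildcard record does not carry an empty p=")
    return findings

GOOD = {"parked.example": ["v=spf1 -all"],
        "_dmarc.parked.example": ["v=DMARC1; p=reject"],
        "*._domainkey.parked.example": ["v=DKIM1; p="]}
WEAK = {"weak.example": ["v=spf1 include:_spf.mail.example ~all", "site-verification=constructed"],
        "_dmarc.weak.example": ["v=DMARC1; p=none; sp=none"]}

if __name__ == "__main__":
    for name, records in (("parked.example", GOOD), ("weak.example", WEAK)):
        print(name, audit_parked_domain(name, records) or "compliant")
```

In practice the `txt` mapping would be filled from live DNS lookups for each domain in the portfolio; the audit logic stays the same.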