How should DMARC, SPF, and DKIM records be configured for domains that do not send email?

Summary

For domains that do not send email, the strong consensus is to implement SPF and DMARC to prevent domain spoofing, phishing, and unauthorized use. The recommended SPF record is `v=spf1 -all`, which explicitly states that no email should originate from the domain. The recommended DMARC policy is `p=reject`, which instructs receiving mail servers to reject any messages claiming to be from the domain that fail DMARC checks. While DKIM is not strictly required, experts recommend deleting existing DKIM keys and avoiding publishing new ones. Accurate syntax for SPF and DMARC records is critical for preventing deliverability issues.

Key findings

  • SPF Record: Set the SPF record to `v=spf1 -all` to definitively indicate that the domain does not send email.
  • DMARC Policy: Configure the DMARC policy to `p=reject` to instruct receiving servers to reject unauthorized emails.
  • DKIM Configuration: DKIM is optional; remove any existing DKIM keys and avoid publishing new ones for non-sending domains.
  • Spoofing Prevention: Implementing SPF and DMARC prevents domain spoofing, phishing attacks, and unauthorized email activity.
  • Record Syntax: Accurate syntax in SPF and DMARC records is essential to prevent deliverability issues.

Key considerations

  • Future Use: Consider whether the domain might send email in the future and plan for proper authentication if needed.
  • DKIM Revocation: Explicit DKIM key revocation is rarely necessary but should be considered if a key was compromised and misused.
  • Policy Enforcement: Ensure that the DMARC policy is correctly implemented to effectively reject spoofed emails.
  • Monitoring: Consider starting with a less restrictive DMARC policy (e.g., `p=quarantine` or `p=none`) to monitor and assess the impact before fully enforcing `p=reject`.
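
An offline syntax check for the records recommended above, as an added example that is not from this page or from any of the sources it cites; `example.com`, the function names and the sample record strings are constructed for illustration. It also covers two details the page does not spell out: the empty `p=` form of a DKIM key record (the RFC 6376 revocation syntax) and the DMARC `sp` subdomain-policy tag.

```python
# Added example: example.com and all record strings are constructed sample data.
def parse_tags(record):
    """Split a 'tag=value; ...' TXT string into ordered pairs (value None if no '=')."""
    pairs = []
    for part in filter(str.strip, record.split(";")):
        tag, sep, value = part.partition("=")
        pairs.append((tag.strip().lower(), value.strip() if sep else None))
    return pairs

def check_spf(record):
    """Problems with an SPF record that should read exactly 'v=spf1 -all'."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    if terms[-1] != "-all":
        problems.append("does not end in -all (hard fail)")
    extra = [t for t in terms[1:] if not t.endswith("all")]
    if extra:
        problems.append(f"extra terms {extra}: no sender should be authorized")
    return problems

def check_dmarc(record):
    """Problems with a DMARC record that should enforce p=reject."""
    tags = parse_tags(record)
    if not tags or tags[0] != ("v", "DMARC1"):
        return ["first tag must be v=DMARC1"]
    values, problems = dict(tags), []
    policy = (values.get("p") or "").lower()
    if policy in ("none", "quarantine"):
        problems.append(f"p={policy} is less restrictive than p=reject")
    elif policy != "reject":
        problems.append("missing or invalid p tag")
    # sp overrides p for subdomains, so a weaker sp leaves them spoofable.
    sp = (values.get("sp") or "reject").lower()
    if sp != "reject":
        problems.append(f"sp={sp} weakens the policy for subdomains")
    return problems

def dkim_revoked(record):
    """True when a DKIM key record has an empty p= value (RFC 6376 revocation)."""
    return dict(parse_tags(record)).get("p") == ""

ZONE = {  # TXT owner name -> record text
    "example.com": "v=spf1 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "*._domainkey.example.com": "v=DKIM1; p=",
}
PROBLEMS = check_spf(ZONE["example.com"]) + check_dmarc(ZONE["_dmarc.example.com"])
```

An empty list from `check_spf` or `check_dmarc` means the record matches the non-sending recommendation; each string in a non-empty list names one deviation.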

What email marketers say
10 marketer opinions

For domains that do not send email, the consensus is to implement SPF and DMARC to prevent domain spoofing and unauthorized use. The recommended SPF record is `v=spf1 -all`, indicating that no email should originate from the domain. The recommended DMARC policy is `p=reject`, instructing receiving mail servers to reject any messages claiming to be from the domain that fail DMARC checks. While DKIM isn't strictly necessary, it can be implemented.

Key opinions

  • SPF Record: Set SPF record to `v=spf1 -all` to indicate no email should ever originate from the domain.
  • DMARC Policy: Set DMARC policy to `p=reject` to instruct receiving servers to reject unauthorized emails.
  • DKIM: DKIM is optional but can be implemented; otherwise, ensure no DKIM keys are published.
  • Spoofing Prevention: Implementing these measures prevents domain spoofing, phishing attacks, and unauthorized email activity.

Key considerations

  • Future Use: Consider if the domain will ever send email in the future. If so, proper authentication should be configured then.
  • DMARC Reporting: While `p=reject` is the goal, consider starting with `p=quarantine` or `p=none` to monitor results before fully enforcing the reject policy.
  • Syntax Accuracy: Ensure accurate syntax for SPF and DMARC records to avoid deliverability issues.
Marketer view

Email marketer from EasyDMARC advises deploying SPF `v=spf1 -all` and DMARC `p=reject` for non-sending domains, which minimizes the risk of domain spoofing and phishing attacks.

April 2022 - EasyDMARC
Marketer view

Email marketer from StackOverflow suggests setting DMARC policy to `p=reject` with appropriate SPF (`-all`) even for parked domains. This prevents unauthorized use of the domain for spam or phishing.

May 2024 - StackOverflow
Marketer view

Email marketer from Superuser forum mentions the importance of setting up an SPF record `v=spf1 -all` even for domains that do not send email to prevent abuse and spamming.

January 2025 - Superuser
Marketer view

Email marketer from SparkPost recommends using SPF `v=spf1 -all` and DMARC `p=reject` for parked domains to prevent email spoofing and protect your domain reputation.

December 2021 - SparkPost
Marketer view

Email marketer from Reddit suggests using SPF with `-all` and a DMARC policy of `reject` for unused domains to prevent spammers from using the domain.

March 2025 - Reddit
Marketer view

Marketer from Email Geeks explains that if you never use the domains to send email, you don't need SPF and DKIM to pass DMARC.

June 2024 - Email Geeks
Marketer view

Email marketer from Mailjet shares the best practice of using `v=spf1 -all` for domains not sending emails. They also recommend DMARC with a `p=reject` policy for maximum protection.

May 2022 - Mailjet
Marketer view

Email marketer from Postmark mentions that if a domain doesn't send email, its SPF record should contain `v=spf1 -all` to indicate no email should originate from that domain, preventing unauthorized email activity.

December 2022 - Postmark
Marketer view

Email marketer from EmailSecuritySPF recommends setting an SPF record with `v=spf1 -all` for domains that do not send email, emphasizing this prevents unauthorized use of your domain name.

June 2023 - EmailSecuritySPF
Marketer view

Email marketer from MXToolbox recommends implementing SPF and DMARC even for domains that don't send emails. Set SPF to `-all` and DMARC to `p=reject` to prevent spoofing.

January 2025 - MXToolbox

What the experts say
3 expert opinions

For domains that do not send email, experts recommend implementing SPF and DMARC to prevent phishing attacks and unauthorized use. The recommended SPF record is `v=spf1 -all`. The DMARC policy should be set to `p=reject`. DKIM keys should be deleted; explicit revocation is rarely necessary, only in cases of misuse or compromise.

Key opinions

  • SPF Record: Use `v=spf1 -all` to indicate the domain never sends email.
  • DMARC Policy: Set DMARC policy to `p=reject` to prevent unauthorized use for phishing.
  • DKIM Key Management: Delete existing DKIM keys and do not publish new ones. Explicit key revocation is rarely needed.

Key considerations

  • Potential Misuse: Consider explicit DKIM key revocation only if the key was compromised and misused.
  • Policy Enforcement: Ensure DMARC policy is correctly implemented to effectively reject unauthorized emails.
Expert view

Expert from Email Geeks shares that he publishes a `v=spf1 -all` record for domains that don't send email, along with a DMARC `p=reject` policy.

April 2024 - Email Geeks
Expert view

Expert from Word to the Wise recommends setting up a DMARC record even for domains that don't send mail, to prevent them from being used in phishing attacks. He suggests a reject policy (`p=reject`).

November 2021 - Word to the Wise
Expert view

Expert from Email Geeks recommends just deleting the DKIM key and moving on when removing a key. Explicitly revoking a key is useful only in rare situations, such as if it was misused or compromised.

April 2024 - Email Geeks

What the documentation says
5 technical articles

For domains that do not send email, documentation recommends setting an SPF record to `v=spf1 -all` to explicitly state that no email should originate from the domain. DMARC should be configured with a policy of `p=reject` to instruct receiving servers to reject unauthorized emails. DKIM is not strictly required, but if implemented, a wildcard record can invalidate all keys. Accurate syntax is critical for SPF record effectiveness.

Key findings

  • SPF Configuration: The SPF record should be set to `v=spf1 -all` to prevent email origination from the domain.
  • DMARC Policy: The DMARC policy should be `p=reject` to reject unauthorized emails claiming to be from the domain.
  • DKIM Requirement: DKIM is optional; if implemented, invalidate all keys using a wildcard.
  • Record Syntax: Correct syntax is vital for proper functionality and preventing deliverability issues.

Key considerations

  • DKIM Implementation: Carefully consider whether to implement DKIM at all for non-sending domains.
  • Policy Enforcement: Ensure proper DMARC policy enforcement to effectively reject spoofed emails.
Technical article

Documentation from DMARC.org advises setting a DMARC policy of `p=reject` for domains that do not send email. This instructs receiving mail servers to reject any messages claiming to be from the domain that fail DMARC checks.

April 2024 - DMARC.org
Technical article

Documentation from Microsoft mentions that DKIM is not strictly required for domains that do not send email, but it can be implemented with a wildcard record to explicitly invalidate all keys if desired.

June 2024 - Microsoft
Technical article

Documentation from Cloudflare indicates that using `v=spf1 -all` in the SPF record clearly signals that no email should originate from the domain, enhancing security. It emphasizes the importance of correct syntax to prevent deliverability issues.

October 2023 - Cloudflare
Technical article

Documentation from Google Workspace Admin Help explains that for domains that do not send email, the SPF record should be `v=spf1 -all`. This indicates that no servers are authorized to send mail from the domain.

May 2023 - Google Workspace Admin Help
Technical article

Documentation from RFC7208 specifies that the `all` mechanism in SPF records should be used with a qualifier such as `-all` to indicate a hard fail, meaning no email should originate from the domain.

January 2023 - RFC7208