Suped

How should DMARC, SPF, and DKIM records be configured for domains that do not send email?

Summary

Configuring DMARC, SPF, and DKIM for domains that do not send email is a nuanced topic. While some argue that these records are unnecessary if a domain will never transmit email, others advocate for their implementation as a protective measure against spoofing and phishing attempts. The consensus leans towards implementing at least SPF with a v=spf1 -all record and a DMARC policy set to p=reject for domains that explicitly should not send mail. DKIM's utility for such domains is debated, as it relies on keys that would not be used, potentially leading to unnecessary complexity without additional security benefits.


What email marketers say

Email marketers often approach DMARC, SPF, and DKIM for non-sending domains from a practical, risk-averse perspective. While acknowledging the technical redundancy if no emails are sent, many still see value in setting up basic authentication records to prevent domain spoofing and enhance overall brand security. The discussion frequently revolves around balancing simplicity with effective protection against malicious actors attempting to impersonate the domain.

Marketer view

Email marketer from Email Geeks queries the necessity of DMARC, SPF, and DKIM for domains that never send email, along with a proposed DMARC record example.

05 Jun 2020 - Email Geeks

Marketer view

Email marketer from Email Geeks states that if domains are strictly non-sending, these authentication records are not required.

05 Jun 2020 - Email Geeks

What the experts say

Experts generally agree on the importance of robust DNS configurations for domains, whether they send email or not. For domains not intended to send email, the consensus favors a clear and unambiguous declaration of this fact via SPF and DMARC records. While the necessity of DKIM for non-sending domains is debated, the overarching principle is to minimize the potential for domain abuse through explicit authentication policies, thereby protecting the domain's reputation and preventing it from being weaponized in phishing campaigns.

Expert view

Email expert from Email Geeks recommends setting up SPF and DKIM records even if not all Mailbox Providers (MBPs) use DMARC, citing an M3AAWG paper for best practices.

05 Jun 2020 - Email Geeks

Expert view

Email expert from Email Geeks confirms using a v=spf1 -all SPF record and a DMARC p=reject policy for their domains that do not send email.

05 Jun 2020 - Email Geeks

What the documentation says

Official documentation and RFCs provide the foundational guidelines for email authentication protocols. For domains that do not send email, these documents emphasize clarity and security. While not always explicitly detailing configurations for non-sending domains, the principles of DMARC, SPF, and DKIM suggest that a strong defensive posture is achievable through specific DNS record entries. This often involves defining what *shouldn't* happen with a domain's email, rather than what should.

Technical article

Documentation from RFC 7208 on SPF recommends using the "all" mechanism with the "-" (fail) qualifier (e.g., "v=spf1 -all") to indicate that no IP addresses are authorized to send mail from a specific domain, serving as a clear directive for non-sending domains.

28 Apr 2014 - RFC 7208

Technical article

Documentation from RFC 7489 (DMARC) states that a domain owner can use a "p=reject" policy to instruct receiving mail servers to reject all messages that fail DMARC authentication, effectively blocking unauthorized mail from domains not intended to send email.

26 Mar 2015 - RFC 7489
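
The check below is an added example, not code from this page or from Suped: it audits a domain's TXT records against the non-sending configuration described above (SPF "v=spf1 -all" and DMARC "p=reject"). The function names, the example domains and the records in SAMPLE_TXT are constructed for illustration, and the input is a plain dictionary rather than a live DNS lookup.

```python
# Added example: audit TXT records of a domain that should never send mail.
# SAMPLE_TXT is constructed input (name -> TXT strings), not live DNS data.
SAMPLE_TXT = {
    "parked.example": ["v=spf1 -all"],
    "_dmarc.parked.example": ["v=DMARC1; p=reject; sp=reject"],
    "weak.example": ["v=spf1 ~all", "site-verification=constructed"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_non_sending(domain, txt):
    """Return findings; an empty list means SPF and DMARC both lock the domain."""
    findings = []
    # Only TXT strings whose first term is v=spf1 are SPF records.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("SPF: no record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple records, receivers treat this as an error")
    elif spf[0].lower().split()[1:] != ["-all"]:
        findings.append(f"SPF: {spf[0]!r} is not the bare deny-all 'v=spf1 -all'")

    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
        return findings
    tags = dmarc[0]
    if tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC: p={tags.get('p')} does not ask receivers to reject")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"DMARC: sp={tags['sp']} leaves subdomains unprotected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to part of the mail")
    return findings

if __name__ == "__main__":
    for name in ("parked.example", "weak.example", "missing.example"):
        print(name, audit_non_sending(name, SAMPLE_TXT) or "locked down")
```

To run it against real domains, build the dictionary from the TXT answers for the domain and for its _dmarc label before calling audit_non_sending.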
