TL;DR: A domain that never sends email can still be spoofed — attackers
love parked and unused domains precisely because nobody protects them. Lock each one down with a strict SPF record
(v=spf1 -all), a DMARC record at p=reject, and a null MX. It's a five-minute job per domain.
Scan each domain free to confirm it's protected.
Why parked domains are a target
If your business owns several domains — old brands, regional variants, typo-catchers — but sends mail from only one, the
others are usually wide open. They have no SPF, no DMARC, and no one watching them, so an attacker can send convincing
phishing "from" any address at those domains with nothing to stop it. The domain doesn't need a website or a
mailbox to be abused — just a name in the From line.
The three records to publish on each non-sending domain
| Record | Value | What it does |
|---|---|---|
| SPF (TXT) | v=spf1 -all | Says "no server is allowed to send for this domain" |
| DMARC (TXT at _dmarc) | v=DMARC1; p=reject; rua=mailto:you@… | Tells receivers to reject any mail and report attempts |
| Null MX | 0 . | Declares the domain accepts no mail |
Together these say, clearly and machine-readably: "this domain sends and receives no email — reject anything claiming otherwise."
How to do it
- For each non-sending domain, add the SPF, DMARC and null-MX records above in its DNS.
- Use p=reject straight away — there's no legitimate mail to break, so there's no staged rollout needed.
- Point the rua reports to an inbox you check so you can see attempted abuse.
- Scan each domain to confirm SPF and DMARC are in place and enforcing.
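
One way to script the confirmation step, as an added example that is not from the original page: a Python function that takes a domain's already-fetched TXT and MX records and lists what is missing or weak. The sample records and addresses are constructed, and the `sp=` and `pct=` checks go beyond the three records in the table; they are DMARC tags that can weaken a `p=reject` policy.

```python
def parse_tags(record):
    """Split a DMARC 'k=v; k=v' record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(apex_txt, dmarc_txt, mx):
    """Return findings for a non-sending domain; [] means locked down.

    apex_txt: TXT strings at the domain; dmarc_txt: TXT strings at
    _dmarc.<domain>; mx: list of (preference, exchange) tuples.
    """
    findings = []
    # More than one SPF record is a permanent error, so require exactly one.
    spf = [t for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected one SPF record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append("SPF is not the bare 'v=spf1 -all'")

    dmarc = [t for t in dmarc_txt if t.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected one DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() != "reject":
            findings.append("DMARC p= is not reject")
        if tags.get("sp", "reject").lower() != "reject":
            findings.append("DMARC sp= weakens the policy for subdomains")
        if tags.get("pct", "100") != "100":
            findings.append("DMARC pct= is not 100")
        if not tags.get("rua"):
            findings.append("DMARC has no rua= report address")

    # A null MX must be the only MX record on the name.
    if list(mx) != [(0, ".")]:
        findings.append("MX is not a single null MX (0 .)")
    return findings

# Constructed sample records for two hypothetical parked domains.
LOCKED = audit(["v=spf1 -all"],
               ["v=DMARC1; p=reject; rua=mailto:reports@example.com"],
               [(0, ".")])
EXPOSED = audit(["v=spf1 ~all", "site-verification=constructed"],
                ["v=DMARC1; p=none; pct=50"],
                [(10, "mail.example.net.")])
```

Feed it the answers from whatever resolver you already use; an empty list means all three records are present and enforcing.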
FAQ
My domain has no website or email — why bother?
Because spoofing doesn't need either. As long as the domain exists, someone can forge its From address unless you publish a reject policy. It's cheap insurance for your brand.
Can I use one DMARC record for all my domains?
No — DMARC is per-domain. Each domain needs its own records, though you can send all their reports to the same inbox.
What's a null MX?
An MX record of 0 . that formally declares the domain accepts no email, so senders fail fast instead of
retrying.
Own several domains and not sure which are exposed? Scan them, then reply to your report — we're developers and we'll lock down every parked domain you own for you.