It's only logical to use DMARC to avoid email spoofing. Nobody wants spam emails from a spoofed domain, which may easily lead to a successful phishing attack or a breach of company email channels. However, for domains that don't transmit or receive an email, have you set up DMARC? It makes sense for facebook.com to also own facenook.com as an insurance policy against phishing campaigns and attackers.

Turn off Mailing for Parked Domains

Why publish a DomainKeys Identified Mail (DKIM) entry in your DNS if you're never going to cryptographically sign outgoing email? It may sound illogical. Why bother with a Sender Policy Framework (SPF) record if you'll never get a legitimate email from your domain? It's because it's a failsafe.

These are the recommended methods for preventing faked mail from being delivered by a fraudster using a domain you control when combined with a DMARC record and a null mail exchanger (MX) record.

Implement SPF for a Parked Domain

Because you, as the domain operator, will publish a DNS TXT record notifying the world which servers may send an email on behalf of that domain, SPF prevents fraudsters from sending emails from a domain they don't control. When email service providers receive an email, they verify the DNS entry for the host in question to determine if it is permitted.

To avoid email spoofing, configure the SPF for a parked domain as follows:

example.com. TXT "v=spf1 -all"

Implement DKIM for Parked Domains

Most email providers now support DKIM, in which the email server uses a private key to cryptographically sign outgoing emails, and the corresponding public key is published in the Domain Name System (DNS). DKIM informs recipient email servers that the incoming email is from the server it claims to be from and that it has not been tampered with in transit.

According to RFC 6376, which controls DKIM, an empty public key value (p=) indicates that ‘this public key has been revoked’. This has the de facto effect of announcing that no valid DKIM exists for this domain, and as a result, all DKIM tests by receiving email servers should fail.

*.example.com. TXT “v=DKIM1; p=”

Implement DMARC for Parked Domains

SPF and DKIM are linked by DMARC in two ways. A domain's DMARC record is first published as a public declaration of what should happen to an email that fails both SPF and DKIM tests: Only monitor (p=none), quarantine or mark as spam (p=quarantine), and outright reject (p=reject).

Second, DMARC requires SPF and DKIM alignment, which generally involves including third-party email senders like Mailchimp, Zendesk, and others in your SPF record.

_dmarc.example.com TXT "v=DMARC1; p=reject;

rua=mailto:[email protected]; ruf=mailto:[email protected]”

Implement a Null MX record

Another precaution that can be taken to thwart faked emails on parked domains is to use a null MX record, as defined by RFC 7505.

example.com MX 0.

*.example.com MX 0.

The first line informs the world that the domain does not have an email service. The second line conveys that no email service is accessible for any subdomains.

These methods will help you implement a failsafe system that doesn’t only protect your original domain but misspelled domains that may have been used for phishing and spoofing. To learn more about Email Authentication, head to EmailAuth.

Original source:
https://www.evernote.com/shard/s373/sh/074065ac-6520-b5c9-4725-a6b4...