Spammers quite often ‘spoof’, or fake, the from address of an email.
As a result of this, many unsuspecting domain owners are being ‘blamed’ for spam that appears to come from their domain.
Fortunately, there is a relatively easy way to protect your domain from this: Publish DMARC policies.
If you are publishing SPF records and signing your email with DKIM, you can publish DMARC policies that tell receiving mail servers what do with emails that don’t align with the SPF and DKIM information.
SPF policies are DNS records that indicate what mail servers your mail is sent from.
DKIM is a way to add digital signatures to your email so that receiving mail servers can verify it was sent from an authorized source and that it wasn’t modified in transit.
Now what if you have a domain that you NEVER send email from?
Protecting those domains from being used in spam is even easier.
To protect your domain from being the victim of this tactic, you can essentially flag your domain to indicate it never sends email.
To do this, you implement a policy that states: Reject all mail that doesn’t align with published email policies.
What you need to do is go into your domain’s DNS manager and add two TXT records …
- A SPF record on the “@” (or root) domain containing “v=spf1 -all”. This tells a receiving mail server that you send from no servers and it should reject all others.
- Another TXT record named ‘_dmarc’ with the value “v=DMARC1; p=reject;”.
This DMARC policy tells receiving mail servers that it should reject all mail that doesn’t align with published SPF & DKIM information.
Since you aren’t publishing SPF or DKIM records, every email violates the policy, and all mail should be rejected.