
How do I protect domains that don’t send email?

Protect Domains that don’t send email

The fact that email is a vital part of business is undeniable. More than 350 billion emails are sent every day, and it is estimated that less than 15% of them are legitimate or requested. Make sure that you don’t let spammers and phishers use your domains to send email that pretends to be you.

To do this you must protect domains that don’t send email. You achieve this using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) in exactly the same way that you do for your primary domain.

Why have Domains that don’t send email

Companies often have multiple domains. Sometimes these are as simple as the same name under multiple Top Level Domains (TLDs). This is done to help protect the company name and brand from cybersquatting. For example, a company might own Company.co.uk, Company.com, Company.eu etc.

In this case the domains and, usually, the www.Company hosts are redirected to the domain that the company considers to be its primary domain. That is the domain where it hosts its website. This means that whenever someone tries to visit any of the other domains they automatically get redirected to the company website on the primary domain.

Sometimes this happens as the result of an acquisition or company merger, where the domain of the acquired company is forwarded to the new company. Occasionally domains are acquired for brand protection of specific products. They may host a website but they are rarely used to send email.

The same is normally true for inbound email. For example, email addressed to bob@Company.com gets sent through to bob@Company.co.uk. However, people rarely think about outbound email, as they just know which domain they are going to be using for sending email.

Protect domains that don’t send email

You protect domains that don’t send email in exactly the same way as you do for your email domains and use SPF, DKIM, and DMARC to protect your email and tell receivers what to do if they receive an email out of policy.

  • Sender Policy Framework, or SPF for short, is a DNS text record that lists the domain names, or IP Addresses, which are allowed to send email on behalf of your domain.
  • DomainKeys Identified Mail, or DKIM, DNS records present a digital signature which authenticates the sender as being authorised to send email.
  • Domain-based Message Authentication, Reporting and Conformance, or DMARC, records hold the policy on what should happen to an email if it fails the SPF or DKIM checks.

The policy failure options are:

  • p=none – Do nothing, let the email through. Normally used during setup and discovery
  • p=quarantine – Send the email through to Spam and let the end user decide
  • p=reject – Reject the email

How should I set SPF, DKIM and DMARC records for domains that don’t send email

You protect domains that don’t send email by setting SPF, DKIM, and DMARC.

  • SPF: set this to v=spf1 -all
    • i.e. no domains or IP addresses configured and fail anything not listed
  • DKIM: create a TXT record called *._domainkey.yourdomain.com and set it to v=DKIM1; p=
    • Where yourdomain.com is your domain name, e.g. systemassure.co.uk
    • p= is an empty public key, as there is no signature
  • DMARC: create a TXT record called _dmarc.yourdomain.com and set it to v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s
    • v=DMARC1 tells the server that this DNS record contains a DMARC policy.
    • p=reject indicates that email servers should reject emails that fail DKIM and SPF checks.
    • adkim=s represents something called the alignment mode. In this case, the alignment mode is set to “s” for strict. Strict alignment mode means that the server of the email domain that contains the DMARC record must exactly match the domain in the From header of the email. If it does not, the DKIM check fails.
    • aspf=s serves the same purpose as adkim=s, but for SPF alignment.

This then tells anyone receiving email that claims to come from your domain: if you have received anything, fail the email. If the email has failed then it should be rejected, for the domain and all subdomains.
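One way to check that a non-sending domain carries the three records described above, as an added example (not code from this page or its author). The function names, the `example.test` domain and the sample record sets are constructed for illustration, and the TXT strings are passed in rather than looked up in DNS.

```python
# Added example: audit the TXT records of a domain that should never send mail.
# Records are compared literally with the values recommended on this page;
# protocol defaults for missing tags are not inferred.

def parse_tags(txt):
    """Split a 'k=v; k=v' DKIM/DMARC record into a dict (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(domain, txt):
    """Return a list of findings; an empty list means the domain is locked down."""
    findings = []
    # SPF: exactly one record, and it must be the bare "v=spf1 -all".
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected 1 record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: '{spf[0]}' is not 'v=spf1 -all'")
    # DKIM: wildcard selector record with an empty public key (p=).
    dkim = [parse_tags(r) for r in txt.get(f"*._domainkey.{domain}", [])]
    if not any(t.get("v") == "DKIM1" and t.get("p") == "" for t in dkim):
        findings.append("DKIM: no wildcard record with empty p=")
    # DMARC: reject for domain and subdomains, strict alignment for both checks.
    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected 1 record, found {len(dmarc)}")
    else:
        wanted = {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}
        for tag, value in wanted.items():
            got = dmarc[0].get(tag, "").lower()
            if got != value:
                findings.append(f"DMARC: {tag}={got or '(missing)'}, want {value}")
    return findings

# Constructed sample record sets for a placeholder domain.
GOOD = {
    "example.test": ["v=spf1 -all"],
    "*._domainkey.example.test": ["v=DKIM1; p="],
    "_dmarc.example.test": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
}
WEAK = {
    "example.test": ["v=spf1 ~all"],           # soft fail instead of -all
    "_dmarc.example.test": ["v=DMARC1; p=none"],  # monitoring only, no DKIM record
}
```

Running `audit_parked_domain("example.test", WEAK)` lists each tag that differs from the recommended records, which makes it easy to spot a domain left at p=none after setup.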

To find out more about DMARC and how it can help your business, complete the form. We can set up a 2 week trial and provide you with a free DMARC status report.

This will highlight:

  • The volume of email sent during the period 
  • How much of the email was compliant
  • The volume of emails sent illegally 
  • Where the illegal email is coming from
  • Next steps

Read more about our email Security DMARC Reporting service. Start protecting your business email and your customers from illegal Spam.