How to protect domains that don’t send email
A domain that doesn’t send email can be used in phishing and spoofing attacks. If you have a domain that you do not use to send any email from, for example a domain that redirects to a landing page or a misspelling of your main domain, it’s important to effectively “shut down” email on that domain. Not only does this protect your reputation, but you can help prevent others from being attacked.
To lock down your domain, you need to add or edit some DNS records. The first one is an SPF record. We automatically add a SPF record when you add a domain to your hosting account. You can find your SPF record for any domain by following these steps:
- Login to cPanel
- Click on Zone Editor
- Click “Manage” next to the domain you want to mange
- Filter by TXT records.
- Look for a record that starts with “SPF”.
You will probably see it as simple as:
v=spf1 ipv4:<serverIP> +a +mx ~all
Edit the record and replace it with the following:
If you don’t see a record that starts with “v=spf1” then you do not have a SPF record and you need to create it.
To create a new record, click on Add Record and select Add TXT Record:
In the name column, enter your domain name followed by a full stop, for example:
example.com. Leave the TTL and Type as default. In the record box, type in
v=spf1 -all and click save.
Next, look for a domain key record. It will look something like this:
If you already have one, edit it and change the
default to a
* which is a wildcard.
default is the selector and changing it to a
* is a wildcard meaning it will match anything. Edit the record so that it looks like the following:
v=DKIM1; p= and save the record.
If you’re missing a domain key record, create it just like the SPF. Be sure to set the name to
*._domainkey.yourdomain.com. replacing yourdomain.com with your actual domain.
The last DNS record to find or add is a DMARC record. This one you may not have and will probably need to create. It’s also a TXT record and it looks like:
_dmarc.example.com and the record value can vary. Edit or create this record with the following:
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s
All together, your TXT records should look like this:
With these three records in place, you have effectively shutdown email on the domain and have prevented spoofing.
Note: You can still receive email on this domain, you just cannot send email from it.
If you have questions or run into issues, please open a ticket: https://my.nodespace.net/submitticket.php