Protect parked domains against spoofing

No-one wants to see their company be subjected to spoofed emails or suffer the well-documented consequences that forged emails can bring. Consequently, more and more companies are choosing to implement DMARC for their sending domains that are used for email.

But parked domains or domains that are not used for email are easily forgotten. These domains, too, are frequently targeted by spoofing – it is a security risk for companies and their customers, and it should not be overlooked. One method of reducing the risk is to use the DNS settings and the already existing security protocols to block outgoing email.

Protect your domains (that are not used for email) against spoofing

By using DNS settings and existing security protocols to block outgoing email, you can prevent spoofed emails from reaching inboxes all around the world. Technically, this means adding SPF, DKIM and DMARC records to the zone files of all these domains. Doing so tells receiving servers that no email from the domain should be accepted, and how to act when they receive an email that is not authorized.

NOTE: If the domain is actively used for email, the guide below should not be followed – read more about the DMARC service instead.

1. Create an SPF record for your domain, including its subdomains.

An SPF record determines which email servers are allowed to send email on behalf of a domain. Each time an email is received, the receiving email server checks the DNS record to see whether the server the email was sent from is authorized.

By configuring a parked domain's SPF record as shown below, you tell the receiver that no email server whatsoever is allowed to send email on behalf of this domain.

(Replace example.com with your own domain in all the examples below.)

```
example.com TXT v=spf1 -all
```

And the record below for subdomains:

```
*.example.com TXT v=spf1 -all
```

2. Add DKIM

DKIM lets the receiving server verify that an email comes from the domain it claims to come from, and that its contents have not been manipulated. The sending email server signs each email with a private key, and the matching public key is published in the domain's DNS.

An empty value for the public key (p=) means that the key has been revoked. The result is an invalid DKIM signature, so the DKIM check at the receiving email servers should fail.

```
*._domainkey.example.com TXT v=DKIM1; p=
```

This DKIM record covers both the domain and its subdomains, and states that all email sent from these domains should be considered forged.

3. Use DMARC

DMARC ties SPF and DKIM together and states how email should be handled if it fails the SPF and DKIM checks. There are three policies:

  • Monitoring only (“p=none”)
  • Quarantine as spam (“p=quarantine”)
  • Instant rejection (“p=reject”)

By following the above for SPF, DKIM and DMARC, the message is that no email is legitimately sent from this domain, and any email that does appear should be rejected.

```
_dmarc.example.com TXT v=DMARC1; p=reject;
```

P.S. If you want to monitor the email traffic for the domains in question, you also need to add a receiving address for the aggregate XML reports (RUA) that receiving email servers send. If you have a DMARC partner, ask them about an optimal reporting setup.
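To check that a parked domain actually carries the three records described in steps 1 to 3, the following Python audit (an added example, not part of the original guide or Dotkeeper's tooling) takes the TXT records for a domain and reports any deviation from the lockdown policy: a missing or softfail SPF, a wildcard DKIM record whose p= is not empty, or a DMARC policy weaker than reject. The zone data is constructed sample input; in practice it would come from TXT lookups of the same names.

```python
"""Audit DNS TXT records against the parked-domain policy (SPF -all, revoked
DKIM key, DMARC p=reject). The zone data here is constructed sample data."""
import re

# Constructed sample zones keyed by record name (normally fetched via DNS).
PARKED_ZONE = {
    "example.com": ["v=spf1 -all"],
    "*.example.com": ["v=spf1 -all"],
    "*._domainkey.example.com": ["v=DKIM1; p="],
    "_dmarc.example.com": ["v=DMARC1; p=reject;"],
}
WEAK_ZONE = {  # common mistakes: softfail SPF, no wildcard records, p=none
    "example.com": ["v=spf1 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' style record (DKIM/DMARC) into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(domain, txt):
    """Return a list of findings; an empty list means the domain is locked down."""
    findings = []
    def first(name, prefix):  # first TXT record at `name` starting with `prefix`
        return next((r for r in txt.get(name, []) if r.lower().startswith(prefix)), None)
    # Step 1: the domain and its wildcard must both carry a plain 'v=spf1 -all'.
    for name in (domain, f"*.{domain}"):
        spf = first(name, "v=spf1")
        if spf is None:
            findings.append(f"{name}: no SPF record")
        elif not re.fullmatch(r"v=spf1\s+-all", spf.strip(), re.I):
            findings.append(f"{name}: SPF is not a plain 'v=spf1 -all' ({spf})")
    # Step 2: wildcard DKIM selector with an empty (revoked) public key.
    dkim = first(f"*._domainkey.{domain}", "v=dkim1")
    if dkim is None or parse_tags(dkim).get("p", "missing") != "":
        findings.append(f"*._domainkey.{domain}: wildcard DKIM record with empty p= is missing")
    # Step 3: DMARC policy must be reject, not none or quarantine.
    dmarc = first(f"_dmarc.{domain}", "v=dmarc1")
    if dmarc is None:
        findings.append(f"_dmarc.{domain}: no DMARC record")
    elif parse_tags(dmarc).get("p", "").lower() != "reject":
        findings.append(f"_dmarc.{domain}: DMARC policy is not p=reject ({dmarc})")
    return findings
```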

“Job half done”

In order to protect your name and reputation, it is important that you own the right domain names. This includes relevant misspelled domains (typosquatting). Owning such domains is an important tool against spoofing and other potential risks.

At Dotkeeper we are happy to answer questions about how you can protect yourself against email fraud, and to help you onwards with preventing email from parked domains. Drop a line at hej@dotkeeper.com and we will get in touch!