Technical Recommendation of the National Cybersecurity Centre: Protection of "Parked" Domains
|Initial version of the document
If a domain is not used for sending email, it must have an associated DNS TXT record for SPF consisting of a "naked" -all. An example of such a record is the following:
exemplo.pt TXT "v=spf1 -all"
This record indicates that no address/server is authorised to send email on behalf of the domain "exemplo.pt".
In the case of sub-domains, their protection may take a little longer since a DNS record has to be created for each potential sub-domain which does not need to send email.
If a domain is not used for sending email, it must have an associated DNS TXT record for DMARC specifying "p=reject", configured as follows:
_dmarc.exemplo.pt TXT "v=DMARC1; p=reject; rua=mailto:rua@
The inclusion of the rua tag is important as it allows the domain owner to receive aggregate reports of possible abuse. The presence of a ruf tag is optional but recommended. As the "exemplo.pt" domain is not configured to receive email, the "rua" and "ruf" tags must specify an address belonging to an active email domain.
NULL MX Record
If you have an A and/or AAAA type DNS record (A/AAAA record) associated with your "parked" domain, you must create a "Null" MX record. If this record is not set, a forwarding server may try to send an e-mail message to the IP address specified in the A and/or AAAA record.
Therefore, a DNS record of type MX with a priority of 0 (highest priority) and a hostname of "." must be created:
exemplo.pt MX 0 .
DKIM Wildcard Registration
Setting a null or empty DKIM record is not absolutely necessary, since the e-mail message would probably be treated in the same way if there were no record at all.
However, setting such a record may be useful, since some recipients will treat a null DKIM record with extra care, as it explicitly revokes any cached keys.
The following record signals that no email can be signed on behalf of your parked domain:
*._domainkey.exemplo.pt TXT "v=DKIM1; p="
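The four records above can be checked together before a zone is published. The following is an added example, not part of the Centre's recommendation: it audits zone text in a simplified "owner TYPE rdata" form, and the sample zone, the report mailbox at reports.example.net and the function names are constructed for illustration.

```python
import re
# Constructed sample zone for a parked domain (not taken from the recommendation).
GOOD_ZONE = '''
exemplo.pt              TXT "v=spf1 -all"
_dmarc.exemplo.pt       TXT "v=DMARC1; p=reject; rua=mailto:dmarc@reports.example.net"
exemplo.pt              MX  0 .
*._domainkey.exemplo.pt TXT "v=DKIM1; p="
'''

def parse_zone(text):
    """Return (owner, type, rdata) tuples from simple 'owner TYPE rdata' lines."""
    pat = re.compile(r'\s*(\S+)\s+(TXT|MX|AAAA|A)\s+(.+?)\s*$')
    hits = (pat.match(line) for line in text.splitlines())
    return [(m[1].lower().rstrip('.'), m[2], m[3].strip('"')) for m in hits if m]

def tags(rdata):
    """Split a 'k=v; k=v' TXT payload into a dict (DMARC and DKIM syntax)."""
    return {k.strip().lower(): v.strip() for k, _, v in
            (part.partition('=') for part in rdata.split(';')) if k.strip()}

def audit_parked(domain, text):
    """List the recommendations from the page that the zone does not meet."""
    recs = parse_zone(text)
    def rdatas(owner, rtype):
        return [r for o, t, r in recs if o == owner and t == rtype]
    findings = []
    spf = [r for r in rdatas(domain, 'TXT') if r.lower().startswith('v=spf1')]
    if len(spf) != 1 or spf[0].split() != ['v=spf1', '-all']:
        findings.append('SPF: expected exactly one "v=spf1 -all"')
    dmarc = [tags(r) for r in rdatas('_dmarc.' + domain, 'TXT') if r.startswith('v=DMARC1')]
    if len(dmarc) != 1 or dmarc[0].get('p') != 'reject':
        findings.append('DMARC: expected one record with p=reject')
    else:
        rua = dmarc[0].get('rua', '')
        hosts = [u.rpartition('@')[2].strip().lower() for u in rua.split(',') if u.strip()]
        if not hosts:
            findings.append('DMARC: rua tag missing, no aggregate reports')
        elif any(h == domain or h.endswith('.' + domain) for h in hosts):
            findings.append('DMARC: rua points at the parked domain, which receives no mail')
    if rdatas(domain, 'A') + rdatas(domain, 'AAAA') and rdatas(domain, 'MX') != ['0 .']:
        findings.append('MX: A/AAAA present without the Null MX "0 ."')
    dkim = [tags(r) for r in rdatas('*._domainkey.' + domain, 'TXT')]
    if not any(d.get('v') == 'DKIM1' and d.get('p') == '' for d in dkim):
        findings.append('DKIM: no wildcard record with empty p= (optional on the page)')
    return findings

if __name__ == '__main__':
    print(audit_parked('exemplo.pt', GOOD_ZONE))
```

An empty list means all four records match the recommendation; the DKIM finding is informational, since the page treats that record as useful but not strictly necessary.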