If you have domains that you're not using for email, please set up DNS records to prevent spammers from using them.
. TXT "v=spf1 -all"
. MX . 0
_dmarc. TXT "v=DMARC1; p=reject;"
Conversation
Is this just primary domains, or subdomains too? If I have SPF/MX established for mydomain.invalid do I also need such records for blog.mydomain.invalid or mail.mydomain.invalid too?
3
Probably just for domains that you have MX records for Tim.
1
1
If an MX isn't present, mail should fall back to the A/AAAA for any domain, suggesting I might need SPF info for all sub-domains too (not sure about any wildcard subdomains),
2
Ideally, you should add a NULL MX record alongside every A or AAAA record along with an SPF record. However, all that really matters is the top-level DMARC policy for the domain. SPF hardly does anything by itself. It's DMARC with a reject policy that prevents spoofing emails.
SPF can pass based on MAILFROM rather than FROM, i.e. someone can spoof an email from your domain but send it from a relay with valid SPF. SPF does not prevent spoofing. DKIM doesn't either since mail doesn't have to be signed. It's DMARC that makes this actually stop spoofing.
1
1
So, definitely have a p=reject (or at least p=quarantine) DMARC record for every domain. If you want to be a perfectionist, add the NULL MX and SPF records for every single A or AAAA record but... those don't do much. NULL MX just gives fast fail which is nice for mail servers.
1