If you have domains that you're not using for email, please set up DNS records to prevent spammers from using them.
. TXT "v=spf1 -all"
. MX . 0
_dmarc. TXT "v=DMARC1; p=reject;"
Conversation
Is this just primary domains, or subdomains too? If I have SPF/MX established for mydomain.invalid do I also need such records for blog.mydomain.invalid or mail.mydomain.invalid too?
3
Many things for sub-domains should percolate up to parent domains with these records.
Emphasis on โshouldโ.
1
2
You need to add the NULL MX and SPF records alongside every A and AAAA record. DMARC applies to subdomains unless they provide their own policy. Just make sure not to have a permissive policy for subdomains via the sp parameter. SPF hardly does anything. It's DMARC that matters.
DMARC requires valid, aligned SPF / DKIM. The policy specifies what to do when it fails to pass. A p=reject policy will prevent spoofed emails from the domain to providers enforcing DMARC. SPF itself doesn't stop spoofing since it does not need to be aligned with the FROM header.
2
1
3
Also, hardly anyone enforces SPF even with a hard fail policy, but it's not particularly relevant since it doesn't have to be aligned. SPF will pass with a spoofed FROM header as long as MAIL FROM (relay) passes. DMARC is what makes SPF and DKIM actually function properly.
2
1
2
Show replies