In order of importance: set up DMARC and then set up DNSSEC. Fill in the NULL MX records and SPF records for every A and AAAA record if you want to go the extra mile. It's much less important than the baseline. DMARC will still reject spoofed mail without having an SPF record.
Conversation
I agree that null MX is a good thing.
But I think it is only needed for domains that are having unauthorized email sent on their behalf.
DMARC makes it easier to identify these domains. At least from recipients that participate in DMARC.
1
I think you're misunderstanding the purpose of null MX. It declares that the domain doesn't receive email. It doesn't forbid sending mail. It can still be used to send email that passes DMARC verification via either a valid and aligned DKIM signature or valid and aligned SPF.
1
I’m aware of the difference.
If I have control of my DNS, and the firewalls / daemons in the A / AAAA records that don’t have a null MX, and MXs for the parent names are properly configured to not handle mail for child domains, then what is the effective difference?
1
Email for child names is still not going to come in.
So I don’t see a need for a null MX other than to indicate to others to not send email to the domain.
I’m not aware of a sufficient number of receiving servers rejecting email if they can’t send to the purported source.
2
Again, you're misunderstanding the purpose of null MX. It announces that a host does not receive email. It is not about sending email. The purpose of null MX is so that a mail server can immediately see that it cannot send email to that host. It doesn't need to keep retrying.
3
The RFCs recommends that mail servers attempt to send email repeatedly over a substantial period of time if they get a soft failure. Attempting to connect to a mail server via the A or AAAA record and not finding one is a soft failure. It could just be temporarily down.
2
The purpose of null MX is to immediately inform the sender that they CANNOT send mail to the host. They should not keep trying to do it repeatedly as they would normally be expected to do. It's not an anti-spoofing mechanism. It's not about sending mails. It allows fast fail.
2
It allows the software sending the mail to quickly report that they cannot send mail to that domain. Otherwise, they would keep retrying for days and eventually produce an error message. If you want it fully set up, you need one for every A/AAAA record. That's the point.
1
Agreed.
But as a would be receiving domain owner, why do I care what someone goes through trying to send to a domain that they should not be using?
What is the ROI for the domain publishing the null MX record?
1
So that if someone tries to send an email to your host they get immediately noticed instead of days / weeks later where they can't even remember what it was they sent anymore. It might actually help you. It's a nice UX improvement by having a nice hard fail error immediately.
I don't really see much connection to spam or anti-spoofing. It's a minor usability and resource saving feature. It's a nice little extra. I personally configure SPF and null MX for every A/AAAA record that shouldn't send email but neither of those actually does much in practice.
2
Since SPF alone does not prevent spoofing at all (since it passes with MAIL FROM) even with a hard fail policy and a receiver fully enforcing SPF, and DMARC does not treat absence of SPF as SPF passing, so p=reject with no DKIM signature and no SPF policy results in rejection.