Protecting Parked Domain Names

A domain name that is registered without an immediate need to use it, or that is used only in a limited context, is often referred to as "parked". These domains and subdomains are not meant to send email, and publishing specific DNS record types helps stop third parties from abusing the domains and their reputation.

SPF (Sender Policy Framework)

Create an SPF TXT record in DNS that authorizes no senders. This is referred to as a "naked" -all record.

example.com TXT "v=spf1 -all"

Create a record for each subdomain, unless wildcard records are allowed by your DNS provider. 

*.example.com TXT "v=spf1 -all"

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Create a DMARC TXT record that tells mail receivers to reject email that fails the DMARC checks.

_dmarc.example.com TXT "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1"

Including the RUA tag in a DMARC record allows you to receive reports of potential abuse, but this is optional and may cause extreme quantities of failure reports.

Null MX Record

If you have an "A record" but no MX record, you should create a null MX record to fail any email to that domain. If you don't, a mail server may try to send email to the host in the A record, which may be outside your control. Create a record of type MX with a priority of 0 (highest priority) and a host name of "." (a single dot).

example.com MX 0 .

For all subdomains...

*.example.com MX 0 .

Wildcard DKIM Key

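An email with no valid DKIM signature will be treated with more caution. A wildcard DKIM record with an empty p= value publishes a revoked key, so any DKIM signature that claims to come from the domain fails verification.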

*.example.com TXT "v=DKIM1; p="

Certificate Authority Authorization (CAA)

Specify that certificates should not be issued for the domain. Create a nullified CAA record in DNS.

example.com CAA 0 issue ";"

and for subdomains...

*.example.com CAA 0 issue ";"
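
Added example (not part of the original page): a short Python audit that parses zone lines in the layout used above and reports which of the parked-domain records described here are missing. It checks the apex records and the wildcard DKIM record only; the sample zone is constructed and the function names are illustrative.

```python
import shlex

# Constructed sample zone in the page's "name TYPE value" layout. It is
# deliberately incomplete: DMARC is only p=none and there is no null MX.
SAMPLE_ZONE = '''
example.com TXT "v=spf1 -all"
*.example.com TXT "v=spf1 -all"
_dmarc.example.com TXT "v=DMARC1;p=none;sp=reject;adkim=s;aspf=s;fo=1"
*.example.com TXT "v=DKIM1; p="
example.com CAA 0 issue ";"
'''

def parse_zone(text):
    """Return (name, type, [rdata fields]) for each record line."""
    records = []
    for line in text.splitlines():
        fields = shlex.split(line)  # keeps a quoted TXT string as one field
        if len(fields) >= 3:
            records.append((fields[0].lower().rstrip("."), fields[1].upper(), fields[2:]))
    return records

def tags(txt):
    """Split a 'k=v; k=v' TXT payload (DMARC, DKIM) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_parked(domain, zone_text):
    """Return the parked-domain protections that are missing for `domain`."""
    recs = parse_zone(zone_text)
    def txt(name):
        return [r[2][0] for r in recs if r[0] == name and r[1] == "TXT"]
    findings = []
    if not any(t.split() == ["v=spf1", "-all"] for t in txt(domain)):
        findings.append("SPF: no 'v=spf1 -all' at apex")
    dmarc = [tags(t) for t in txt("_dmarc." + domain) if t.startswith("v=DMARC1")]
    if not any(d.get("p") == "reject" for d in dmarc):
        findings.append("DMARC: policy is not p=reject")
    if not any(r[0] == domain and r[1] == "MX" and r[2] == ["0", "."] for r in recs):
        findings.append("MX: no null MX (0 .)")
    dkim = [tags(t) for t in txt("*." + domain) if t.startswith("v=DKIM1")]
    if not any(d.get("p") == "" for d in dkim):
        findings.append("DKIM: no wildcard record with empty p=")
    if not any(r[0] == domain and r[1] == "CAA" and r[2] == ["0", "issue", ";"] for r in recs):
        findings.append("CAA: no 'issue \";\"' record")
    return findings

if __name__ == "__main__":
    for finding in audit_parked("example.com", SAMPLE_ZONE):
        print(finding)
```

Run against the sample zone, it reports the weak DMARC policy and the missing null MX; an exported zone file in the same layout can be passed in place of SAMPLE_ZONE.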

Further Reading

https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf

https://datatracker.ietf.org/doc/html/rfc7489#section-6.3

https://www.gov.uk/guidance/protect-domains-that-dont-send-email

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization