12

I have some domains registered that do not send mails.

I have totally removed MX record for these domains on my DNS.

Is it still useful to set an SPF record in order to prevent spammers from sending mail as these domains?

I read here that for domains that do not send mail the SPF record setting is always:

mydomain.it. TXT "v=spf1 -all"

This is the simplest possible SPF record: it means your domain mydomain.it never sends mail.

But do I still need to set these since I even removed the MX record?

What I'm afraid of is that some spammer uses one of these domains (domainA) to send spam; since domainA is on the same IP as domainB, which DOES send mail, I'm afraid an ISP could ban as spam all mail coming from that IP, and therefore mail coming from domainB would be banned too.

Thanks!


FYI: I'm using a cPanel account with a dedicated IP to host the domains; the mail server uses the same dedicated IP.


UPDATE: from the answers below I understood that for this specific case, SPF records are not needed except for helping the internet recognize immediately as spam a spoofed email address using one of those domains. But no one answered the last part of my question.

  1. Spammer sends mail pretending to be name@domainA.com
  2. domainA.com does not have MX record
  3. ISP recognizes name@domainA is spam; does the ISP ban the IP of domainA, or just domainA???
  4. If the ISP bans the IP of domainA, the poor domainB (with MX record) that DOES send email and is on the same server IP would get banned too, wouldn't it?
Marco Demaio
  • If 4. ever happened it would be trivial to get other people's domains banned. It doesn't work that way. – JamesRyan May 29 '12 at 11:30
  • 4 is exactly how the internet works. You should make sure you do not share the same IP address with a spammer, or even share the same subnet. Very often, if the web hosting fails to be proactive, their whole subnet is listed by Spamhaus. Controversial yet very effective. Which is why choosing a reputable and proactive shared host is important. – Henry Chan Jul 17 '16 at 06:24

7 Answers

12

No, SPF records are NOT required if your domain doesn't send emails.

However, for the benefit of reducing the risk of spam mail coming from that domain, setting the SPF record to

"v=spf1 -all"

is good, so that SPF-checking servers see this and automatically reject email from that domain.

anthonysomerset
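To make concrete what an SPF-checking receiver does with the record above, here is a small evaluator (an added example, not code from any answer on this page). It handles only `ip4:`/`ip6:` mechanisms and the `all` term, so it needs no DNS lookups; the domain names and IP addresses in the sample records are constructed.

```python
import ipaddress

# Constructed sample TXT records, keyed by domain (not real zones).
SPF_RECORDS = {
    "domaina.example": "v=spf1 -all",                   # never sends mail
    "domainb.example": "v=spf1 ip4:203.0.113.10 -all",  # sends only from this IP
    "nospf.example": None,                              # publishes no SPF at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(domain: str, sender_ip: str, records=SPF_RECORDS) -> str:
    """Return the SPF result a receiver would compute for mail claiming to
    come from `domain` and arriving from `sender_ip`."""
    record = records.get(domain)
    if record is None:
        return "none"                     # no record: receiver can't tell
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                   # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "-all": fail for every other sender
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"            # include/a/mx etc. not supported here
    return "neutral"                      # nothing matched and no "all" term


if __name__ == "__main__":
    for dom in SPF_RECORDS:
        print(dom, "from 203.0.113.10 ->", check_host(dom, "203.0.113.10"))
```

With `v=spf1 -all` every sender IP reaches the `-all` term and gets `fail`; a domain with no record at all yields `none`, which is the state that leaves the receiver with nothing to act on.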
9

If you don't intend to send mail from this domain, why let anyone else use it as they wish? But things have changed since this question was asked eight years ago. SPF can only protect your domain from being used as the envelope sender, but SPF can't protect the From: header.

I'd go even further by adding a DMARC alignment.

@       IN      TXT     "v=spf1 -all"
_dmarc  IN      TXT     "v=DMARC1; p=reject; aspf=s; adkim=s;"

All subdomains inherit the DMARC policy, but SPF isn't inherited by subdomains. Therefore, you'd need to add a corresponding SPF record for every A record you have, too.

There's no need to publish any DKIM records as there's no-one signing the messages anyway.

I didn't add the rua= and ruf= because in this situation there shouldn't be any false positives to be fixed. If you are curious enough to collect data on how much this domain is used for spoofing, you can add e.g.

rua=mailto:dmarc-report@example.com; ruf=mailto:dmarc-report@example.com; fo=0:d;
Esa Jokinen
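The reason DMARC closes the gap SPF leaves in the From: header is alignment: a receiver only treats the message as authenticated when the SPF-checked envelope domain (or a DKIM signing domain) matches the From: domain. The following added example (not code from the answer above) parses the record shown above and applies that rule; the domain names are constructed, and the organizational-domain lookup is simplified to the last two labels where a real implementation would use the public suffix list.

```python
# DMARC record from the answer above; everything else here is an added example.
STRICT_POLICY = "v=DMARC1; p=reject; aspf=s; adkim=s;"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, applying the RFC 7489
    default (relaxed) for the alignment modes when they are absent."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(name: str) -> str:
    # Simplification: treat the last two labels as the organizational domain.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only
    needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, from_domain: str, spf_result: str,
                      spf_domain: str, dkim_result: str = "none",
                      dkim_domain: str = None) -> str:
    """Return 'pass' when an aligned SPF or DKIM pass exists, otherwise the
    policy from the p= tag (none / quarantine / reject)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Forged From: header, envelope sender is the spammer's own domain with a
    # passing SPF record: SPF alone is happy, DMARC alignment is not.
    print(dmarc_disposition(STRICT_POLICY, "domaina.example",
                            "pass", "spammer.example"))   # reject
```

Two cases matter for a non-sending domain: an envelope sender that uses the domain itself fails SPF because of `-all`, and an envelope sender that uses some other domain may pass SPF but is not aligned with the forged From: header. Under `p=reject` both end up rejected, which is what the SPF-only setup could not achieve for the second case.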
8

You don't strictly need to publish any SPF records at all, it is a voluntary system.

That said, if you do publish an SPF record, you can:

  • Help the Internet at large a tiny, tiny bit because it gives spammers one less domain to spoof. (Marginal benefit, but...)
  • Help preserve your domain's 'reputation' by making it less likely to be spoofed in spam.
  • Proactively show that your domain isn't engaged in some MX-record-less hack yet still (by mistake perhaps) sending emails.

Update after OP's update: OK, so first off, it sounds a bit wrong that there are "many" domains on this IP and adding SPF for them all is difficult -- you shouldn't have domains you don't have a reasonable need for.

Regarding blacklisting: Generally, most IPs won't blacklist anyone for 'smaller' spam volumes. There is no way to say what criteria an ISP might blacklist on, since there are many different ISPs out there, and each is entitled to his own opinion. That said, if it came to blacklisting for you (unlikely), then the most likely targets are MX records and ranges of IP addresses.

  • SPF record is not in place, not true it would take me nothing to add the record `mydomain.it. TXT "v=spf1 -all"`, because I have many domains. Good idea about preserving the domain reputation, but what about other domains on same IP? (plz see my question update). – Marco Demaio Jul 22 '11 at 17:15
  • @Jasper Mrtensen: thanks for the update, about what you say `you shouldn't have domains you don't have a reasonable need for` I need those domains because I have customers that want them. – Marco Demaio Jul 23 '11 at 15:53
5

You can add those SPF records and they will help prevent some of your concerns. SPF is always optional but nice to do.

UPDATE

As to the second part of your question, it sounds like the issue is really about how email works and how "banning" works.

  1. OK
  2. OK
  3. It bounces the message. That is different than banning. There is a separate process that can result in listing the offending IP address, not of domainA, but of the sender's network IP address and potentially IP addresses also in the same network, in a blacklist.
  4. See above.

Banning isn't done only by domain. Rather the offending network is where the battle is most frequently fought. It's generally a DNS mechanism but other methods exist in addition.

Your fear about affecting legitimate email from another domain really comes down to how that IP network behaves and whether it is generally spammy or not. Even getting banned is usually a temporary thing. You get listed on a blacklist and then you eventually get removed.

Stay on top of any abuse emails from your ISP. This is a sign that someone is reporting you for spam and you may have some trouble.

dmourati
1

It is a best practice to have a "does not send" SPF record (i.e. "v=spf1 -all") on every HOST within a domain that doesn't otherwise have a different SPF record -- as well as for the domain itself plus any non-host label in the domain that has MX or SMTP-service-SRV records. The idea is to permit detection that the host-part of a sending mailbox is forged, and for those idiots that don't check others' SPF records, that you have protected all possible labels in your domain that could be backscatter targets.

Is it optional? Not really if you want to avoid any potential for your domain(s) being abused.

Mr. X
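Both this answer and Esa Jokinen's make the same operational point: because SPF is not inherited, every label that resolves to a host needs its own "does not send" record, and the check is easy to get wrong by hand across many domains. The script below is an added example (not from either answer) that walks a zone and emits the missing records. The zone contents are constructed; it treats A, AAAA and MX owners plus the apex as needing a record, skips owners that already publish SPF, and skips CNAME owners, since a CNAME cannot coexist with a TXT record at the same name.

```python
# Constructed sample zone for a domain that never sends mail, as
# (owner, type, rdata) tuples in the order they would appear in a zone file.
ZONE = [
    ("@",         "A",     "203.0.113.10"),
    ("www",       "A",     "203.0.113.10"),
    ("www",       "AAAA",  "2001:db8::10"),
    ("blog",      "CNAME", "www"),                                # cannot hold TXT
    ("mail",      "A",     "203.0.113.11"),
    ("mail",      "TXT",   '"v=spf1 ip4:203.0.113.11 -all"'),   # already has SPF
    ("_sip._tcp", "SRV",   "0 5 5060 sip.domainb.example."),
]

NO_MAIL_SPF = '"v=spf1 -all"'
STRICT_DMARC = '"v=DMARC1; p=reject; aspf=s; adkim=s;"'


def owners_with_spf(zone):
    """Owners that already publish an SPF TXT record."""
    return {owner for owner, rtype, rdata in zone
            if rtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1")}


def owners_needing_spf(zone):
    """The apex plus every label with an A/AAAA/MX record, minus labels that
    already have SPF and minus CNAME owners."""
    cnames = {owner for owner, rtype, _ in zone if rtype == "CNAME"}
    need = {"@"}
    for owner, rtype, _ in zone:
        if rtype in ("A", "AAAA", "MX"):
            need.add(owner)
    return sorted(need - owners_with_spf(zone) - cnames)


def generate_records(zone):
    """Records to add: a '-all' SPF for each uncovered owner and, if the
    zone has no _dmarc TXT yet, a strict reject policy at the apex."""
    out = [(owner, "TXT", NO_MAIL_SPF) for owner in owners_needing_spf(zone)]
    txt_owners = {owner for owner, rtype, _ in zone if rtype == "TXT"}
    if "_dmarc" not in txt_owners:
        out.append(("_dmarc", "TXT", STRICT_DMARC))
    return out


def as_zone_lines(records):
    """Render records in the same column layout as the answer above."""
    return ["%-10s IN %-5s %s" % rec for rec in records]


if __name__ == "__main__":
    print("\n".join(as_zone_lines(generate_records(ZONE))))
```

Run against the sample zone it proposes `@` and `www` (the host with an A record is not covered by the apex record), leaves `mail` alone because it already publishes SPF, and adds the `_dmarc` policy once for the whole domain, which the subdomains then inherit.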
0

No, you don't need it. If you aren't running an SMTP server, no spammer can contact your server. But you could leave it, so others can check your domain records when deciding if they deal with spam.

Sven
  • And what about other domains that DO sends mail on same server IP? (plz see my question update). – Marco Demaio Jul 22 '11 at 17:16
  • To protect your reputation I'd remind that this opinion has become a bit outdated. :) – Esa Jokinen Feb 25 '19 at 08:37
  • @EsaJokinen: You are probably right :) – Sven Feb 25 '19 at 08:57
  • I used to have `"v=spf1 -all"` + DMARC `"v=DMARC1; p=reject; aspf=s; adkim=s;"` on domains that are merely for some redirects or static web pages and were never intended for email, and shared that as a new answer here. (In my setups, there are `MX` servers that usually reply to every `RCPT TO` address with a connection-stage reject having a human readable message "see site for contact information", but that's just good customer service and too far away from what has been asked. :) ) – Esa Jokinen Feb 25 '19 at 09:13
0

If you have the time, it would be best to have SPF records on all your domains, even if it's just the fail all record. If you don't, then add an SPF record only to those domains that you do send mail from.

If a spammer fakes your domain or IP, the SPF record will help minimize the damage--and signing with DKIM would do even better--but there's nothing at present that will completely prevent there being some damage to your domain reputation. You just have to be ready to repair it by contacting any ISPs that might block your mail as a result--which I must say is very unlikely unless someone is specifically targeting you. (There are delivery consultants out there who can help with the repairing, too.)

Even though domain reputation is becoming more important, many ISPs still block mail based on IP addresses. They also block mail containing domains (not just from, but having the domain anywhere in the email) with poor reputations. So the answer is yes, having domainA blocked can affect domainB if they send through the same IP address or domainA is contained in mail sent from domainB.

John