10

What is the appropriate way to set up a DNS record that says "this domain has no mail server"?

I assume I need a special MX record to do this, otherwise it will be assumed that the A record is the answer.

I ask this question because it seems like it would be better to stop the mail at the front line, so it does not become the responsibility of the webserver to reject mail for the domain in question.

poige
  • 9,171
  • 2
  • 24
  • 50
700 Software
  • 2,163
  • 9
  • 47
  • 77
  • 2
    I am tempted to say set something like `MX 0 localhost.` That would bounce it back to the sender. – Zoredache Oct 04 '12 at 23:56
  • 3
    Don't run a mail server. – Michael Hampton Oct 05 '12 at 00:06
  • 5
    @Zoredache Bad mail admin! RFC violation. – HopelessN00b Oct 05 '12 at 00:06
  • How do you solve the mail for abuse@ ? Someone should read that mail. For every other mail address which is not given out (e.g. because it does not exist): tarpit with extreme prejudice. – Hennes Oct 05 '12 at 00:43
  • 1
    The abuse@ address is optional. Only an administrative email address is required and that doesn't have to be on the same domain. – John Gardeniers Oct 05 '12 at 03:52
  • 1
    The web server is never responsible for processing email. A web server would in fact only receive SMTP connection attempts if it was on the domain's A record address, there is no MX record *and* it listens on port 25. Even under those circumstances, because the web server doesn't speak SMTP those connection attempts would be silently ignored. – John Gardeniers Oct 05 '12 at 03:57

4 Answers4

10

Due to the fallback of directly contacting a host via its address records, a single "null MX" record of "MX 0 ." is the apparent preferred way to indicate that the host does not accept e-mail. This is similar to a "null SRV" record ("SRV 0 0 0 .") which specifically marks a service as not available (per the SRV-RR RFC 2782).

This has been standardized by RFC 7505 (as of December 2017 it is a proposed standard).

"MX 0 localhost." (or equivalent label pointing at ::1 and 127.0.0.1) is also acceptable but more appropriate for a host that must send mail to itself (e.g. cron job output) which does not accept external mail. Such hosts may have an operational mail server which is firewalled off from the Internet but other services are accessible.

Having no MX record and blocking the SMTP port does not stop people from wasting one's incoming bandwidth trying to contact a non-existent server. The single MX record methods above do prevent such traffic because address-type records are never tried when at least one MX record is present. This will probably not stop some spammers from trying to contact a host directly via its address records. However, as it does stop legitimate traffic from trying, you'll be able to identify spam sources with 100% certainty.

Using private addresses should not be used because one cannot tell where they'll end up. Using other reserved addresses (e.g. documentation address of 192.0.2.0/24) is also inappropriate except where trying to identify and trap spammers within one's own network when they try to connect.

Mr. X
  • 200
  • 1
  • 2
3

I don't know what the "standard" way is, but here's one I've run across: set an MX record to a loopback address.

I suppose any private IP address (or otherwise "invalid" IP - 0.0.0.0) would do the trick. I personally think it's kind of a lousy thing to do, but it would do what you want. You could couple it with a hostname like thisdomaindoesntacceptemail.sostopsendingit as a service to the mail admin who'll end up with the ticket for "email being down" because your domain won't accept email. :)

However, why not just remove the MX record, and set your firewall rules on the A record to block SMTP and TLS (and any other mail ports)?

That would get the point across, and any admin who does a lookup will see no MX record, and refused connections on the fallback A record will remove any doubt about the intent of your configuration, should anyone even look more closely after seeing no MX record.

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
  • 4
    If you are evil you could [TARPIT](http://en.wikipedia.org/wiki/Tarpit_(networking)) the SMTP ports. >:) – Zoredache Oct 05 '12 at 00:08
  • 1
    @Zoredache Or for even more confusing evil, use someone else's SMTP server as your `MX record`. – HopelessN00b Oct 05 '12 at 00:10
  • @Zoredache haha i will do that :)) – golja Oct 05 '12 at 00:31
  • 3
    To quote your own comment "Bad mail admin! RFC violation". – John Gardeniers Oct 05 '12 at 03:59
  • @JohnGardeniers Be fair. I did say I thought it was a lousy thing to do, and suggested a better, RFC-compliant solution as well. But we're not here to stop people from blowing their feet off, if that's what they decide the want to do, after having a chance to make a fully informed decision. – HopelessN00b Oct 05 '12 at 09:44
2

A simple TXT record will do this for you, set the SPF records to have a null value with a hard fail:

@ IN TXT "v=spf1 -all"
* IN TXT "v=spf1 -all"

That's how I ensure a domain can't be phished that I use to internal or non-mail services.

Matt Mc
  • 29
  • 1
1

I think specifying non-existent DNS name as domain mail hub (MX) would suffice.

UPD.: And finally there is https://datatracker.ietf.org/doc/html/draft-delany-nullmx-00

UPD. 2: This eventually evolved to a IETF proposed standard now: RFC 7505: A "Null MX" No Service Resource Record for Domains That Accept No Mail

poige
  • 9,171
  • 2
  • 24
  • 50
  • The RFCs permit falling back to the A record if no MX record exists. http://en.wikipedia.org/wiki/MX_record#History_of_fallback_to_A – Zoredache Oct 04 '12 at 23:54
  • 1
    Yes, let's add another broken DNS setup to the Internet. – John Gardeniers Oct 05 '12 at 03:58
  • @Zoredache, it says in *absence* of MX. – poige Oct 05 '12 at 08:09
  • @JohnGardeniers, who cares? You? Why? Either you have better idea, or you have really horrifying visions of why mine would be too bad to ever think of. So, what's yours? Neither? – poige Oct 05 '12 at 08:10
  • @poige Good thought with that draft, but unfortunately, it never went anywhere, so there's no "official" way to say `this domain doesn't accept email`. – HopelessN00b Oct 05 '12 at 09:49
  • @HopelessN00b, yep. But as I already've said non-existent domain name would probably be the best fitted thing that "just works" (except for purists, of course [it would work for them too, but they won't admit it anyways ☺]). – poige Oct 05 '12 at 11:07