
I have a bunch of domains, let's say:

  • example.org
  • example.com
  • example.net
  • example.be

My mail server is running on mail.example.net. I only use the domain example.com to send and receive emails. All the other domains are only used to receive emails, which are anyway redirected to the example.com domain. example.com has SPF, DKIM and DMARC working properly.

In order to know if I'm being impersonated from the other domains (information given by the ruf DMARC report), I was wondering if I needed to configure DKIM besides DMARC on the .be, .org and .net as well?

If I'm not wrong and from my understanding, I think I should only configure DKIM and DMARC on the domains used only for redirection. I don't think SPF is mandatory on the domains not used to send emails.

Please give me your recommendations.

This question may be somewhat tied to this one.

wget

1 Answer


If you do not protect a domain with SPF and DMARC, other users on the Internet can use that domain for sending spam or phishing. This is true even if you do not send or receive email on that domain.

Even in the case where you only receive email on that domain, it is also recommended to set SPF and DMARC for the same reason.

Marco
Tom Baires
  • This is where the SPF record of "v=spf1 -all" and DMARC of "v=DMARC1; p=reject" come in. I default that as the 1st records setup (after NS, obviously) on all my domains to reduce their availability to spammers. Great practice to be in (as well as CAA records to help limit SSL certificate issuance to the CA you use) – Ruscal Jan 04 '18 at 22:50
  • Please reference the guidance from M3AAWG Best Practices document regarding 'parked' domains (https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf). The guidance for a 'parked' domain can be used to protect any domain which is not intended to send email (regardless whether it can receive email). – jnaab Oct 26 '18 at 16:23
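
An added example, not part of the answer or comments above: a small offline audit that checks whether a non-sending domain carries the "v=spf1 -all" and "p=reject" records mentioned in the comments, and whether DMARC reports addressed to another domain (here example.com) are authorised by the `_report._dmarc` record that RFC 7489 section 7.1 requires. The TXT data, the dmarc@example.com mailbox and the function names are constructed for illustration.

```python
# Constructed sample TXT data (not real DNS answers): name -> list of TXT strings.
SAMPLE_TXT = {
    "example.org": ["v=spf1 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; ruf=mailto:dmarc@example.com"],
    "example.org._report._dmarc.example.com": ["v=DMARC1"],
    "example.net": ["v=spf1 mx ~all"],
    "_dmarc.example.net": ["v=DMARC1; p=none"],
    "example.be": [],
}

def parse_tags(record):
    """Split a DMARC record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_non_sending_domain(domain, txt):
    """Return a list of findings; an empty list means the domain is locked down."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF authorises senders or is not a hard fail: {spf[0]!r}")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
        return findings
    tags = parse_tags(dmarc[0])
    if tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC policy is {tags.get('p')!r}, not 'reject'")
    # Reports sent to another domain need that domain's consent (RFC 7489, 7.1).
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            dest = uri.strip().split("@")[-1].split("!")[0].lower()
            auth = txt.get(f"{domain}._report._dmarc.{dest}", [])
            # Simplification: exact-name comparison instead of organizational domains.
            if dest != domain and not any(r.startswith("v=DMARC1") for r in auth):
                findings.append(f"{tag} target {dest} has no {domain}._report._dmarc record")
    return findings

if __name__ == "__main__":
    for name in ("example.org", "example.net", "example.be"):
        print(name, audit_non_sending_domain(name, SAMPLE_TXT) or "OK")
```

To run it against live data, fill the dictionary from the TXT answers of your own resolver instead of the constructed sample.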