Quick Answer

Non-sending domains are prime spoofing targets because they typically have no authentication records. Attackers send phishing email from your parked domain, and without DMARC, receivers have no way to reject it. Set up a null SPF record (v=spf1 -all), an empty DKIM record, and DMARC at p=reject for every domain you own that doesn't send email.

Why You Need DMARC Even If You Don't Send Email

By Braedon · Mailflow Authority · Email Authentication

The Spoofing Risk

If you own yourbrand.com and also registered yourbrand.net, yourbrand.co, and your-brand.com as defensive registrations, each one is a potential phishing vector.

Without authentication records, an attacker can send email as [email protected] and receivers have no basis to reject it. There's no SPF record to check, no DKIM key to verify, no DMARC policy to enforce.

This isn't theoretical. Spoofers actively scan for domains without DMARC records.

The Three Records You Need

For every domain that doesn't send email, add these DNS records:

1. Null SPF Record

Type: TXT
Host: @
Value: v=spf1 -all

This says "no server is authorized to send email for this domain." The -all term (the all mechanism with the - "fail" qualifier, commonly called hardfail) explicitly denies all senders.

2. DMARC at p=reject

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=reject; rua=mailto:[email protected]

This tells receivers to reject any email claiming to be from this domain. Since no email should come from it, everything is unauthorized.

Include an rua= address so you can monitor for spoofing attempts.

3. Null MX Record (Optional but Recommended)

Type: MX
Host: @
Priority: 0
Value: .

RFC 7505 defines the null MX record. It tells other servers "this domain does not accept email." This stops inbound email delivery as well, where the SPF and DMARC records only address outbound spoofing.

Practitioner note: I set up null authentication for every domain a client owns during our initial engagement. Most businesses have 5-15 registered domains — their main brand, variations, old names, campaign domains. Each one without DMARC is an open door for phishing.

No Need for Gradual Rollout

For non-sending domains, skip the usual p=none to p=reject timeline. Since no legitimate email originates from these domains, there's nothing to break. Go straight to:

v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]

The sp=reject covers all subdomains too.

What About Subdomains?

If your main domain has DMARC with sp=reject, subdomains are covered. But if your main domain uses sp=none, or doesn't specify sp= (in which case subdomains fall back to the p= value), each subdomain needs its own DMARC record or inherits the weaker policy.

For non-sending domains, set both p=reject and sp=reject to lock everything down.

Practitioner note: I once audited a company that had DMARC on their main domain but forgot about a staging subdomain. Attackers were sending phishing email from staging.theircompany.com — a domain that was perfectly valid-looking to recipients but had zero authentication.

Inventory Your Domains

Check all domains you own:

  1. Active sending domain — full authentication stack (SPF + DKIM + DMARC with gradual rollout)
  2. Non-sending domains — null SPF + DMARC p=reject
  3. Parked/defensive domains — null SPF + DMARC p=reject + null MX
  4. Expired or abandoned domains — renew them or risk spoofing
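
One way to check an inventory against these record sets, as an added example (not the author's tooling): it audits DNS answers you have already looked up. The input layout, function names and sample domains are assumptions constructed for illustration.

```python
# Added example: audit DNS answers that were already fetched for a non-sending domain.
# The dict layout ("txt", "dmarc", "mx") and all sample values are constructed.

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit_non_sending(records, want_null_mx=False):
    """Return a list of findings; an empty list means the records match the article."""
    findings = []
    spf = [t for t in records.get("txt", []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF is not the null record: {spf[0]!r}")

    dmarc = [parse_tags(t) for t in records.get("dmarc", [])]
    dmarc = [tags for tags in dmarc if tags.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
    else:
        policy = dmarc[0].get("p", "").lower()
        # When sp= is absent, subdomains fall back to the p= value.
        sub_policy = dmarc[0].get("sp", policy).lower()
        if policy != "reject":
            findings.append(f"DMARC p={policy or 'missing'}, expected reject")
        if sub_policy != "reject":
            findings.append(f"subdomain policy is {sub_policy or 'missing'}, expected reject")
        if "rua" not in dmarc[0]:
            findings.append("no rua= address, spoofing attempts go unreported")

    # RFC 7505 null MX: a single MX with preference 0 and target "."
    if want_null_mx and records.get("mx", []) != [(0, ".")]:
        findings.append("MX is not the null MX (0 .)")
    return findings

SAMPLES = {  # constructed inventory, not real domains
    "parked.example": {"txt": ["v=spf1 -all"], "mx": [(0, ".")],
        "dmarc": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@reports.example"]},
    "forgotten.example": {"txt": ["site-verification=constructed"], "dmarc": [], "mx": []},
    "weak.example": {"txt": ["v=spf1 ~all"], "dmarc": ["v=DMARC1; p=reject; sp=none"], "mx": []},
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        problems = audit_non_sending(records, want_null_mx=domain.startswith("parked"))
        print(domain, "OK" if not problems else problems)
```

Feed it the TXT answers for the domain apex, the TXT answers for _dmarc, and the MX answers as (preference, target) pairs from whatever resolver you use.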

If you have multiple domains that need protection and want them all configured correctly, I can handle the full setup.

v1.0 · April 2026

Frequently Asked Questions

Do I need DMARC for a domain that doesn't send email?

Yes. Without DMARC, anyone can send email pretending to be from your domain. A p=reject policy tells receivers to block all unauthorized email.

What records do I need for a non-sending domain?

Three records: SPF (v=spf1 -all), DMARC (v=DMARC1; p=reject), and optionally a null MX record (0 .). This blocks both outbound spoofing and inbound email.

Can someone spoof a domain that doesn't send email?

Absolutely. Spoofers prefer domains with no authentication records because there's no policy to block their messages.

Should I set p=reject directly for non-sending domains?

Yes. Since no legitimate email should come from this domain, there's no risk of blocking real mail. Go straight to p=reject.

What about parked domains?

Same rules apply. Parked domains, defensive registrations, old domains — any domain you own should have DMARC at p=reject if it doesn't send email.
