Domains that don't send email are easy spoofing targets because they typically have no authentication records. Attackers use them to send phishing emails that appear legitimate. Protect non-sending domains by publishing a DMARC record at p=reject, an SPF record with no authorized senders (v=spf1 -all), and a null MX record. This takes five minutes and permanently blocks domain spoofing.
Why You Need DMARC Even If You Don't Send Email
Non-Sending Domains Are Spoofing Magnets
If your company owns example.com but also registered example.io, example.co, and exampleapp.com, those extra domains are sitting targets. Without DMARC, anyone can send email pretending to be [email protected] — and there's nothing to stop it.
Attackers know this. They specifically look for domains without authentication records because spoofing them requires zero effort.
The Three Records You Need
For every domain that doesn't send email, publish these DNS records:
SPF — declare no authorized senders:
Type: TXT
Host: @
Value: v=spf1 -all
DMARC — reject everything that fails:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]
Null MX — explicitly declare no mail service:
Type: MX
Host: @
Priority: 0
Value: .
The null MX (RFC 7505) tells other servers this domain intentionally doesn't handle email. Not all servers respect it yet, but it's an additional signal.
Practitioner note: I audit domains for agencies that own 10-20 domains. Without exception, at least half have zero authentication records. It takes 15 minutes to lock down all of them, and it permanently eliminates a spoofing vector.
Why p=reject Is Safe Here
Normally, advancing to p=reject requires careful monitoring. Not here. If the domain doesn't send email, there's no legitimate email to break. Go straight to p=reject — no monitoring period needed.
The only exception: if you're not 100% certain the domain doesn't send email. A forgotten marketing tool, an old ticketing system, a developer using it for test emails — these would break. When in doubt, start at p=none for two weeks and check.
Don't Forget Subdomains
Set sp=reject in your DMARC record. Without it, attackers can still spoof anything.yourdomain.com. The sp= tag applies your policy to all subdomains.
Practitioner note: One client had their brand reputation damaged because an attacker spoofed their .io domain — which they'd registered defensively and never configured. A TXT record that takes 30 seconds to publish would have prevented it entirely.
Automate It
If you manage dozens of domains, script the DNS record creation through your registrar's API or DNS provider's API. Cloudflare, Route 53, and most providers support it. One script, all domains protected.
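One way to verify a portfolio against the three records described above, before and after scripting the changes. This is an added example, not the author's code: the record strings are passed in directly, and the function names, domain names and report address are constructed for illustration.

```python
# Added example: audit the three lockdown records for non-sending domains.
# Records are passed in as strings so it runs offline; DNS fetching is not shown.

def parse_tags(record):
    """Split a DMARC record 'k=v; k=v' into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit(apex_txt, dmarc_txt, mx):
    """Return findings for one domain; an empty list means locked down.
    apex_txt / dmarc_txt: TXT strings at @ and _dmarc; mx: (priority, target)."""
    findings = []
    spf = [t for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: not exactly 'v=spf1 -all': {spf[0]!r}")

    dmarc = [t for t in dmarc_txt if t.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        for tag in ("p", "sp"):  # the page asks for both to be reject
            if tags.get(tag, "").lower() != "reject":
                findings.append(f"DMARC: {tag}={tags.get(tag, '<missing>')}, want reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports")

    if list(mx) != [(0, ".")]:
        findings.append(f"MX: expected a single null MX '0 .', found {list(mx)}")
    return findings

# Constructed sample portfolio (illustrative values, not real DNS data).
PORTFOLIO = {
    "example.io": (["v=spf1 -all"],
                   ["v=DMARC1; p=reject; sp=reject; rua=mailto:reports@example.com"],
                   [(0, ".")]),
    "example.co": (["v=spf1 include:_spf.example.net ~all"],
                   ["v=DMARC1; p=none"], [(10, "mail.example.co")]),
    "exampleapp.com": ([], [], []),
}

def audit_portfolio(portfolio):
    return {domain: audit(*records) for domain, records in portfolio.items()}

if __name__ == "__main__":
    for domain, findings in audit_portfolio(PORTFOLIO).items():
        print(domain, "OK" if not findings else findings)
```

Feed it the output of whatever resolver or provider API you already use; a domain is done when its findings list is empty.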
If you're managing multiple domains and want them all locked down properly, schedule an audit — I'll identify every unprotected domain in your portfolio.
Sources
- RFC 7505: A "Null MX" No Service Resource Record
- RFC 7489: DMARC Specification
- NCSC UK: Protecting Parked Domains
- Cisco Talos: Domain Spoofing Research
v1.0 · April 2026
Frequently Asked Questions
Do parked domains need DMARC?
Yes. Parked domains with no DMARC record can be spoofed freely. Attackers specifically target parked and non-sending domains because they're less likely to be monitored. Publish v=DMARC1; p=reject to block spoofing.
What DNS records should a non-sending domain have?
Three records: SPF (v=spf1 -all), DMARC (v=DMARC1; p=reject; rua=mailto:[email protected]), and optionally a null MX record (0 .) to explicitly declare the domain doesn't accept or send email.
Can I set DMARC to p=reject immediately on a non-sending domain?
Yes. Unlike sending domains, non-sending domains can skip p=none and p=quarantine entirely. Since no legitimate email should ever come from a non-sending domain, go straight to p=reject.
Do I need DKIM for a non-sending domain?
No. DKIM signs outbound messages, and a non-sending domain has none. SPF with -all and DMARC at p=reject are sufficient. Any email claiming DKIM from this domain is already fraudulent.
How often should I check DMARC reports for non-sending domains?
Review monthly. DMARC aggregate reports will show any spoofing attempts against your non-sending domains. If you see volume, it confirms the protection is working — those messages are being rejected by receiving servers.