Parked domains are registered domains that may or may not host a website and may or may not be used to send emails. Registering domains that are deceptively similar to your own and securing them is considered best practice, as attackers often use such domains to impersonate you when targeting users, which in turn damages your reputation. For email, you ideally want to tell receivers whether emails coming from a domain similar to yours are legitimate or not.

In this article we will assume that you have registered a domain which is not used to send emails.

In this case you should not only protect your main domain, which is used to send emails, but also protect your parked domains by telling receivers that no emails should originate from them and that any that do should be rejected.


In order to achieve this, all of your parked domains should have SPF records in DNS that have the following: TXT v=spf1 -all

This SPF record indicates that no email should originate from the parked domain. Any emails from this domain should be rejected.

The same should be done for subdomains as well. In case you have many subdomains you can use wildcards if your DNS allows:

* TXT v=spf1 -all


Aside from SPF, you should also publish a DMARC record, both to indicate the policy for your parked domains and to gain visibility into whether anyone is using those domains to send emails. You can do this with: TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]"

In the above case an email from the parked domain should be rejected, and aggregate and forensic reports will be sent to the addresses given in the rua and ruf tags. This assumes that the parked domain does not also receive emails, hence the different domain for the reports.

If you have multiple parked domains you can use a CNAME record to point to a single domain with a DMARC reject policy, such as: CNAME TXT v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]


You can also publish a DKIM record which indicates that no email is signed for a parked domain. You can do this by leaving the “p=” tag in DKIM empty. This is the same as saying that the public key used has been revoked, and it is also the same as an email not being signed by DKIM at all. For example: TXT v=DKIM1; p=

Having a DKIM record is not necessary, as the email will most likely be treated the same as if it had no DKIM signature at all, but you can add it just in case, as some receivers may actually treat it with more caution.

To see how to use wildcards to protect your domains with DKIM, please see the attached PDF document. 


To indicate that your domain does not accept email you should create a Null MX record, instead of just having no MX record at all. If your domain does not have an MX record, email delivery will be attempted at the A record of your domain. That is why, if your domain has an A record, it is important to create a Null MX record.

Here is how to create a Null MX record. 

Create a DNS record of type MX, with a priority of 0 (highest priority) and a host name of ".", as shown below. MX “0 .”
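
The checks described in this article, as an added example (not part of the original article and not OnDMARC code): a Python function that audits a parked domain's records for SPF "-all", DMARC "p=reject" with a rua tag, an empty DKIM "p=" tag and a Null MX. The domain parked.example, the selector sel1, the report address and both sample zones are constructed, and records are passed in as a dict so the check runs offline.

```python
# Added example: offline audit of a parked domain's mail-related DNS records.
# parked.example, selector "sel1" and the report address are constructed placeholders.

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value (DMARC or DKIM) into a dict."""
    pairs = (p.split("=", 1) for p in txt.strip('"').split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_parked(domain, records):
    """records maps (name, type) -> list of values; returns a list of findings."""
    findings = []
    txt = [v.strip('"') for v in records.get((domain, "TXT"), [])]
    spf = [v for v in txt if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: '{spf[0]}' is not 'v=spf1 -all'")

    dmarc = [parse_tags(v) for v in records.get((f"_dmarc.{domain}", "TXT"), [])]
    dmarc = [t for t in dmarc if t.get("v", "").upper() == "DMARC1"]
    if not dmarc:
        findings.append("DMARC: no record published")
    else:
        if dmarc[0].get("p", "").lower() != "reject":
            findings.append("DMARC: policy is not p=reject")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua tag, so no aggregate reports")

    # Null MX (RFC 7505): a single MX with preference 0 and target "."
    if [v.split() for v in records.get((domain, "MX"), [])] != [["0", "."]]:
        findings.append("MX: Null MX ('0 .') is not the only MX record")
    # Any DKIM selector under the domain must have an empty p= tag.
    for (name, rtype), values in records.items():
        if rtype == "TXT" and name.endswith(f"._domainkey.{domain}"):
            if any(parse_tags(v).get("p") for v in values):
                findings.append(f"DKIM: {name} still publishes a public key")
    return findings

GOOD = {  # constructed zone following the records described above
    ("parked.example", "TXT"): ["v=spf1 -all"],
    ("_dmarc.parked.example", "TXT"): ["v=DMARC1; p=reject; rua=mailto:reports@reporting.example"],
    ("sel1._domainkey.parked.example", "TXT"): ["v=DKIM1; p="],
    ("parked.example", "MX"): ["0 ."],
}
BAD = {  # constructed zone: soft-fail SPF, monitoring-only DMARC, no MX
    ("parked.example", "TXT"): ["v=spf1 ~all"],
    ("_dmarc.parked.example", "TXT"): ["v=DMARC1; p=none"],
}
print("\n".join(audit_parked("parked.example", BAD)))
```

To audit live data, build the same dict from your DNS provider's zone export or from resolver lookups and pass it to audit_parked.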

NOTE: If you are using OnDMARC for your main domains, you will have to also add your parked domains to the tool so that you receive reporting for them as well. 
