Parked domains are registered domains that may or may not host a website and may or may not be used to send emails. Registering a deceptively similar domain to your own and securing it is considered best practice as attackers often use them to pretend to be you when targeting users and in turn damage your reputation. In terms of email you would ideally want to tell your receivers if emails coming from a domain that is similar to yours are legitimate or not.
In this article we will assume that you have registered a domain which is not used to send emails.
In this case you should not only protect your main domain which is used to send emails but you should also protect your parked domains by telling receivers that no emails should be originating from them and if any do originate to reject them.
SPF
In order to achieve this, all of your parked domains should have SPF records in DNS that have the following:
parked-domain.com TXT v=spf1 -all
This SPF record indicates that no email should originate from parked-domain.com. Any emails from this domain should be rejected.
The same should be done for subdomains as well. In case you have many subdomains you can use wildcards if your DNS allows:
*.parked-domain.com TXT v=spf1 -all
DMARC
Aside from SPF you should also publish a DMARC record to indicate the policy for your parked domains but also for you to gain visibility if anyone is using those domains to send emails. You can do this by:
_dmarc.parked-domain.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]
In the above case an email from parked-domain.com should be rejected and aggregate and forensic reports will be sent to ondmarc.com. This assumes that the parked domain does not also receive emails and hence the different domain for the reports.
If you have multiple parked domains you can use a CNAME record to point to a single domain with a DMARC reject policy such as:
_dmarc.parked.example.net TXT v=DMARC1; p=reject; rua=mailto:[email protected]
DKIM
You can also publish a DKIM record which indicates that no email is signed for a parked domain. You can do this by leaving the “p=” tag in DKIM empty. This is the same as saying that the public key used has been revoked and it is also the same as an email not being signed by DKIM at all. For example:
selector1._domainkey.parked-domain.com TXT v=DKIM1; p=
You can also use a wildcard to indicate to recipients that any DKIM selector is revoked for your domain, as shown below:
*._domainkey.parked-domain.com TXT “v=DKIM1; p=”.
This record indicates that any DKIM key has expired for the domain “parked-domain.com.”
Having a DKIM record is not necessary as the email will most likely be treated the same way as if it had no DKIM signature at all, but you can add it just in case as some receivers may actually treat it with more caution.
To see how to use wildcards to protect your subdomains with DKIM, please click on the "Protecting Parked Domains" button in the next section.
MX
To indicate that your domain does no accept email you should create a Null MX record, instead of just having no MX record at all. If your domain does not have an MX record, email delivery will be attempted at the A record of your domain. That is why it is important that if your domain has an A record, to create a Null MX record.
Here is how to create a Null MX record.
Create a DNS record of type MX, with a priority of 0 (highest priority) and a target containing a full stop "." as shown below.
Type: MX
Priority: 0
Target: .
For more information please click on the button below.
NOTE: If you are using OnDMARC to protect your main domains, you will have to also add your parked / inactive domains to the tool so that you receive DMARC reports for them as well.
To sign up to a free 14 days trial, please click on the button below.