What are parked domains and how to protect them using SPF, DKIM, DMARC and Null MX records?

Learn more about parked domains that do not send any email and how to protect them using SPF, DKIM and DMARC

Written by Ivan Kovachev
Updated over a week ago

Understanding parked domains: What is a parked domain?

A parked domain is a registered domain name that remains dormant, unlinked to any online service such as a website or email hosting. Essentially, it's a domain name that has been acquired but is not presently in active use; rather, it is parked with the intention of being utilized in the future.

Parking and securing domains that are deceptively similar to your own is considered best practice so attackers cannot use them to pretend to be you. In terms of email, you ideally want to tell your receivers if emails coming from a domain that is similar to yours are legitimate or not.

In this article, we will assume that you have registered a domain that is not used to send emails.

In this case, you should protect not only your main domain, which is used to send emails, but also your parked domains, by telling receivers that no email should originate from them and that any email that does should be rejected.

Setting up SPF on your parked domain

In order to achieve this, all of your parked domains should have SPF records in DNS that have the following: TXT v=spf1 -all

This SPF record indicates that no email should originate from the domain. Any emails from this domain should be rejected.

The same should be done for subdomains as well. In case you have many subdomains you can use wildcards if your DNS allows:

* TXT v=spf1 -all

Setting up DMARC on your parked domain

Aside from SPF, you should also publish a DMARC record to indicate the policy for your parked domains but also for you to gain visibility if anyone is using those domains to send emails. You can do this by:

In the above case, an email from the parked domain should be rejected, and aggregate and forensic reports will be sent to an address on a different domain. This assumes that the parked domain does not also receive emails, hence the different domain for the reports.

If you have multiple parked domains you can use a CNAME record to point to a single domain with a DMARC reject policy such as:

Setting up DKIM on your parked domain

You can also publish a DKIM record that indicates that no email is signed for a parked domain. You can do this by leaving the “p=” tag in DKIM empty. This is the same as saying that the public key used has been revoked and it is also the same as an email not being signed by DKIM at all. For example: TXT v=DKIM1; p=

You can also use a wildcard to indicate to recipients that any DKIM selector is revoked for your domain, as shown below:

* TXT "v=DKIM1; p="

This record indicates that any DKIM key has expired for the domain.

Having a DKIM record is not necessary as the email will most likely be treated the same way as if it had no DKIM signature at all, but you can add it just in case as some receivers may actually treat it with more caution. 


Creating a null MX record for your parked domain

To indicate that your domain does not accept email, you should create a Null MX record instead of just having no MX record at all. If your domain does not have an MX record, email delivery will be attempted at the A record of your domain. That is why it is important to create a Null MX record if your domain has an A record.

Here is how to create a Null MX record. 

Create a DNS record of type MX, with a priority of 0 (highest priority) and a target containing a full stop "." as shown below.

Type: MX
Priority: 0
Target: .
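
The SPF, DMARC and Null MX checks described above can be run together over a domain's records. The following is an added example, not part of the original article or of OnDMARC: the domain names, the report mailbox and the zone data are constructed placeholders, and the DMARC record uses the standard p=reject and rua tags.

```python
# Added example: audit constructed DNS data for a parked domain.
# All names, addresses and mailboxes below are placeholders.

def tags(txt):
    """Parse a 'k=v; k=v' tag list (DMARC/DKIM syntax) into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def txt_at(zone, name):
    """TXT values at name, following one CNAME hop (shared DMARC record)."""
    name = zone.get((name, "CNAME"), [name])[0]
    return zone.get((name, "TXT"), [])

def audit_parked(domain, zone):
    """Return a list of findings; an empty list means all checks passed."""
    out = []
    spf = [t for t in txt_at(zone, domain) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        out.append(f"SPF: expected one v=spf1 record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        out.append(f"SPF: '{spf[0]}' is not a bare hard fail")
    dmarc = [tags(t) for t in txt_at(zone, "_dmarc." + domain)
             if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        out.append("DMARC: no record")
    else:
        if dmarc[0].get("p", "").lower() != "reject":
            out.append("DMARC: policy is not p=reject")
        if "rua" not in dmarc[0]:
            out.append("DMARC: no rua, so no aggregate reports")
    mx = zone.get((domain, "MX"), [])
    if mx != [(0, ".")]:
        fallback = not mx and (domain, "A") in zone
        out.append("MX: none, mail falls back to the A record" if fallback
                   else "MX: not a Null MX (0 .)")
    return out

# Constructed sample zone data: (name, type) -> values.
ZONE = {
    ("example.net", "TXT"): ["v=spf1 -all"],
    ("example.net", "MX"): [(0, ".")],
    ("_dmarc.example.net", "CNAME"): ["_dmarc.parked.example.com"],
    ("_dmarc.parked.example.com", "TXT"):
        ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    ("example.org", "TXT"): ["v=spf1 ~all"],
    ("example.org", "A"): ["192.0.2.10"],
}

if __name__ == "__main__":
    for d in ("example.net", "example.org"):
        print(d, audit_parked(d, ZONE) or "OK")
```

Here example.net passes every check, including the DMARC record reached through a CNAME, while example.org is flagged for a soft-fail SPF record, a missing DMARC record and mail falling back to its A record.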


NOTE: If you are using OnDMARC to protect your main domains, you will have to also add your parked / inactive domains to the tool so that you receive DMARC reports for them as well.
