If you have a domain that you do not use for sending emails, you can prevent others from misusing it by setting three specific DNS records. These records will effectively block any unauthorized email activity, protecting your domain from abuse.

subdomain       type   content
_dmarc          TXT    v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s
*._domainkey    TXT    v=DKIM1; p=
@               TXT    v=spf1 -all

DMARC Record Explained

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The DMARC record is published in the DNS records and specifies how mail receivers should handle emails that don’t pass DMARC checks. The record here specifies:

  • v=DMARC1: This indicates the version of DMARC being used.
  • p=reject: This policy tells the receiving email servers to reject emails that fail DMARC authentication.
  • sp=reject: This is the policy for subdomains, also set to reject.
  • adkim=s: This specifies how strictly DKIM (DomainKeys Identified Mail) alignment is checked. s means strict alignment.
  • aspf=s: This specifies how strictly SPF (Sender Policy Framework) alignment is checked, with s also indicating strict alignment.

DKIM Record (*._domainkey)

DKIM provides a way to validate a domain name identity that is associated with a message through cryptographic authentication. The record here defines a DKIM record for the domain whose p= tag carries no public key. Normally this field contains a public key that corresponds to the private key used by the sending server to sign emails. The *._domainkey name is a wildcard DKIM record that answers for every selector under the domain, and without an actual key it cannot validate any signature. RFC 6376 (section 3.6.1) defines an empty p= tag as a revoked key, which is exactly the intended effect for a domain that sends no mail: whatever selector a forged message references, the lookup resolves to a revoked key and the signature fails verification.

SPF Record (@)

The SPF record helps to prevent spammers from sending messages with forged From addresses at your domain. The @ symbol represents the root domain itself. The record specifies:

  • v=spf1: This indicates the version of SPF being used.
  • -all: This mechanism is a hard fail: no servers are authorized to send email on behalf of the domain, so any message claiming to come from it fails SPF. The record applies only to the root domain; subdomains that should be locked down the same way need their own SPF records.
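The following is an added example, not code from the original page: a small check that parses the three TXT records from the table above and reports any tag that is weaker than the lockdown values. The TXT answers are constructed samples (with the placeholder domain example.test) standing in for what a resolver would return; to use it against a real zone, fill the answers dictionary from your resolver's TXT queries for the same three names.

```python
"""Check that a domain that sends no mail publishes the three lockdown records.

Added example, not code from the original page. The TXT answers below are
constructed samples for the placeholder domain example.test.
"""

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC/DKIM record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_lockdown(domain, answers):
    """Return findings; an empty list means locked down. answers: name -> TXT strings."""
    findings = []
    # DMARC: each tag from the table must carry the strict value (RFC 7489 defaults below).
    dmarc = parse_tags(next(iter(answers.get(f"_dmarc.{domain}", [])), ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC record missing")
    else:
        defaults = {"sp": dmarc.get("p"), "adkim": "r", "aspf": "r"}
        for tag, want in (("p", "reject"), ("sp", "reject"), ("adkim", "s"), ("aspf", "s")):
            if dmarc.get(tag, defaults.get(tag)) != want:
                findings.append(f"DMARC {tag} should be {want}")
    # DKIM: the wildcard must exist with an empty p= tag, which RFC 6376 section 3.6.1
    # defines as a revoked key, so no selector under the domain can verify a signature.
    dkim = parse_tags(next(iter(answers.get(f"*._domainkey.{domain}", [])), ""))
    if dkim.get("v") != "DKIM1":
        findings.append("DKIM wildcard record missing")
    elif dkim.get("p"):
        findings.append("DKIM wildcard publishes a usable key instead of an empty p=")
    # SPF: exactly one v=spf1 record whose only term is the hard fail -all.
    spf = [r for r in answers.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("expected exactly one SPF record")
    elif spf[0].split()[1:] != ["-all"]:
        findings.append("SPF should be exactly 'v=spf1 -all'")
    return findings


# Constructed samples: the table's records, and a weakened variant for contrast.
LOCKED = {"_dmarc.example.test": ["v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"],
          "*._domainkey.example.test": ["v=DKIM1; p="], "example.test": ["v=spf1 -all"]}
WEAK = {"_dmarc.example.test": ["v=DMARC1; p=none"], "example.test": ["v=spf1 ~all"],
        "*._domainkey.example.test": ["v=DKIM1; p=PLACEHOLDERKEYDATA"]}
```

check_lockdown("example.test", LOCKED) returns an empty list, while the WEAK answers produce one finding per relaxed tag (p=none, the implied sp, relaxed alignment, a live DKIM key and the ~all soft fail).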