How do I set up DMARC for a parked domain that never sends email?
For a domain that never sends email the guidance from every authoritative source is the same: publish a DMARC policy of p=reject with strict alignment, an SPF record that authorises nobody, and either no DKIM record or an explicit revocation record. Add a NULL MX record to declare that the domain does not accept mail either. Together these give a forger no way to pass SPF, DKIM or DMARC as your domain, and leave no host that will accept mail addressed to it.
The minimum DNS to publish on a non-sending domain is:
```dns
example.com.         IN MX  0 .
example.com.         IN TXT "v=spf1 -all"
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@your-monitor.example;"
```
The `0 .` in the MX is a NULL MX as defined in RFC 7505 §3: preference 0 and an exchange that is a single zero-length label, written as a bare `.`. A sending MTA that looks it up must not attempt delivery and reports the failure to its own client with SMTP reply 556 and enhanced status 5.1.10; a receiving server may additionally refuse a MAIL FROM whose domain has a NULL MX with 550 and enhanced status 5.7.27 (both in RFC 7505 §4). The SPF record uses -all (Fail), defined in RFC 7208 §8.4 as “an explicit statement that the client is not authorised to use the domain in the given identity” (this is what most operators call “hard fail”). One detail of the DMARC record that is easy to miss: the rua address above lives at a different domain (your-monitor.example), so that domain must publish `example.com._report._dmarc.your-monitor.example. IN TXT "v=DMARC1"` or report generators will refuse to send reports there (RFC 7489 §7.1).
A practical caveat: a few DNS providers historically rejected a bare dot as the MX target. If your DNS UI refuses it, enter the exchange as the literal single character `.` with priority 0 (some UIs only accept it in that exact form), or contact support. Do not work around it by pointing the MX at a real hostname, since that reintroduces an inbound SMTP path. Cloudflare, Route 53, Azure DNS, Google Cloud DNS and most managed DNS services accept it today.
How do I redirect a parked domain to reject all mail?
You do not redirect a parked domain to a separate “reject mailbox”. You publish DNS records that tell the rest of the internet not to send mail there in the first place, and to treat any message claiming to be from there as forged. The four records below cover every authentication path attackers typically abuse.
| Record | Value | What it does |
|---|---|---|
| MX | 0 . | NULL MX (RFC 7505). Receiving servers reject inbound mail with SMTP 556 / 5.1.10. |
| TXT | v=spf1 -all | SPF Fail (RFC 7208). No host is authorised to send as the domain. |
| TXT (_dmarc) | v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:... | DMARC reject with strict alignment for both DKIM and SPF (RFC 7489). Receivers reject anything failing alignment, which on a non-sending domain is everything. |
| DKIM (optional) | *._domainkey TXT "v=DKIM1; p=" | Wildcard revocation: per RFC 6376 §3.6.1 an empty p= means the key has been revoked. Defence in depth: the M3AAWG BCP's primary recommendation is to publish no DKIM record at all on a parked domain. |
If you also want to document the inbound TLS posture, an MTA-STS policy in mode: enforce that lists no MX hosts is an optional belt-and-braces extra. Treat it as documentation rather than a control: a sender that honours the NULL MX never opens an SMTP connection to the domain, so there is nothing for MTA-STS to enforce, and it is the NULL MX, SPF and DMARC records above that actually block delivery and spoofing.
Why p=reject and not p=none for a non-sending domain?
For an active sending domain we tell people to start at p=none and only move to p=reject once aggregate reports show that legitimate mail aligns. On a non-sending domain that's the wrong advice. There is no legitimate mail flow to break, so there is no reason to monitor first. Going straight to p=reject is the correct default, and it is what NCSC and M3AAWG both recommend for parked domains.
See the quarantine vs reject guide for the same decision applied to active domains.
Why include sp=reject if I already set p=reject?
RFC 7489 §6.3 says that if sp= is absent, receivers MUST apply p= to subdomains. So technically p=reject alone covers subdomains too. We recommend setting sp=reject anyway because it's explicit, it survives anyone copying the record into a tool that splits the tags, and it documents intent for the next admin who reads the record. That's also how ShieldMarc's DMARC Checker scores it: a record with sp= weaker than p= is flagged as a separate control failure.
Should I publish a DKIM record on a parked domain?
The M3AAWG Parked Domains BCP (June 2022) recommends publishing no DKIM record at all on a non-sending domain. With no DKIM key in DNS, any signature claiming to be from your domain will fail verification automatically because the verifier cannot retrieve a public key. That is the simplest and lowest-maintenance option.
Some operators add a wildcard DKIM revocation record at *._domainkey.example.com with value v=DKIM1; p= for defence in depth. RFC 6376 §3.6.1 states that an empty p= value means the key has been revoked, so any selector an attacker tries to assert resolves to an explicit revocation. This is a community technique, not a M3AAWG mandate.
Do I need MX records at all for a parked domain?
Yes, but only one: the NULL MX. If you publish no MX records at all, a sending MTA falls back to an implicit MX pointing at the domain's own A or AAAA record (RFC 5321 §5.1), so anyone hosting a website on the parked domain could end up with surprise inbound SMTP arriving at the web server. The NULL MX short-circuits that fallback and gives senders an unambiguous, machine-readable refusal.
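The checks this page describes can be scripted: the NULL MX and the no-MX fallback above, the SPF -all and DMARC tags from the record table earlier, the sp-weaker-than-p case, and the DKIM absent-or-revoked rule. The following is an added example written for this page; it is not ShieldMarc's Security Grade scanner and not code from the NCSC or M3AAWG guidance. It audits resolver answers supplied as plain Python data so it runs offline, and it also scores a deliberately weak zone so you can see what each failure looks like. The dictionary layout, the `Finding` type, the two constructed sample zones (not real domains) and the suffix comparison used to decide whether a rua address is external are all this example's own assumptions.

```python
"""Offline audit of a parked (non-sending) domain's DNS posture. Added example for this
page, not ShieldMarc's scanner nor code from the NCSC/M3AAWG guidance; answers are plain data."""
from dataclasses import dataclass

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}   # DMARC p=/sp= strength

@dataclass(frozen=True)
class Finding:
    control: str   # which record or tag the finding is about
    ok: bool       # True = meets the parked-domain recommendation
    detail: str

def parse_tags(record: str) -> dict:
    """Parse a DMARC/DKIM tag list ('v=DMARC1; p=reject; ...') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def check_null_mx(mx: list) -> Finding:
    """RFC 7505: exactly one (preference, exchange) MX, preference 0, exchange '.'."""
    if not mx:
        return Finding("MX", False, "no MX: senders fall back to the apex A/AAAA (RFC 5321 s5.1)")
    if mx == [(0, ".")]:
        return Finding("MX", True, "NULL MX published")
    return Finding("MX", False, f"real MX targets present: {mx}")

def check_spf(txt: list) -> Finding:
    """RFC 7208: exactly one v=spf1 record whose only term is -all (Fail)."""
    spf = [t for t in txt if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return Finding("SPF", False, f"expected exactly one v=spf1 record, found {len(spf)}")
    if spf[0].split()[1:] == ["-all"]:
        return Finding("SPF", True, "v=spf1 -all: no host authorised")
    return Finding("SPF", False, f"SPF authorises or only soft-fails senders: {spf[0]!r}")

def check_dmarc(domain: str, txt: list) -> list:
    """RFC 7489: one record, p=reject, sp=reject, strict alignment, rua present."""
    recs = [t for t in txt if t.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return [Finding("DMARC", False, f"expected exactly one v=DMARC1 record, found {len(recs)}")]
    tags = parse_tags(recs[0])
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()             # s6.3: an absent sp inherits p
    weaker = " (weaker than p)" if POLICY_RANK.get(sp, -1) < POLICY_RANK.get(p, 0) else ""
    out = [Finding("DMARC p", p == "reject", f"p={p or 'missing'}"),
           Finding("DMARC sp", sp == "reject", f"sp={sp}{weaker}")]
    for tag in ("adkim", "aspf"):
        mode = tags.get(tag, "r").lower()      # relaxed is the RFC default when the tag is absent
        out.append(Finding(f"DMARC {tag}", mode == "s", f"{tag}={mode}"))
    rua = tags.get("rua", "")
    out.append(Finding("DMARC rua", bool(rua), "rua present" if rua else "no rua: abuse reports go nowhere"))
    for uri in rua.split(","):
        addr = uri.strip().replace("mailto:", "", 1)
        if "@" in addr:
            report_domain = addr.rsplit("@", 1)[1].lower()
            # s7.1 consent record for external report addresses; suffix test simplifies the Org Domain rule
            if not report_domain.endswith(domain.lower()):
                out.append(Finding("DMARC rua", True, f"external rua: publish {domain}._report._dmarc.{report_domain} TXT \"v=DMARC1\""))
    return out

def check_dkim(wildcard_txt: list) -> Finding:
    """M3AAWG BCP: best is no DKIM record; an empty p= is a revocation (RFC 6376 s3.6.1)."""
    if not wildcard_txt:
        return Finding("DKIM", True, "no DKIM record: no selector can verify")
    if all(parse_tags(r).get("p") == "" for r in wildcard_txt):   # absent or non-empty p= is not a revocation
        return Finding("DKIM", True, "wildcard revocation record (p=) present")
    return Finding("DKIM", False, f"DKIM key published on a non-sending domain: {wildcard_txt}")

def audit(domain: str, answers: dict) -> list:
    """Run every check; `answers` maps record name -> RDATA list as a resolver returned it."""
    findings = [check_null_mx(answers.get("MX", [])), check_spf(answers.get("TXT", []))]
    findings += check_dmarc(domain, answers.get("_dmarc TXT", []))
    findings.append(check_dkim(answers.get("*._domainkey TXT", [])))
    return findings

def failures(domain: str, answers: dict) -> list:
    return [f.control for f in audit(domain, answers) if not f.ok]

# Constructed sample answers (not real zones): the recommended set and a typical weak set.
PARKED_OK = {
    "MX": [(0, ".")],
    "TXT": ["v=spf1 -all"],
    "_dmarc TXT": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@your-monitor.example;"],
    "*._domainkey TXT": ["v=DKIM1; p="],
}
PARKED_WEAK = {
    "MX": [],                                       # no MX: implicit MX to the apex A/AAAA
    "TXT": ["v=spf1 ~all"],                         # SoftFail instead of Fail
    "_dmarc TXT": ["v=DMARC1; p=reject; sp=none"],  # sp weaker than p, relaxed alignment, no rua
    "*._domainkey TXT": [],
}

if __name__ == "__main__":
    for f in audit("example.com", PARKED_WEAK):
        print(f"[{'ok' if f.ok else 'FAIL'}] {f.control}: {f.detail}")
```

To run it against a live domain, fill the dictionary from dnspython answers or `dig +short` output, keeping MX entries as (preference, exchange) tuples. The external-report finding is advisory: it compares domain suffixes, whereas RFC 7489 §7.1 is defined in terms of the Organizational Domain, so a report address on a sibling subdomain of the same organisation would be flagged even though no consent record is needed.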
Where else can I read the official guidance?
Authoritative pages worth bookmarking:
- NCSC: Protecting parked domains for the UK public sector
- GOV.UK: Protect domains that don't send email
- M3AAWG: Protecting Parked Domains, Best Common Practices (June 2022)
- Microsoft Learn: DMARC for Microsoft Online Email Routing Address (MOERA) and parked domains
- Google Workspace Admin Help: Set up DMARC (the canonical adkim=s; aspf=s guidance also applies to non-senders)
Verify your parked-domain setup in one click
Run a free Security Grade against the parked domain. The scan reports the NULL MX, SPF -all, DMARC p= / sp= alignment, DKIM key publication state and any DNSSEC or CAA gaps, and tells you exactly which record is missing or weaker than recommended. No account required.
For continuous monitoring across many parked domains at once, ShieldMarc's MSP plan groups TLD variants of one brand into a single domain slot, so a brand with .com, .co.uk and .org parked variants doesn't triple your bill.