Domain without email

For domains that never send email, publish three DNS records to prevent abuse: SPF with "-all", a wildcard DKIM at *._domainkey with an empty key, and a DMARC policy that enforces rejection.

Why protect a domain that doesn't send email

A domain without email is not safe by default. Without authentication records, anyone can send fraudulent messages on your behalf.

An unprotected domain is a weapon for attackers

A domain without SPF, DKIM, and DMARC has no defense against spoofing. An attacker can send email "from your domain" and recipients have no way to tell it's forged. Three DNS records are all it takes to prevent this.

Damaged reputation affects your entire project

When someone abuses your domain, it damages your sender reputation. The domain can end up on blacklists — affecting not just email deliverability but also website trustworthiness, SEO rankings, and brand perception.

Three records in 5 minutes

The solution is simple: publish v=spf1 -all, a DKIM wildcard with an empty key, and DMARC p=reject. No complex configuration, no ongoing adjustments. Enter your domain in the generator above to get tailored records.


Which domains need this

The following domain types are most frequently overlooked — and therefore most frequently abused.

Parked domains

Domains registered for future use, defensive registrations, or expired projects. Without DNS records, they are completely unprotected.

Redirected domains

Domains with HTTP redirects to a main website. Redirects handle only web traffic — email authentication must be configured separately.

Microsites & marketing domains

Domains for campaigns, landing pages, or product sites where the website is active but no emails are sent. Attackers can exploit brand trust.

Non-mail subdomains

Subdomains like cdn.company.com or static.company.com. Without their own DMARC, they inherit from the parent domain — but only if sp= is configured.


How an unprotected domain can be abused

Attacking an unprotected domain is surprisingly simple. The attacker doesn't need access to your server or DNS — they just need your domain to lack authentication records.

  1. Attacker finds a domain without protection. A quick DNS check reveals missing SPF and DMARC records — visible to anyone.
  2. Forges email from your domain. Sets the "From" header to invoice@your-domain.com and sends a phishing email to your customers, partners, or employees.
  3. Recipient sees no warning. Without a DMARC policy, the receiving server has no instruction to reject the email. The message lands in the inbox and looks legitimate.
  4. The damage is done. The victim clicks a link, enters credentials, or pays a fake invoice. Your domain ends up on blacklists and you deal with the consequences.

Tip: Check the current state of your domain with a complete analysis — it checks SPF, DKIM, and DMARC in one place. Learn more about these attacks in Spoofing and phishing.

Impact on domain reputation and your project

Domain abuse for spam or phishing has far-reaching consequences that extend well beyond email.

Email deliverability

If your domain lands on blacklists (Spamhaus, SURBL, DNSBL), even legitimate emails will have delivery problems — including when you start using the domain in the future. Cleaning up reputation takes weeks to months.

SEO & website visibility

Google Safe Browsing can flag a domain used for phishing as dangerous. Browsers display a warning instead of your website — and search engines lower your rankings.

Customer & partner trust

If your customers receive fraudulent emails from your domain, they lose trust in your brand. Rebuilding trust is far harder than publishing three preventive DNS records.

Legal & regulatory risks

The NIS2 directive and other regulations require securing email communications. An unprotected domain may be considered a failure to implement security measures. Learn more in NIS2 and email security.


What each record means

SPF: v=spf1 -all

This record declares: "this domain sends no email". The -all mechanism (hard fail) instructs receiving servers to reject all messages. More details in What is SPF.

DKIM: *._domainkey with empty key

A wildcard record *._domainkey with value v=DKIM1; p= effectively revokes all selectors. No DKIM signature will be treated as authorized, regardless of the selector used.

DMARC: p=reject; sp=reject

The p=reject and sp=reject policies instruct receivers to reject all email from the domain and its subdomains. Strict alignment (adkim=s; aspf=s) and pct=100 ensure full coverage. fo=1 requests detailed failure reports. More in How to set up DMARC.

Null MX (optional)

An MX record with value . (dot) per RFC 7505 explicitly states the domain does not accept email. Not mandatory but recommended — servers that support RFC 7505 won't attempt delivery.
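
The records described above, checked in one place: an added example (not SPFmonitor's code) that audits a constructed record set against the values this page recommends. The domain names, the `RECORDS` layout and the `tags`/`audit` helpers are assumptions made for illustration; in practice the dictionary would be filled from your own DNS lookups.

```python
RECORDS = {  # constructed sample data: (owner name, type) -> record values
    ("parked.example", "TXT"): ["v=spf1 -all"],
    ("*._domainkey.parked.example", "TXT"): ["v=DKIM1; p="],
    ("_dmarc.parked.example", "TXT"):
        ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; fo=1"],
    ("parked.example", "MX"): ["0 ."],
    ("promo.example", "TXT"): ["v=spf1 ~all"],
    ("_dmarc.promo.example", "TXT"): ["v=DMARC1; p=none"],
}

def tags(txt):
    """Parse a 'k=v; k=v' tag list (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(domain, records, require_null_mx=False):
    """Return findings for a non-sending domain; an empty list means locked down."""
    out = []
    txt = lambda name: records.get((name, "TXT"), [])
    spf = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        out.append(f"SPF: expected one v=spf1 record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        out.append(f"SPF: {spf[0]!r} is not exactly 'v=spf1 -all'")
    dkim = [tags(r) for r in txt(f"*._domainkey.{domain}")]
    if not any(t.get("v", "DKIM1") == "DKIM1" and t.get("p") == "" for t in dkim):
        out.append("DKIM: no wildcard record with an empty p= tag")
    dmarc = [tags(r) for r in txt(f"_dmarc.{domain}")
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        out.append(f"DMARC: expected one v=DMARC1 record, found {len(dmarc)}")
    else:
        d = dmarc[0]
        # Defaults when a tag is absent (RFC 7489): sp falls back to p,
        # alignment is relaxed ("r"), pct is 100.
        expected = (("p", "reject", ""), ("sp", "reject", d.get("p", "")),
                    ("adkim", "s", "r"), ("aspf", "s", "r"), ("pct", "100", "100"))
        for tag, want, default in expected:
            got = d.get(tag, default).lower()
            if got != want:
                out.append(f"DMARC: effective {tag}={got or 'missing'}, want {want}")
    if require_null_mx and records.get((domain, "MX"), []) != ["0 ."]:
        out.append("MX: no Null MX (priority 0, target '.')")
    return out

if __name__ == "__main__":
    for name in ("parked.example", "promo.example"):
        print(name, audit(name, RECORDS, require_null_mx=True) or "locked down")
```

The Null MX check is off by default because the page treats that record as optional.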


FAQ

Do I need to protect a parked domain?
Absolutely. Parked domains are a favorite target for attackers precisely because no one monitors them. Publish v=spf1 -all, a DKIM wildcard, and DMARC p=reject — it takes just a few minutes and protects the domain.

What happens if I don't secure my domain?
Anyone can forge email from your domain (spoofing). Recipients have no way to distinguish a forgery from a legitimate message. The consequences can include financial loss, data theft, and damage to domain and brand reputation.

How quickly do DNS changes take effect?
It depends on TTL (Time to Live) at your DNS provider. Changes typically propagate within 1–4 hours, some providers within 24 hours. Verify your records using domain analysis.

Does damaged email reputation affect SEO?
Indirectly, yes. If a domain is abused for phishing, Google Safe Browsing can flag it as dangerous. Browsers then display a warning and search engines may lower the site's rankings. Additionally, loss of brand trustworthiness affects organic click-through rates.

What if the domain only redirects to another?
HTTP redirects handle only web traffic — they have no effect on email. A redirected domain needs its own SPF, DKIM, and DMARC records just like any other domain. Without them, it's vulnerable to spoofing.

Do I also need a Null MX record?
Null MX (RFC 7505) is not mandatory but recommended. It tells sending servers that the domain does not accept email. Add an MX record with priority 0 and value . (dot).

How do I know if someone is abusing my domain?
Set up DMARC with reporting (rua=) — you'll receive daily aggregate reports from receiving servers showing who sends from your domain and whether they pass authentication. Check "Enable monitoring" in the generator above and SPFmonitor will process the reports. Learn more in How to read DMARC reports.

Can I use these records for subdomains?
Yes, but each subdomain needs its own SPF and DKIM records. DMARC can be inherited from the parent domain via the sp=reject tag, but an explicit record on the subdomain is more reliable. Generate records for each subdomain separately.