We are running in a testing phase — please be patient and share your feedback.

Domain without email

For domains that never send email, publish three DNS records to prevent abuse: SPF with “-all”, a wildcard DKIM at *._domainkey with an empty key, and a DMARC policy that enforces rejection.
Why these settings
  • SPF: v=spf1 -all declares the domain does not send; receivers reject unauthorized mail.
  • DKIM: a wildcard *._domainkey TXT v=DKIM1; p= revokes all selectors so no DKIM signature is treated as authorized.
  • DMARC: p=reject; sp=reject; adkim=s; aspf=s; pct=100; fo=1 enforces rejection, strict alignment, and requests detailed failure reports.
  • MX record: Not created (per request). If you have a legacy MX, consider removing it.
Read the source article