DNS settings to avoid email spoofing and phishing for unused domain (cyberciti.biz)
25 points by alexzeitler 11 months ago | 4 comments



This is a really long-winded article clearly for SEO; here are the relevant records you need if you don't intend to send mail:

   example.com. IN MX 0 .
   example.com. IN TXT "v=spf1 -all"
   _dmarc.example.com. IN TXT "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"
   *._domainkey.example.com. IN TXT "v=DKIM1; p="

Additionally, if you don't need SSL certs:

   example.com. IN CAA 0 issue ";"
   example.com. IN CAA 0 issuewild ";"
   example.com. IN CAA 0 iodef "mailto:your_email@example.net"


It’s a good idea to try to understand what you’re putting in your DNS zone, so it is a good idea to read an article first, but I would recommend this one: https://www.ncsc.gov.uk/blog-post/protecting-parked-domains


And DNS BIMI record too.


Yet another DNS record required if NOT hosting a mail server: the TXT record for a properly disabled BIMI must look like this:

    default._bimi.example.test.  TXT  "v=BIMI1; l=; a=;"

Much in the same way as SPF, Null MX, and DKIM being forced as disabled, you would not want other senders to mimic your logo (domain name) in other recipients’ mail client apps.

https://egbert.net/blog/articles/smtp-bimi-howto.html
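
An added example, not part of the thread or of the linked articles: a Python audit that reads zone-file text and reports which of the no-mail records listed in the comments above (null MX, SPF, DMARC, DKIM, BIMI) are missing or too weak. The sample zone is constructed, and `parse_zone`, `tags` and `audit_parked` are names chosen for this example.

```python
import re
# Constructed sample zone for a parked domain (example data, not a real zone).
GOOD_ZONE = """\
example.com. IN MX 0 .
example.com. IN TXT "v=spf1 -all"
_dmarc.example.com. IN TXT "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"
*._domainkey.example.com. IN TXT "v=DKIM1; p="
default._bimi.example.com. IN TXT "v=BIMI1; l=; a=;"
"""

RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(MX|TXT|SPF)\s+(.+)$", re.I)

def parse_zone(text):
    """Map (owner, TYPE) -> list of rdata; quoted strings are unquoted and joined."""
    out = {}
    for m in filter(None, map(RR.match, map(str.strip, text.splitlines()))):
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if rtype != "MX":
            rdata = "".join(re.findall(r'"([^"]*)"', rdata))
        out.setdefault((owner, rtype), []).append(" ".join(rdata.split()))
    return out

def tags(txt):
    """Parse the 'k=v; k2=v2' tag lists used by DMARC, DKIM and BIMI."""
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in txt.split(";")) if k.strip()}

def audit_parked(zone_text, domain):
    """Return a list of findings; an empty list means every no-mail record is in place."""
    z, d, bad = parse_zone(zone_text), domain.lower().rstrip(".") + ".", []
    def one(owner, prefix):  # the single TXT record at owner with this version tag
        hits = [t for t in z.get((owner, "TXT"), []) if t.lower().startswith(prefix)]
        return hits[0] if len(hits) == 1 else None
    if z.get((d, "MX")) != ["0 ."]:
        bad.append("MX: expected a single null MX '0 .'")
    if (d, "SPF") in z:
        bad.append("SPF: obsolete SPF RR type present; receivers query TXT only")
    spf = one(d, "v=spf1")
    if spf is None or spf.lower().split() != ["v=spf1", "-all"]:
        bad.append("SPF: expected exactly one TXT 'v=spf1 -all'")
    dmarc = tags(one("_dmarc." + d, "v=dmarc1") or "")
    if dmarc.get("p") != "reject" or dmarc.get("sp", "reject") != "reject":
        bad.append("DMARC: p (and sp, if set) must be reject")
    for owner, ver, keys, name in (("*._domainkey.", "v=dkim1", ("p",), "DKIM"),
                                   ("default._bimi.", "v=bimi1", ("l", "a"), "BIMI")):
        t = tags(one(owner + d, ver) or "")
        if any(t.get(k) != "" for k in keys):
            bad.append(f"{name}: expected a record with empty {', '.join(keys)}")
    return bad
```

`audit_parked(GOOD_ZONE, "example.com")` returns an empty list; a zone that publishes the policy under the SPF record type instead of TXT produces two SPF findings.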



