Categories

Account Administration
4
cPanel - Control Panel
85
Domain Names
33
Email
103
Google Workspace
7
Search Engine Optimisation
7
Terms and Policies
13
Tools
8
Website Management
84
WordPress
63
WordPress User Guide
24

  Categories

  Tag Cloud

Backup cPanel Restore FTP WordPress Video Email Cron WP-CLI DNS Nameservers Roundcube Google Workspace Password Domain Names Plugins Thunderbird Security Web Hosting htaccess php Portal Elementor GeneratePress Linux AlmaLinux Social Media SPF Cloudflare Database DMARC SSH Troubleshooting iOS DKIM

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket
Knowledgebase Banner - WordPress Web Hosting
SPF, Email, DKIM, DMARC 1

How to Stop Your Domain from Sending Emails (Securing Parked Domains)

If you own a domain that you use strictly for web hosting, redirects, or simply have "parked" for future use, it is highly recommended that you configure it so it cannot send emails.

Why? Because if you don't explicitly tell the internet that your domain doesn't send mail, cybercriminals can easily forge (spoof) your domain name to send spam and phishing emails. This can damage your brand's reputation and contribute to global spam problems.

To lock down your domain, you need to configure three specific DNS (Domain Name System) records: SPF, DKIM, and DMARC.

Here is your step-by-step guide to configuring them for a non-sending domain.

1. SPF (Sender Policy Framework)

What it is: SPF is a DNS record that lists the IP addresses and servers that are allowed to send email on behalf of your domain.
The Goal: We want to tell the world that zero servers are allowed to send email for this domain.

How to configure it:

You need to create a TXT record in your DNS settings that strictly rejects all sending attempts.

  1. Log into your domain registrar or DNS provider.
  2. Navigate to your DNS Management / Zone Editor.
  3. Add a new TXT record.
  4. Set the Name/Host to @ (which represents your root domain, e.g., yourdomain.com).
  5. Set the Value to the following: 
    v=spf1 -all
    Explanation: v=spf1 identifies the record type. -all (with a minus sign) is a strict fail, meaning "reject anything claiming to be from this domain."

2. DKIM (DomainKeys Identified Mail)

What it is: DKIM acts as a digital cryptographic signature added to outgoing emails, proving the email was actually authorized by the domain owner.
The Goal: We want to publish an empty public key, which effectively revokes any keys that a spammer might try to fake.

How to configure it:

You need to create a wildcard TXT record that neutralizes any DKIM signature checks.

  1. In your DNS settings, add a new TXT record.
  2. Set the Name/Host to *._domainkey (the asterisk acts as a wildcard for any selector a spammer might invent).
  3. Set the Value to the following: 
    v=DKIM1; p=
    Explanation: v=DKIM1 identifies it as a DKIM record. p= indicates that the public key is empty/revoked.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What it is: DMARC is the boss of SPF and DKIM. It tells receiving mail servers exactly what to do if an email fails the SPF or DKIM checks.
The Goal: We want to instruct all receiving mail servers to outright reject any email claiming to be from your domain, since we know we aren't sending any.

How to configure it:

You need to create a TXT record for DMARC that enforces a strict rejection policy.

  1. In your DNS settings, add a new TXT record.
  2. Set the Name/Host to _dmarc (this will automatically resolve to _dmarc.yourdomain.com).
  3. Set the Value to the following: 
    v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;
    Explanation:
    • v=DMARC1: Identifies the DMARC protocol.
    • p=reject: Tells the receiver to reject emails failing checks for the main domain.
    • sp=reject: Tells the receiver to reject emails failing checks for any subdomains.
    • adkim=s & aspf=s: Enforces "strict" alignment for both DKIM and SPF.

(Optional: If you want to receive reports when someone tries to spoof your domain, you can add rua=mailto:[email protected]; to the end of the DMARC value).

Bonus: The "Null" MX Record

While SPF, DKIM, and DMARC prevent your domain from sending emails, you should also prevent it from receiving them.

Mail Exchange (MX) records tell the internet where to deliver incoming mail. By setting a "Null MX" record, you signal that your domain does not accept email at all.

How to configure it:

  1. In your DNS settings, add a new MX record.
  2. Set the Name/Host to @.
  3. Set the Priority to 0.
  4. Set the Value/Destination to . (just a single period).

Summary Checklist

To fully lock down your non-sending domain, ensure your DNS looks like this:

Type Name / Host Value / Target
TXT @ v=spf1 -all
TXT *._domainkey v=DKIM1; p=
TXT _dmarc v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;
MX @ Priority: 0, Value: .

Note: DNS changes can take up to 48 hours to fully propagate across the internet, though you will often see them take effect within a few hours.

 

Was this answer helpful?

Related Articles

I am getting a 451 Message temporarily deferred message when sending to Yahoo or BT - What does this mean? Yahoo have extremely strict criteria for accepting email and often defer e-mail if they think that it might be spam or if they are busy - they call... Why is my mail client downloading duplicates of existing emails? Seeing Double? Why Your Mail Client Might Download Duplicate Emails Ever noticed your inbox overflowing with copies of the same email? This can be... How do I recover deleted mail in Exchange? To recover mail that has been removed from the 'Deleted Items' folder in your mailbox, follow the steps below. Outlook: 1) Select... I cannot send email, but I can receive it. Can't Send Email But Can Receive? Here's How to Fix It! Feeling frustrated because you can receive emails but can't send them? Don't worry, this... Why does my email bounce with 550 relay not permitted? This usually happens because the nameservers on the affected domain have been changed to make the domain work with our servers, but thedomain...

One email a month. Endless business benefits.

Don't miss out on WMTWWFY — the newsletter that keeps your website fast, safe, and visible.

« Back

  Tag Cloud

Backup cPanel Restore FTP WordPress Video Email Cron WP-CLI DNS Nameservers Roundcube Google Workspace Password Domain Names Plugins Thunderbird Security Web Hosting htaccess php Portal Elementor GeneratePress Linux AlmaLinux Social Media SPF Cloudflare Database DMARC SSH Troubleshooting iOS DKIM

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket
Spinner
aluminium-anthropoid Security Check