From bb6a01d31972e9b13fc2d4ae9d22dea0e35ffa88 Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Wed, 27 May 2020 11:21:20 +0200 Subject: [PATCH] parked domain update --- SPF-how-to.md | 2 +- parked-domain-how-to.md | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/SPF-how-to.md b/SPF-how-to.md index 3eba9c2..6958749 100644 --- a/SPF-how-to.md +++ b/SPF-how-to.md @@ -28,7 +28,7 @@ Our current e-mail infrastructure was originally designed for any mail sending h * The sender address shown to the user ("RFC5322.From") is not used when authenticating. SPF uses the invisible "RFC5321.MailFrom" header. Combining SPF with DMARC removes this disadvantage. * E-mail forwarding is not supported, since the e-mail is often forwarded by another e-mail server. * SPF does not work between domains that use the same e-mail server. -* Parked domains should be explicitly configured to not use e-mail. For SPF this is done with an empty policy and a hard fail: "v=spf1 –all". +* Parked domains should be explicitly configured to not use e-mail. For SPF this is done with an empty policy (not mentioning any ip-adresses or hostnames which are allowed to send mail) and a hard fail: "v=spf1 –all". * When processing incoming mail we advise to favor a DMARC policy over an SPF policy. Do not configure SPF rejection to go into effect early in handling, but take full advantage of the enhancements DMARC is offering. A message might still pass based on DKIM. * At the same time, be aware that some operaters still allow a hard fail (-all) to go into effect early in handling and skip DMARC operations. diff --git a/parked-domain-how-to.md b/parked-domain-how-to.md index 9d2deaf..53c7d06 100644 --- a/parked-domain-how-to.md +++ b/parked-domain-how-to.md @@ -1,3 +1,14 @@ +- [Introduction](#introduction) +- [What is a parked domain?](#what-is-a-parked-domain-) + * [Domain without e-mail](#domain-without-e-mail) + + [Null MX](#null-mx) + + [DMARC](#dmarc) + + [DKIM](#dkim) + + [SPF](#spf) + * [Domain without a website](#domain-without-a-website) + +Table of contents generated with markdown-toc + # Introduction This how-to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on explicitly configuring a parked domain not to use e-mail. @@ -18,10 +29,12 @@ Set DMARC policy to reject mails, but allow reporting to take place. This helps `_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:rua@example.nl; ruf=mailto:ruf@example.nl` ### DKIM +When used with a wildcard selector, setting an empty public key indicates that all previously used keys are revoked and must be considered unreliable. The owner of a domain can also use this to explicitly signal that a domain is not configured to use e-mail. See our [DKIM how-to](https://github.com/internetstandards/toolbox-wiki/blob/master/DKIM-how-to.md) for more information. `*._domainkey IN TXT "v=DKIM1; p="` ### SPF +Set an an empty policy (not mentioning any ip-adresses or hostnames which are allowed to send mail) and a hard fail. `example.nl IN TXT "v=spf1 –all"`