Keep Null MX in addition to Cloudflare's TXT email security records?

My domain does not send nor receive emails.

Cloudflare suggests a DNS configuration in order to prevent illegitimate email traffic (eg. spoofing), when a domain is not used to send emails:

That configuration is automatically created with the “Email Security DNS Wizard”, and looks like this:               300  IN  TXT  "v=spf1 -all"        300  IN  TXT  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=****"
*  300  IN  TXT  "v=DKIM1; p="

However, that configuration does not include RFC7505 recommandation which is called “Null MX”.

Should I use Null MX in addition to Cloudflare recommandation ? Should I not ?               300  IN  MX   0 .

Null MX does nothing to prevent spoofing. It is just to signal to mail senders that your domain does not receive email.

I did ask why the DNS wizard did not include them and was told:

We considered this, but came to the conclusion that not having a MX record at all has the same effect of adding a null MX record so in order to keep it simpler and spare the extra record we decided against including it in the restrictive records wizard section.

Personally, I use Null MX whenever I have domains that don’t need to receive email.


I, too use Null MX on my domains that do not receive email.

I also make vigorous use of the “sends no mail” SPF record. The referenced Cloudflare article is the first time I have seen a null DKIM suggested. Is there any benefit to publishing an empty DKIM? Doesn’t simply not having a matching DKIM record accomplish the same end result?

1 Like

Probably the best reference is here:


I was just in the midst of replying to my own question when your reply notfication arrived. I also found that that the benefit of the null DKIM is that it serves to declare any matching selector as invalid. I guess I have a new RR to add to some zones. :grin:

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.