Keep Null MX in addition to Cloudflare's TXT email security records?

user13857 · December 9, 2021, 5:28pm

My domain example.com does not send nor receive emails.

Cloudflare suggests a DNS configuration in order to prevent illegitimate email traffic (eg. spoofing), when a domain is not used to send emails:
https://www.cloudflare.com/fr-fr/learning/dns/dns-records/protect-domains-without-email/

That configuration is automatically created with the “Email Security DNS Wizard”, and looks like this:

example.com.               300  IN  TXT  "v=spf1 -all"
_dmarc.example.com.        300  IN  TXT  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=****"
*._domainkey.example.com.  300  IN  TXT  "v=DKIM1; p="

However, that configuration does not include RFC7505 recommandation which is called “Null MX”.

Should I use Null MX in addition to Cloudflare recommandation ? Should I not ?

example.com.               300  IN  MX   0 .

michael · December 9, 2021, 5:35pm

Null MX does nothing to prevent spoofing. It is just to signal to mail senders that your domain does not receive email.

I did ask why the DNS wizard did not include them and was told:

We considered this, but came to the conclusion that not having a MX record at all has the same effect of adding a null MX record so in order to keep it simpler and spare the extra record we decided against including it in the restrictive records wizard section.

Personally, I use Null MX whenever I have domains that don’t need to receive email.

epic.network · December 10, 2021, 7:40pm

I, too use Null MX on my domains that do not receive email.

I also make vigorous use of the “sends no mail” SPF record. The referenced Cloudflare article is the first time I have seen a null DKIM suggested. Is there any benefit to publishing an empty DKIM? Doesn’t simply not having a matching DKIM record accomplish the same end result?

michael · December 10, 2021, 7:52pm

Probably the best reference is here:

epic.network · December 10, 2021, 7:54pm

I was just in the midst of replying to my own question when your reply notfication arrived. I also found that that the benefit of the null DKIM is that it serves to declare any matching selector as invalid. I guess I have a new RR to add to some zones.

system · December 13, 2021, 7:54pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to add a NULL MX record DNS & Network dns	3	8448	September 2, 2018
DNS Setup without Email records DNS & Network	7	2920	November 14, 2020
Email with no MX records DNS & Network	3	5031	January 15, 2020
Cloudflare does not support RFC 7505 (null MX) DNS & Network	9	3106	March 22, 2023
Email Panic Getting Started	9	2279	March 18, 2021

Keep Null MX in addition to Cloudflare's TXT email security records?

Related topics