SPF Record to block any mail sends

I use CF for one of my domains and I got an email with sender identified as that domain. That domain does not send any email, at all.

I think I can add SPF txt record but I want to get it right.

All I need to add is “v=spf1 -all” as the SPF record, correct?

Craig

That’s what mine look like.

2 Likes

You may also want a DMARC record that looks like this:

Name: _dmarc
Type: TXT
Data: v=DMARC1; p=reject;

This tells receiving servers to expect all messages to be authenticated, and otherwise messages should be rejected. Since you haven’t also configured an authentication mechanism, by definition all messages will fail and therefore should be candidates for rejection.

3 Likes

The authoritative guide is probably the M3AAWG Protecting Parked Domains Best Common Practices

example.com. TXT "v=spf1 -all"
*.example.com. TXT "v=spf1 -all"
*.example.com. TXT "v=DKIM1; p="
_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]"
example.com._report._dmarc.example.net TXT "v=DMARC1"

If the domain does not receive email, then add these:

example.com. MX 0 .
www.example.com. MX 0 .

Update the example domains for your own domains, and your own DMARC reporting endpoint.

2 Likes

If the domain is fully parked, it might still be receiving mail, so the MX records should be carefully considered.

Also the rua/ruf should only be supplied if anyone is doing anything with the data and should not literally use the example.net domain.

1 Like
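
An added example, not posted by anyone in this thread: a small offline audit of the records discussed above (SPF `-all`, DMARC `p=reject`, the external report authorization record, and the null MX). The function name `audit_parked_domain`, the sample zone and the placeholder report address are constructed for illustration, and "external" report host is simplified to "not the domain or one of its subdomains".

```python
# Constructed sample zone data (name, type, data); not taken from real DNS.
GOOD_ZONE = [
    ("example.com.", "TXT", "v=spf1 -all"),
    ("_dmarc.example.com.", "TXT",
     "v=DMARC1; p=reject; rua=mailto:placeholder@example.net"),
    ("example.com._report._dmarc.example.net.", "TXT", "v=DMARC1"),
    ("example.com.", "MX", "0 ."),
]

def audit_parked_domain(domain, records, receives_mail=False):
    """Return a list of findings; an empty list means the posture matches."""
    domain = domain.rstrip(".").lower() + "."

    def lookup(name, rtype, prefix=""):
        return [d for n, t, d in records
                if n.lower() == name and t == rtype and d.lower().startswith(prefix)]

    findings = []
    # SPF: exactly one record, and it must authorize nothing.
    spf = lookup(domain, "TXT", "v=spf1")
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: {spf[0]!r} authorizes senders or lacks -all")
    # DMARC: exactly one record with p=reject.
    dmarc = lookup("_dmarc." + domain, "TXT", "v=dmarc1")
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        tags = dict(p.strip().split("=", 1) for p in dmarc[0].split(";") if "=" in p)
        if tags.get("p", "").strip().lower() != "reject":
            findings.append("DMARC: policy is not p=reject")
        for key in ("rua", "ruf"):
            for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
                host = uri.rpartition("@")[2].split("!")[0].lower().rstrip(".") + "."
                # Simplification: "external" = not the domain or one of its subdomains.
                if host != domain and not host.endswith("." + domain):
                    auth = f"{domain}_report._dmarc.{host}"
                    if not lookup(auth, "TXT", "v=dmarc1"):
                        findings.append(f"DMARC: {key} host {host} has no {auth} record")
    # Null MX applies only when the domain really receives no mail.
    if not receives_mail and lookup(domain, "MX") != ["0 ."]:
        findings.append("MX: null MX '0 .' not published as the only MX")
    return findings
```

Pass `receives_mail=True` for a domain that still accepts mail, so the null MX check is skipped.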