SPF Record to block any mail sends

I use CF for one of my domains and I got an email with sender identified as that domain. That domain does not send any email, at all.

I think I can add SPF txt record but I want to get it right.

All I need to add is “v=spf1 -all” as SPF record correct?


That’s what mine look like.


You may also want a DMARC record that looks like this:

Name: _dmarc
Type: TXT
Data: v=DMARC1; p=reject;

This tells receiving servers to expect all messages to be authenticated, and otherwise messages should be rejected. Since you haven’t also configured an authentication mechanism, by definition all messages will fail and therefore should be candidates for rejection.


The authoritative guide is probably the M3AAWG Protecting Parked Domains Best Common Practices

example.com. TXT "v=spf1 -all"
*.example.com. TXT "v=spf1 -all"
*.example.com. TXT "v=DKIM1; p="
_dmarc.example.com. TXT "v=DMARC1; p=reject;
rua=mailto:[email protected]; ruf=mailto:[email protected]"
example.com._report._dmarc.example.net TXT "v=DMARC1"

If the domain does not receive email, then add these:

example.com. MX 0 .
www.example.com. MX 0 .

Update the example domains for your own domains, and your own DMARC reporting endpoint.


If there domain is fully parked. It might still be receiving mail, so the MX records should be carefully considered.

Also the rua/ruf should only be supplied if anyone is doing anything with the data and should not literally use the example.net domain.

1 Like