I noticed that I was receiving some bounced email notifications from a domain I own to host my blog (cloud.geek.nz). These notifications were all for spam messages spoofing the From address, since I do not use that domain for email.
I decided to try setting a strict DMARC policy to see if DMARC-using mail servers (e.g. Gmail) would then drop these spoofed emails without notifying me about it.
I started by setting this initial DMARC policy in DNS in order to monitor the change:
@ TXT v=spf1 -all
_dmarc TXT v=DMARC1; p=none; ruf=mailto:dmarc@fmarier.org; sp=none; aspf=s; fo=0:1:d:s;
Then I waited three weeks without receiving anything before updating the relevant DNS records to this final DMARC policy:
@ TXT v=spf1 -all
_dmarc TXT v=DMARC1; p=reject; sp=reject; aspf=s;
This policy states that no host is allowed to send email for this domain (the SPF -all) and that receivers which enforce DMARC should reject any incoming email claiming to be from this domain, or from any of its subdomains (sp=reject), outright at delivery time rather than accepting it and bouncing it back to the forged sender address.
I haven't noticed any bounce notifications for messages spoofing this domain in a while, so maybe it's working?
DKIM
Cloudflare suggests also including an invalid DKIM record:
*._domainkey TXT v=DKIM1; p=
and referring to it in the DMARC record via adkim=s:
_dmarc TXT v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;
I'm not sure why a mail server would correctly handle DKIM but not SPF since the former is more complicated. Maybe this is not really necessary and is merely a belt-and-suspenders kind of approach.
Null MX
If you look at the MX record for example.com:
$ dig MX example.com
example.com. 86400 IN MX 0 .
This odd-looking MX record is actually following RFC 7505 and is the correct way to indicate that a domain doesn't accept incoming emails.
While this is the opposite of what I set out to do, the RFC suggests that some mail servers will refuse incoming emails claiming to be from domains with a Null MX record, on the basis that legitimate email senders have valid return addresses.
This sounds like a good idea to add to a domain that isn't sending emails.
CAA record
A somewhat recent addition to the CAA DNS record allows domain owners to prevent certificate authorities from issuing S/MIME certificates for their domains. Not really critical for a domain that's not supposed to send mail at all, but it's very simple to set up, so may as well.
To do this, simply add the DNS record recommended in RFC 9495; the ";" value means that no CA is authorized to issue S/MIME certificates for the domain:
example.com. 86400 IN CAA 0 issuemail ";"
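Putting the DMARC, DKIM, Null MX and CAA sections above together, here is an added example (not code from the original post) that lints a domain's DNS answers for the complete "no mail" posture: SPF -all, DMARC p=reject/sp=reject with strict alignment, a wildcard revoked DKIM key, the null MX and the issuemail CAA record. It also catches two reporting pitfalls a practitioner would want flagged during the monitoring phase: a policy with no rua= tag (Gmail and most large receivers send aggregate reports only, never ruf failure reports), and a mailto: report address in a different domain, which receivers only honour if that domain publishes a `<policy-domain>._report._dmarc.<report-domain>` TXT record containing `v=DMARC1` (RFC 7489 section 7.1). The two zones, the example.com and reports.example names and the probe selector are constructed placeholders; answers from a real resolver library fit the same `(owner name, record type) -> [rdata strings]` shape.

```python
"""Offline lint of the DNS records that make a domain "no mail" (SPF, DMARC,
DKIM, null MX, CAA issuemail), read through a resolver callback.  The zones
below are constructed sample answers; example.com and reports.example are
placeholders, and any DNS library's answers fit the same (name, type) shape."""

# Constructed hardened zone: the records from the post plus the authorization
# record a report mailbox in another domain needs (RFC 7489 section 7.1).
GOOD_ZONE = {
    ("example.com", "TXT"): ["v=spf1 -all"],
    ("_dmarc.example.com", "TXT"): [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@reports.example"],
    ("*._domainkey.example.com", "TXT"): ["v=DKIM1; p="],
    ("example.com", "MX"): ["0 ."],
    ("example.com", "CAA"): ['0 issuemail ";"'],
    ("example.com._report._dmarc.reports.example", "TXT"): ["v=DMARC1"],
}

# Constructed monitoring-phase zone modelled on the initial policy in the post:
# p=none, failure reports sent to another domain with no authorization record,
# no rua=, and no DKIM, MX or CAA records at all.
MONITOR_ZONE = {
    ("example.com", "TXT"): ["v=spf1 -all"],
    ("_dmarc.example.com", "TXT"): [
        "v=DMARC1; p=none; ruf=mailto:dmarc@reports.example; sp=none; aspf=s; fo=0:1:d:s"],
}

PROBE_SELECTOR = "lint-probe"  # arbitrary selector; the DKIM wildcard must cover it

def lookup(zone, name, rtype):
    """Resolver over a constructed zone, emulating a DNS wildcard at *.parent."""
    if (name, rtype) in zone:
        return zone[(name, rtype)]
    _, _, parent = name.partition(".")
    return zone.get((f"*.{parent}", rtype), [])

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC/DKIM record into a dict, keeping empty values."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(domain, resolve, findings):
    records = [r for r in resolve(f"_dmarc.{domain}", "TXT") if r.startswith("v=DMARC1")]
    if len(records) != 1:
        findings.append("DMARC: expected exactly one v=DMARC1 record at _dmarc")
        return
    tags = parse_tags(records[0])
    policy = tags.get("p")
    if policy != "reject":
        findings.append(f"DMARC: p={policy} (want reject)")
    if tags.get("sp", policy) != "reject":
        findings.append("DMARC: sp should be reject so subdomains cannot be spoofed either")
    for align in ("adkim", "aspf"):
        if tags.get(align, "r") != "s":
            findings.append(f"DMARC: {align} should be s (strict alignment)")
    if "rua" not in tags:
        findings.append("DMARC: no rua=; Gmail and most large receivers send aggregate "
                        "reports only, never ruf failure reports, so nothing will arrive")
    # A mailto: target outside the policy domain is only honoured if the target
    # domain publishes <domain>._report._dmarc.<target> TXT "v=DMARC1".
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:") or "@" not in uri:
                continue
            rdomain = uri.rsplit("@", 1)[1].lower()
            if rdomain == domain.lower():
                continue
            auth = resolve(f"{domain}._report._dmarc.{rdomain}", "TXT")
            if not any(r.startswith("v=DMARC1") for r in auth):
                findings.append(f"DMARC: {tag} points at {rdomain}, which publishes no "
                                f"{domain}._report._dmarc.{rdomain} authorization record")

def check_domain(domain, resolve):
    """Return a list of findings; an empty list means the no-mail posture is complete."""
    findings = []
    spf = [r for r in resolve(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(spf) != 1 or spf[0].split()[1:] != ["-all"]:
        findings.append("SPF: expected exactly one record 'v=spf1 -all'")
    check_dmarc(domain, resolve, findings)
    dkim = [parse_tags(r) for r in resolve(f"{PROBE_SELECTOR}._domainkey.{domain}", "TXT")]
    if not any(t.get("v") == "DKIM1" and t.get("p") == "" for t in dkim):
        findings.append("DKIM: *._domainkey should answer every selector with a revoked key (p=)")
    if resolve(domain, "MX") != ["0 ."]:
        findings.append("MX: expected the single null MX record '0 .' (RFC 7505)")
    caa = [r.split(None, 2) for r in resolve(domain, "CAA")]
    if not any(len(f) == 3 and f[1] == "issuemail" and f[2].strip('"') == ";" for f in caa):
        findings.append('CAA: expected 0 issuemail ";" to forbid S/MIME issuance (RFC 9495)')
    return findings

if __name__ == "__main__":
    for label, zone in (("hardened", GOOD_ZONE), ("monitoring", MONITOR_ZONE)):
        result = check_domain("example.com", lambda n, t, z=zone: lookup(z, n, t))
        print(label + ":", "\n  ".join(result) or "OK")
```

The hardened zone comes back clean, while the monitoring zone produces eight findings, including the unauthorized external ruf address that would keep failure reports from ever being delivered. To run it against a live domain, replace the `lookup` callback with one that queries DNS and returns the TXT, MX and CAA rdata as strings in the same form `dig` prints them.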