I noticed that I was receiving some bounced email notifications from a domain I own (cloud.geek.nz) and use to host my blog. These notifications were all for spam messages spoofing the From address, since I do not use that domain for email.
I decided to try setting a strict DMARC policy to see if DMARC-aware mail servers (e.g. Gmail) would then drop these spoofed emails without notifying me about it.
I started by setting this initial DMARC policy in DNS in order to monitor the change:
@ TXT v=spf1 -all
_dmarc TXT v=DMARC1; p=none; ruf=mailto:dmarc@fmarier.org; sp=none; aspf=s; fo=0:1:d:s;
Then I waited three weeks without receiving anything before updating the relevant DNS records to this final DMARC policy:
@ TXT v=spf1 -all
_dmarc TXT v=DMARC1; p=reject; sp=reject; aspf=s;
This policy states that no host is allowed to send emails for this domain (SPF `-all`) and that any incoming email claiming to be from this domain or one of its subdomains (`p=reject`, `sp=reject`) should be silently rejected.
I haven't noticed any bounce notifications for messages spoofing this domain in a while, so maybe it's working?
DKIM
Cloudflare suggests also including an invalid DKIM record:
*._domainkey TXT v=DKIM1; p=
and referring to it in the DMARC record via adkim=s:
_dmarc TXT v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;
I'm not sure why a mail server would correctly handle DKIM but not SPF since the former is more complicated. Maybe this is not really necessary and is merely a belt-and-suspenders kind of approach.
Null MX
If you look at the MX record for example.com:
$ dig MX example.com
example.com. 86400 IN MX 0 .
This odd-looking MX record is actually following RFC 7505 and is the correct way to indicate that a domain doesn't accept incoming emails.
While this is the opposite of what I set out to do, the RFC suggests that some mail servers will refuse incoming emails claiming to be from domains with a Null MX record on the basis that legitimate email senders have valid return addresses.
This sounds like a good idea to add to a domain that isn't sending emails.
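As an added example (not from the original post), here is a small offline checker that takes a domain's SPF, DMARC, wildcard DKIM and MX records as plain strings and reports whether they match the "this domain never sends or receives mail" configuration described above: SPF `-all`, DMARC `p=reject`/`sp=reject` with strict alignment, a revoked wildcard DKIM key, and a Null MX. The sample records and the `example.net` domain are constructed; in practice you would feed it the output of your own `dig` queries.

```python
import re

# Constructed sample records for a domain that should never send or receive mail.
# They mirror the final records shown in the post; nothing here is fetched from DNS.
SAMPLE_RECORDS = {
    "TXT": {
        "example.net.": ["v=spf1 -all"],
        "_dmarc.example.net.": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"],
        "*._domainkey.example.net.": ["v=DKIM1; p="],
    },
    "MX": {"example.net.": [(0, ".")]},  # Null MX per RFC 7505: preference 0, host "."
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_nomail_domain(domain, records):
    """Return {check name: bool} for the hardening steps described in the post."""
    txt, mx = records.get("TXT", {}), records.get("MX", {})
    name = domain.rstrip(".") + "."
    spf = [r for r in txt.get(name, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt.get("_dmarc." + name, []) if r.upper().startswith("V=DMARC1")]
    dkim = [r for r in txt.get("*._domainkey." + name, []) if r.upper().startswith("V=DKIM1")]
    dmarc_tags = parse_tags(dmarc[0]) if dmarc else {}
    dkim_tags = parse_tags(dkim[0]) if dkim else {}
    return {
        # Exactly one SPF record that authorizes no sender at all.
        "spf_hard_fail_all": len(spf) == 1
        and re.fullmatch(r"v=spf1\s+-all", spf[0], re.IGNORECASE) is not None,
        "dmarc_reject": dmarc_tags.get("p") == "reject",
        # RFC 7489: 'sp' defaults to the value of 'p' when absent.
        "dmarc_subdomain_reject": dmarc_tags.get("sp", dmarc_tags.get("p")) == "reject",
        "dmarc_strict_alignment": dmarc_tags.get("adkim") == "s" and dmarc_tags.get("aspf") == "s",
        # RFC 6376: an empty 'p=' means the key has been revoked.
        "dkim_wildcard_revoked": "p" in dkim_tags and dkim_tags["p"] == "",
        "null_mx": mx.get(name) == [(0, ".")],
    }
```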