Domains that do not send email — parked domains, defensively-registered variations, old brand names, internal-only domains — are prime targets for spoofing. This tutorial walks through the three DNS records that lock them down against abuse: null SPF, null DKIM, and restrictive DMARC.
Every domain you own is a potential spoofing target. Attackers enumerate your portfolio — common misspellings, alternate TLDs, old brand names from acquisitions, defensive registrations — and probe for undefended ones. A parked old-brand.co.uk from an acquisition five years ago is as spoofable as your main domain if it has no authentication.
The fix is three DNS records that explicitly declare: no email should ever come from this domain, and any that claims to is forged.
| Record | Name | Purpose |
|---|---|---|
| Null SPF | domain (root) | No IP authorised to send as this domain |
| Null DKIM | *._domainkey.domain | No DKIM selector valid for this domain |
| Restrictive DMARC | _dmarc.domain | Reject any mail failing authentication |
An SPF record with no authorised mechanisms:
```
parked.co.uk. IN TXT "v=spf1 -all"
```

Meaning: no IP is authorised to send email as parked.co.uk; any message claiming to is explicitly not authorised (hard fail). Receivers that enforce SPF reject the message.
This single record costs zero DNS lookups and is the simplest possible SPF — two tokens plus the terminator.
A wildcard DKIM record that declares no key valid:
```
*._domainkey.parked.co.uk. IN TXT "v=DKIM1; p="
```

The empty p= means "the key for this selector is revoked". Any message claiming a DKIM signature from any selector on this domain fails verification.
The wildcard covers all possible selectors without having to publish each individually.
A DMARC record requiring reject and strict alignment:
```
_dmarc.parked.co.uk. IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected]"
```

Fields:

- p=reject — reject any mail failing DMARC alignment.
- sp=reject — the same for any subdomain.
- adkim=s; aspf=s — strict alignment (no relaxed matching).
- rua=mailto:... — aggregate reports, so you see any spoofing attempts.

Point rua at a mailbox on an actively-monitored domain (not the parked one, which does not receive mail). Reports then reveal when attackers probe the parked domain.
After publishing, verify with command-line checks:
```shell
# Null SPF
dig TXT parked.co.uk
# Expected: "v=spf1 -all"

# Null DKIM wildcard (any selector name resolves via the wildcard record)
dig TXT any._domainkey.parked.co.uk
# Expected: "v=DKIM1; p="

# Restrictive DMARC
dig TXT _dmarc.parked.co.uk
# Expected: "v=DMARC1; p=reject; ..."
```

Alternatively, use MXToolbox or Hardenize to validate the whole lockdown at once.
Testing spoofing resistance: send a test message from any external domain with From: [email protected] to a Gmail account. Check the received message — it should be rejected outright or land in spam with DMARC fail markings.
UK businesses accumulate domains through acquisitions, rebrands and defensive registrations. Every inherited domain needs lockdown.
UK businesses often register common misspellings (firm-co-uk.com, firmco.uk) to prevent attackers from using them. These need lockdown as non-sending domains.
Old marketing campaigns may have used subdomains that are no longer active. Retire them properly with lockdown records.
Subdomains used internally (VPN, staff intranet) but never for external email also need lockdown; it prevents them being spoofed externally.
Domains registered for future use that are not yet deployed. Lock down until they are put into real service.
Q: Can I have a single template for all my parked domains?
A: Yes. The same three records apply to every non-sending domain. A DNS automation script or infrastructure-as-code deployment can apply the template to any domain consistently.
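As an added example (not code from the original tutorial), a Python script that emits the three-record template for a domain and checks a domain's published TXT values against it, applying DMARC's defaults (sp falls back to p, alignment defaults to relaxed) so a record that merely omits a tag is not mistaken for a locked-down one. The domain, report mailbox and TXT strings are constructed inputs, so it runs offline; feed in the values returned by the dig checks above to test a live domain.

```python
# Added example: lockdown template generator and checker for non-sending domains.
# Record values follow the tutorial; the check logic and sample inputs are constructed.
def lockdown_records(domain: str, rua_mailbox: str) -> dict[str, str]:
    """Return the three TXT records (owner name -> value) for one non-sending domain."""
    return {
        domain: "v=spf1 -all",
        f"*._domainkey.{domain}": "v=DKIM1; p=",
        f"_dmarc.{domain}": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                             f"rua=mailto:{rua_mailbox}"),
    }

def parse_tags(txt: str) -> dict[str, str]:
    """Parse a 'tag=value; tag=value' list (DKIM/DMARC syntax), keeping empty values."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_lockdown(spf: str, dkim: str, dmarc: str) -> list[str]:
    """Return deviations from the lockdown template; an empty list means fully locked down."""
    problems = []
    tokens = spf.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        problems.append("SPF: no v=spf1 record")
    elif [t.lower() for t in tokens[1:]] != ["-all"]:
        problems.append(f"SPF: expected only '-all', got {' '.join(tokens[1:])!r}")
    key = parse_tags(dkim)
    if key.get("v") != "DKIM1" or key.get("p") != "":
        problems.append("DKIM: wildcard selector must be 'v=DKIM1; p=' (empty key = revoked)")
    pol = parse_tags(dmarc)
    if pol.get("v") != "DMARC1":
        problems.append("DMARC: no v=DMARC1 record")
    else:
        # Apply DMARC defaults first: sp falls back to p, alignment defaults to relaxed (r).
        effective = {"p": pol.get("p"), "sp": pol.get("sp", pol.get("p")),
                     "adkim": pol.get("adkim", "r"), "aspf": pol.get("aspf", "r")}
        for tag, want in (("p", "reject"), ("sp", "reject"), ("adkim", "s"), ("aspf", "s")):
            if effective[tag] != want:
                problems.append(f"DMARC: {tag}={effective[tag]} (want {want})")
        if not pol.get("rua", "").startswith("mailto:"):
            problems.append("DMARC: no rua address, so spoofing attempts go unreported")
    return problems

if __name__ == "__main__":
    recs = lockdown_records("parked.co.uk", "dmarc-reports@example.com")  # constructed
    for name, value in recs.items():
        print(f'{name}. IN TXT "{value}"')
    print(check_lockdown(*recs.values()))  # prints [] for a correctly published template
```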
Q: What happens if I actually need to send mail from a locked-down domain later?
A: Reverse the lockdown before sending. Update SPF with the real senders, configure DKIM with real selectors and keys, and move DMARC from reject to a level appropriate for a fresh rollout. This takes the usual DMARC rollout time.
Q: Do the lockdown records need DNSSEC?
A: DNSSEC strengthens the protection but is not required. Lockdown records work without DNSSEC; they just become slightly more spoofable by attackers able to forge DNS.
Q: Will lockdown records cause any false positives for legitimate inbound mail?
A: No. Lockdown is about outbound — authenticating mail claiming to come from the domain. Inbound mail (delivery to the domain) is governed by MX, not lockdown records.
Q: Can I skip the DKIM null record?
A: Null DKIM is optional but recommended. Without it, an attacker could try to fake a DKIM-signed message claiming to be from the domain; the null DKIM ensures no signature validates.
Q: Can I use the same rua mailbox for all my locked-down domains?
A: Yes. One mailbox receives reports for all of them. A processing service aggregates by domain in its dashboard.
Q: How much does this cost?
A: Just DNS publication — effectively free. No additional records incur charges at typical UK DNS providers.
Q: Does locking down affect the domain's web traffic?
A: No. Lockdown records govern email only (SPF, DKIM, DMARC). Web hosting (A records, web server) is unaffected.
Q: Can I use v=spf1 ~all instead of -all for non-sending domains?
A: Softfail (~all) is weaker. Use -all for non-sending domains — you want explicit rejection, not "probably not authorised".
Q: What if I own hundreds of defensive-registration domains?
A: Automate. Use a DNS provider API or infrastructure-as-code tool (Terraform, Pulumi) to apply the template to every domain. Saves time at scale.
Q: Will the DMARC rua receive many reports for parked domains?
A: Varies. Well-known brand parks receive hundreds daily (attackers spoof them constantly). Obscure defensive registrations rarely see any. Monitor but do not be alarmed by volume.
Q: What does NCSC recommend for non-sending UK public sector domains?
A: Lockdown records exactly as described. NCSC Mail Check monitors compliance.
Q: Is the lockdown different for parent and subdomain?
A: Same records, published at each level that matters. For a parent with sp=reject, subdomains without their own DMARC inherit; but publishing per-subdomain makes the lockdown explicit.