On Dec 10, 2013, at 11:39 AM, John Levine <[email protected]> wrote:

>> Suggest following this thread from 2007.
>> http://mipassoc.org/pipermail/ietf-dkim/2007q2/007663.html
>
> That's the null MX proposal. I resuscitated Mark Delany's draft in
> July, and I suppose I might nudge Murray to see if appsawg would
> accept it, but it's a separate issue.
>
> For DMARC, what advice can we offer beyond publishing SPF -al and DKIM
> p=reject? (Normally I'm not a big fan of p=reject, but this is a
> place where it's clearly appropriate.)
>
I propose to add something along these lines in the DMARC FAQ.

I have parked domains that do not send emails, how can I protect them?

First create a DMARC record on your main domain (example.com) for all your parked domains:

    _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua= mailto:[email protected];"

If example.net is a parked domain you can then protect it this way:

    _dmarc.example.net CNAME _dmarc.parked.example.com
    example.net TXT "v=spf1 -all"
    *.example.net TXT "v=spf1 -all"

The CNAME allows you to control all your parked domains in one place. If you want, for instance, to start receiving failure reports for all your parked domains, you just need to update one DNS record. In the example above the record becomes:

    _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];"

This will update all the domains using this CNAME.

The wildcard on the TXT record for SPF will protect any subdomain or host under this domain.

To be able to receive reports for example.net at the mailboxes at example.com you must create a report record:

    example.net._report_dmarc.example.com TXT "v=DMARC1;"

If you have many parked domains, you can use a wildcard instead of creating a record for each domain you are protecting:

    *._report_dmarc.example.com TXT "v=DMARC1;"

However, you can then receive reports for any domain, so ensure you are protected against false reporting and the potential load on your infrastructure.
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
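An added example, not part of the original message: a small offline audit that checks a parked domain against the recipe above (SPF `-all` on the apex and the wildcard, and a DMARC `p=reject` record reached through the shared CNAME). The zone data, the `reports@example.com` mailbox, the example.org entries and all function names are constructed for illustration.

```python
# Constructed zone data mirroring the records in the message (mailbox is a placeholder).
ZONE = {
    ("_dmarc.parked.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:reports@example.com;"],
    ("_dmarc.example.net", "CNAME"): ["_dmarc.parked.example.com"],
    ("example.net", "TXT"): ["v=spf1 -all"],
    ("*.example.net", "TXT"): ["v=spf1 -all"],
    # example.org: constructed incomplete case (no wildcard SPF, weak DMARC policy)
    ("_dmarc.example.org", "TXT"): ["v=DMARC1; p=none;"],
    ("example.org", "TXT"): ["v=spf1 -all"],
}

def lookup_txt(zone, name, max_hops=8):
    """Return the TXT strings for name, following CNAMEs as a resolver would."""
    for _ in range(max_hops):
        if (name, "CNAME") in zone:
            name = zone[(name, "CNAME")][0].rstrip(".")
            continue
        return zone.get((name, "TXT"), [])
    return []  # CNAME loop or chain too long: treat as no record

def parse_dmarc(txt):
    """Split a DMARC record into a tag dict; None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def audit_parked(zone, domain):
    """List where domain's records differ from the parked-domain recipe."""
    findings = []
    for name in (domain, "*." + domain):
        spf = [t for t in lookup_txt(zone, name) if t.lower().startswith("v=spf1")]
        if spf != ["v=spf1 -all"]:
            findings.append(f"{name}: SPF is not exactly 'v=spf1 -all'")
    dmarc = [d for d in map(parse_dmarc, lookup_txt(zone, "_dmarc." + domain)) if d]
    if len(dmarc) != 1:
        findings.append(f"_dmarc.{domain}: expected one DMARC record, found {len(dmarc)}")
        return findings
    policy = dmarc[0]
    if policy.get("p", "").lower() != "reject":
        findings.append(f"_dmarc.{domain}: policy is not p=reject")
    for tag in ("rua", "ruf"):  # report mailboxes outside the parked domain
        for uri in filter(None, policy.get(tag, "").split(",")):
            host = uri.strip().rsplit("@", 1)[-1].split("!")[0].lower()
            if host != domain and not host.endswith("." + domain):
                findings.append(f"_dmarc.{domain}: {tag} reports go to {host}, which must publish a report record for {domain}")
    return findings
```

For example.net the only finding is the reminder that example.com has to publish the report record for it; example.org is flagged for its missing wildcard SPF record and its `p=none` policy.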
