On Dec 10, 2013, at 1:40 PM, Franck Martin <[email protected]> wrote:
> On Dec 10, 2013, at 11:39 AM, John Levine <[email protected]> wrote: > >>> Suggest following this thread from 2007. >>> http://mipassoc.org/pipermail/ietf-dkim/2007q2/007663.html >> >> That's the null MX proposal. I resuscitated Mark Delany's draft in >> July, and I suppose I might nudge Murray to see if appsawg would >> accept it, but it's a separate issue. >> >> For DMARC, what advice can we offer beyond publishing SPF -al and DKIM >> p=reject? (Normally I'm not a big fan of p=reject, but this is a >> place where it's clearly appropriate.) >> > > I propose to add something along these lines in the DMARC FAQ. +1 Matt > I have parked domains that do not send emails, how can I protect them? > > First create a DMARC record on your main domain (example.com) for all your > parked domains: > _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua= > mailto:[email protected];"; > > If example.net is a parked domain you can then protect it this way: > _dmarc.example.net CNAME _dmarc.parked.example.com > example.net TXT "v=spf1 -all" > *.example.net TXT "v=spf1 -all" > > The CNAME allows you to control in one place all your parked domains. If you > want, for instance, to start receiving failure reports for all your parked > domains, you just need to update one DNS record. In the example above the > record becomes: > _dmarc.parked.example.com TXT "v=DMARC1; p=reject; > rua=mailto:[email protected]; ruf=mailto:[email protected];"; > > This will update all the domains using this CNAME. > > The wildcard on the TXT record for SPF will protect any subdomain or host > under this domain. > > To be able to receive reports for example.net at the mailboxes at > example.com you must create a report record: > example.net._report_dmarc.example.com TXT "v=DMARC1;" > > If you have many parked domains, you can use a wildcard, instead of creating > a record for each domain you are protecting: > *._report_dmarc.example.com TXT "v=DMARC1;" > > However, you can then receive reports for any domains, ensure you are > protected against false reporting and the potential load on your > infrastructure. > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
