Marc,

Strictly speaking, you don't need the SPF record; however, I strongly recommend you publish a "permit none" SPF record as many corporate gateways that don't support DMARC (or don't have validation enabled) will still block fraudulent messages based on an SPF record.

v=spf1 -all

Best Regards,
John

On Fri, Aug 25, 2017 at 12:20 PM, Marko Nix via dmarc-discuss <[email protected]> wrote:

> Hi Marc,
>
> your idea is right in my opinion.
>
> You do need a valid SPF (but may be a „-all“ that's your choice, because
> you don’t send for that domain mails) record. But no DKIM, because you
> don’t send emails.
>
> But enough of talking, I think an example helps more:
>
> Domain 1 (master)
> _dmarc    IN TXT    ("v=DMARC1; p=quarantine; sp=reject; fo=1; aspf=r; adkim=s;"
>                      "rua=mailto:dmarc@tech-nicks.de; ruf=mailto:[email protected];")
>
> Domain 2 (no real use)
> @         IN TXT    "v=spf1 -all"
> _dmarc    IN TXT    ("v=DMARC1; p=reject; sp=reject; fo=1; aspf=s; adkim=s;"
>                      "rua=mailto:[email protected]; ruf=mailto:[email protected];")
>
> But you have to allow other domains receiving reports. For me it is
> another domain I own.
>
> Domain 3 (where the reports go)
> (its own dmarc record - left out because does not matter here)
> tierheilpraxis-nix.de._report._dmarc    IN TXT    "v=DMARC1"
> thp-nix.de._report._dmarc               IN TXT    "v=DMARC1"
>
> So it's that what you have written I think. Do not waste time on DKIM - you
> don’t send, you don’t need it.
>
> Hope it helps.
>
> Kind regards,
> Marko
>
> On 25.08.2017 at 19:22, Marc Luescher via dmarc-discuss <[email protected]> wrote:
>
> > Hi there,
> >
> > we are setting up a lot of vanity domains to make sure they can not be
> > used for abuse.
> >
> > main domain fresenius.com
> > vanity 1 fressenius.com etc
> >
> > My idea was just to create a DMARC record like:
> >
> > v=DMARC1; p=reject; rua=mailto:[email protected],mailto:92ef88808ad6806@rep.dmarcanalyzer.com,mailto:[email protected];ruf=mailto:[email protected],mailto:[email protected]; sp=reject; fo=1;
> >
> > for all newly registered vanity domains and to authorize it in the master
> > domain. Would this be best practice or do we need for every vanity domain
> > also a valid SPF and/or DKIM record to be fully compliant? I did not find
> > any guideline how to do this.
> >
> > Thank you
> >
> > Marc
> > _______________________________________________
> > dmarc-discuss mailing list
> > [email protected]
> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> >
> > NOTE: Participating in this list means you agree to the DMARC Note Well
> > terms (http://www.dmarc.org/note_well.html)
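
Added example (not part of the original thread and not any poster's own tooling): a Python check of the non-sending-domain setup discussed above, i.e. SPF "v=spf1 -all", DMARC p=reject, and a <policy-domain>._report._dmarc.<report-domain> authorization record for every external rua/ruf destination. The zone data and all example.* names are constructed, and "external" is decided by a simple suffix match rather than an organizational-domain lookup.

```python
# Added example: audit parked domains against a constructed, in-memory TXT snapshot.
ZONE = {  # owner name -> list of TXT strings (all names are made up)
    "parked.example": ["v=spf1 -all"],
    "_dmarc.parked.example": [
        "v=DMARC1; p=reject; sp=reject; fo=1; aspf=s; adkim=s; "
        "rua=mailto:dmarc@reports.example; ruf=mailto:dmarc@reports.example;"
    ],
    "parked.example._report._dmarc.reports.example": ["v=DMARC1"],
    "typo.example": ["v=spf1 -all"],  # report authorization record is missing
    "_dmarc.typo.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reports.example"],
}

def parse_tags(record):
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def report_hosts(tags):
    """Host part of every mailto: URI in rua/ruf (size suffix '!10m' dropped)."""
    hosts = set()
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if uri.lower().startswith("mailto:") and "@" in uri:
                hosts.add(uri.rsplit("@", 1)[1].split("!")[0].lower())
    return hosts

def audit(domain, zone=ZONE):
    """Return a list of findings; an empty list means the domain is locked down."""
    findings = []
    spf = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if [" ".join(t.split()).lower() for t in spf] != ["v=spf1 -all"]:
        findings.append("SPF is not exactly one 'v=spf1 -all' record")
    dmarc = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return findings + ["expected exactly one DMARC record"]
    tags = parse_tags(dmarc[0])
    if tags.get("p", "").lower() != "reject":
        findings.append("DMARC p= is not reject")
    for host in sorted(report_hosts(tags)):
        # Assumption: suffix match stands in for a Public Suffix List lookup.
        external = host != domain and not host.endswith("." + domain)
        auth = zone.get(f"{domain}._report._dmarc.{host}", [])
        if external and not any(parse_tags(t).get("v") == "DMARC1" for t in auth):
            findings.append(f"{host} has not authorized reports for {domain}")
    return findings
```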
