How should I setup parked/inactive domains?

Most companies have a set of active domains which they use to send mail from. However most of the time there are also parked (or inactive) domains. These are domains which have been registered by a customer, but which are not used to send email or host a website. This can be ‘typo domains’ or domains which have been registered for future use.

As these domains are not active it is easy to protect these domains. However it is important to do so and not skip these domains in your DMARC implementation project.

This could otherwise lead to the situation where you’ve protected your main domain with a 100% p=reject policy and you may still be vulnerable on your parked domains.

We advise to setup a set of DNS records for these parked domains to indicate to ISPs that the domain is in fact inactive and should be treated this way by the ISPs.

Indicate that the domain does not send any mail by setting up an empty SPF record with a hard fail policy: TXT "v=spf1 -all"

A DKIM record is published on a subdomain by combining a ‘selector’ with the domain. The official policy to revoke previously active selectors is to publish that selector with an empty ‘p’ value. This same setup can be published on a ‘wildcard’ domain to indicate any selector is invalid (*):

* TXT "v=DKIM1; p="

If the domain is inactive you’d still want to receive any potential activity on that domain. Therefor we recommend to publish a DMARC policy on that domain. If an organization has a lot of parked domains we advise to publish a general ‘parked domain’ DMARC policy on a single domain and to refer to that policy by using a CNAME setup. In this situation you can easily adjust the policy for all your parked domains by adjusting a single DNS. In this situation it is required to correctly setup external domain verification on your DMARC report receiving domain as described in our knowledgebase.

The following DNS record should be added on all your parked domains: CNAME

The records below should be added on a single domain which is refered to in the parked domain CNAME record as seen above ( These records point to two dedicated mailboxes on your local domain. You can either configure these mailboxes to automatically forward the reports to DMARC Analyzer, or you can add you custom DMARC Analyzer ‘rua’ and ‘ruf’ address in the record below. In this situation the second record is not needed as we have covered this. TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]"
* TXT "v=DMARC1"

Some mail receivers verify that a mail can be answered to when they receive a mail. If a domain does not receive mail it is recommended to publish a ‘NULL’ MX record (*). However this approach is only recommended if a domain *does* publish an A or AAAA record, but is not setup to receive mail. MX 0.

(*) If you use subdomains there are some exceptions. We refer to the Best Common Practices document as published by the M3AAWG on this URL.