EDITED: Proper Way to Configure a Domain which never sends emails


Ignacio García
(Sorry, there was a typo in the original message)

Hi there.

Thanks for your support. First message to the list, sorry if already
posted a similar question, but I haven't found mention anywhere.

I have to set up dns records for a domain just for a web site, for which
we will NEVER send emails (though we might receive some from old
customers), so I would like to announce somehow that emails sent from
this domain should always be disregarded. I was thinking of setting just
A and AAAA records for @ and www, NS records, MX records (for receiving)
and SPF with a record just consisting of v=spf1 -all  , not declaring an
A and MX records at all. I'm not sure at all this is a proper way of
declaring this. In fact, what I would like is to EXPLICITLY mention
somehow that we will never send emails from that domain. Could anybody
help me with this?

Thanks so much in advance.

Ignacio

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: EDITED: Proper Way to Configure a Domain which never sends emails

Matus UHLAR - fantomas
On 19.08.19 15:01, Ignacio García wrote:
>I have to set up dns records for a domain just for a web site, for
>which we will NEVER send emails (though we might receive some from old
>customers), so I would like to announce somehow that emails sent from
>this domain should always be disregarded. I was thinking of setting
>just A and AAAA records for @ and www, NS records, MX records (for
>receiving) and SPF with a record just consisting of v=spf1 -all  ,

>not declaring an A and MX records at all.

above you said you will declare A/AAAA records...

> I'm not sure at all this is a
>proper way of declaring this. In fact, what I would like is to
>EXPLICITLY mention somehow that we will never send emails from that
>domain. Could anybody help me with this?

Note that when you point A and AAAA records for the domain name, people may
try to send mail to/from the domain name (the implicit MX points to those
addresses).

To avoid this, you can point the MX for the domain to ".", some MTAs
understand this as "this domain doesn't provide mail service".

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.

Re: EDITED: Proper Way to Configure a Domain which never sends emails

Fred Morris
In reply to this post by Ignacio García
Hi,

I would think declaring SPF as you say is the right course of action.

I would consider setting up DMARC as well. Whether it's your intention or
not, if you set up DMARC (a way for people to report mail claiming to be
from you) you've essentially created a honey pot; maybe somebody will be
happy to take those DMARC-instigated reports from you.

On Mon, 19 Aug 2019, Ignacio García wrote:
> I have to set up dns records for a domain just for a web site, for which we
> will NEVER send emails (though we might receive some from old customers), so
> I would like to announce somehow that emails sent from this domain should
> always be disregarded.

Outgoing mail should be disregarded.

> I was thinking of setting just A and AAAA records for
> @ and www, NS records, MX records (for receiving)

Incoming mail should be received.

> and SPF with a record just
> consisting of v=spf1 -all

>  , not declaring an A and MX records at all.

Contradicts earlier assertions.

--

Fred Morris


Re: EDITED: Proper Way to Configure a Domain which never sends emails

Dean Eckstrom

You might also want to set a DMARC Policy record with appropriate 'rua' and 'ruf' email reporting addresses.  


rua and ruf depend on remote mail centers being willing to send you this information (which is not always consistently done). Yet the reports might provide occasional feedback if you are actually being spoofed. It's additional information that normally you wouldn't be able to get (https://tools.ietf.org/html/rfc7489).
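
An added example, not part of the thread or of any poster's message: a small Python check that reads simple zone lines and reports the mail posture discussed in the replies above (SPF `v=spf1 -all`, a real MX versus the "." MX, the implicit MX from A/AAAA, and a DMARC record with `rua`/`ruf`). The zones, `example.com`, the addresses, the mailbox names and `p=reject` are constructed assumptions.

```python
import re

# Constructed sample zones for the placeholder domain example.com (not from the thread).
# RECEIVE_ONLY: real MX for inbound mail, SPF that authorizes no sender, DMARC reports.
RECEIVE_ONLY = '''
@      IN A    192.0.2.10
@      IN MX   10 mail.example.com.
@      IN TXT  "v=spf1 -all"
_dmarc IN TXT  "v=DMARC1; p=reject; rua=mailto:rua@example.com; ruf=mailto:ruf@example.com"
'''
# NO_MAIL: same, but a null MX (target ".", RFC 7505) says no mail is accepted either.
NO_MAIL = RECEIVE_ONLY.replace('10 mail.example.com.', '0 .')
# WEB_ONLY: address records alone; senders fall back to the implicit MX.
WEB_ONLY = '@ IN A 192.0.2.10\n@ IN AAAA 2001:db8::10\n'

RECORD = re.compile(r'^(\S+)\s+IN\s+(A|AAAA|MX|TXT)\s+(.+)$')

def audit(zone_text):
    """Summarize the mail posture declared by simple one-line zone records."""
    recs = [m.groups() for m in map(RECORD.match, map(str.strip, zone_text.splitlines())) if m]

    def rdata(owner, rtype):
        return [r.strip('"') for o, t, r in recs if (o, t) == (owner, rtype)]

    mx_targets = [r.split()[-1] for r in rdata('@', 'MX')]
    spf = [r for r in rdata('@', 'TXT') if r.lower().split()[:1] == ['v=spf1']]
    dmarc = [r for r in rdata('_dmarc', 'TXT') if r.startswith('v=DMARC1')]
    tags = {}
    if len(dmarc) == 1:
        for part in dmarc[0].split(';'):
            key, sep, value = part.partition('=')
            if sep:
                tags[key.strip()] = value.strip()
    has_address = bool(rdata('@', 'A') or rdata('@', 'AAAA'))
    return {
        # Exactly one SPF record whose only term is "-all": no host may send.
        'spf_denies_all': len(spf) == 1 and spf[0].split()[1:] == ['-all'],
        # A single MX with target "." is the "no mail service" declaration.
        'null_mx': mx_targets == ['.'],
        'explicit_mx': [t for t in mx_targets if t != '.'],
        # With no MX at all, A/AAAA at the apex act as an implicit MX.
        'implicit_mx': not mx_targets and has_address,
        'dmarc_policy': tags.get('p'),
        'dmarc_reports': sorted(k for k in ('rua', 'ruf') if k in tags),
    }

if __name__ == '__main__':
    for name, zone in (('receive-only', RECEIVE_ONLY), ('no-mail', NO_MAIL), ('web-only', WEB_ONLY)):
        print(name, audit(zone))
```

The parser only handles single-line records with an explicit `IN` class, which is enough for auditing a hand-written zone fragment like the ones above.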





Re: EDITED: Proper Way to Configure a Domain which never sends emails

Bind-Users forum mailing list
Hi,

We (Arnold Holzel and I) gave a talk about SPF (with macros), DKIM, DMARC and MTA-STS during Black Hat USA two weeks ago. The slides contain example DNS records you can use. Also a link to a Splunk app to get insight into whether your domains are abused.
 Link: https://i.blackhat.com/USA-19/Thursday/us-19-Hoelzel-How-To-Detect-That-Your-Domains-Are-Being-Abused-For-Phishing-By-Using-DNS.pdf

Sincerely yours,
Karl 

On 19 Aug 2019, at 18:56, Dean Eckstrom <[hidden email]> wrote:



You might also want to set a DMARC Policy record with appropriate 'rua' and 'ruf' email reporting addresses.  


rua and ruf depend on remote mail centers being willing to send you this information (which is not always consistently done). Yet the reports might provide occasional feedback if you are actually being spoofed. It's additional information that normally you wouldn't be able to get (https://tools.ietf.org/html/rfc7489).


