Proper Way to Configure a Domain which never sends emails

Proper Way to Configure a Domain which never sends emails

Ignacio García
Hi there.

Thanks for your support. First message to the list, sorry if a similar
question has already been posted, but I haven't found mention of it anywhere.

I have to set up DNS records for a domain just for a web site, from which
we will NEVER send emails (though we might receive some from old
customers), so I would like to announce somehow that emails sent from
this domain should always be disregarded. I was thinking of setting just
A and AAAA records for @ and www, NS records, MX records (for receiving)
and SPF with a record consisting of just "v=spf1 -all", not declaring
A and MX records at all. I'm not sure at all that this is a proper way of
declaring this. In fact, what I would like is to EXPLICITLY mention
somehow that we will never send emails from that domain. Could anybody
help me with this?

Thanks so much in advance.

Ignacio
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Proper Way to Configure a Domain which never sends emails

Barry Margolin
A common practice is to point the MX record to ".".

--
Barry Margolin
Arlington, MA


Re: Proper Way to Configure a Domain which never sends emails

Kevin Darcy
[ Classification Level: PUBLIC ]

MXes are for *receiving* mail of course. The request is about *sending* mail.

Setting the SPF record to "-all" is probably about the best you can do, since AFAIK there is no universally-recognized way to signal "domain X never sends mail".

Ironically, in order to prevent anyone from accepting mail purportedly from your domain, you might want to make yourself look as much as possible like SPAM or malware.

Perhaps you could volunteer your domain to be added to one or more of the public SMTP blacklists? :-)

- Kevin

On Mon, Aug 19, 2019 at 10:34 AM Barry Margolin <[hidden email]> wrote:

A common practice is to point the MX record to ".".

--
Barry Margolin
Arlington, MA

Re: Proper Way to Configure a Domain which never sends emails

Kevin Darcy
[ Classification Level: PUBLIC ]

DNSBL is by IP, true, but there are other forms of "SMTP blacklist" that are by domain. Getting one's domain on one or more of those lists would help avoid the impact of someone trying to use the domain to spoof malicious email. Sure, you could wait until *after* the damage is done, and then the domain might end up on one or more blacklists, but I was just musing, half humorously, on whether one could be proactive, by volunteering to be on the list(s).

The OP specifically said he wanted to *receive* mail, so I don't understand why people keep recommending a null MX.

I've concurred that a "-all" SPF will help.

- Kevin

On Mon, Aug 19, 2019 at 8:07 PM Reindl Harald <[hidden email]> wrote:

On 19.08.19 at 23:31 Kevin Darcy wrote:
> Perhaps you could volunteer your domain to be added to one or more of
> the public SMTP blacklists? :-)

DNSBL lists IPs, not domains, and so you would only blacklist machines - that's
the worst idea one can have when a no-mail SPF and null MX are the way to go

@  IN TXT  "v=spf1 -all"
@  IN MX 0  .    ; null MX (RFC 7505)


Re: Proper Way to Configure a Domain which never sends emails

Ignacio García
On 20/08/2019 at 2:20, Kevin Darcy wrote:
> DNSBL is by IP, true, but there are other forms of "SMTP blacklist"
> that are by domain. Getting one's domain on one or more of those lists
> would help avoid the impact of someone trying to use the domain to
> spoof malicious email. Sure, you could wait until *after* the damage
> is done, and then the domain might end up on one or more blacklists,
> but I was just musing, half humorously, on whether one could be
> proactive, by volunteering to be on the list(s).

Yes, that would be an original way to solve it :)

> The OP specifically said he wanted to *receive* mail, so I don't
> understand why people keep recommending a null MX.

Yes. Null MX wouldn't help for this specific case.

> I've concurred that a "-all" SPF will help.

Well, thank you all so much for your kind support.

Ignacio

Re: Proper Way to Configure a Domain which never sends emails

Bind-Users forum mailing list
In reply to this post by Kevin Darcy
A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful.

--
Marco

On 19/08/2019 23:31, Kevin Darcy wrote:

> [ Classification Level: PUBLIC ]
>
> MXes are for *receiving* mail of course. The request is about *sending*
> mail.
>
> Setting the SPF record to "-all" is probably about the best you can do,
> since AFAIK there is no universally-recognized way to signal "domain X
> never sends mail".
>
> Ironically, in order to prevent anyone from accepting mail purportedly
> from your domain, you might want to make yourself look as much as
> possible like SPAM or malware.
>
> Perhaps you could volunteer your domain to be added to one or more of
> the public SMTP blacklists? :-)


Re: Proper Way to Configure a Domain which never sends emails

Ignacio García
On 20/08/2019 at 9:28, Marco Davids via bind-users wrote:
> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful.
>
> --
> Marco
>

Wouldn't that imply having DKIM set up for the domain?

--

Ignacio

Re: Proper Way to Configure a Domain which never sends emails

Scott Morizot
On Tue, Aug 20, 2019 at 5:46 AM Ignacio García <[hidden email]> wrote:
On 20/08/2019 at 9:28, Marco Davids via bind-users wrote:
> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful.
>

Wouldn't that imply having DKIM set up for the domain?

Short answer is no since nothing in DMARC requires DKIM. It requires that an email has passed *either* an SPF or a DKIM check and if a DKIM signature is present that it correctly validates. If the SPF policy is set to reject all and the DMARC policy is set to reject if the checks fail, that's a pretty good way to explicitly state this domain does no email whatsoever for anyone who cares. (Speaking as someone who manages the DNS and DKIM signing at work for a domain that malicious actors do love so much that I've even seen it used as an example in some of the DMARC docs. /g ) 


Re: Proper Way to Configure a Domain which never sends emails

Barry Margolin
In reply to this post by Kevin Darcy
In article <[hidden email]>,
 Kevin Darcy <[hidden email]> wrote:

> [ Classification Level: PUBLIC ]

Huh? Why does something sent to a public mailing list need an explicit
"classification level"?

>
> MXes are for *receiving* mail of course. The request is about *sending*
> mail.

True, but there's a common assumption that mail is sent from a domain
that can receive mail. Even email that says "Don't reply to this"
usually comes from an account at a domain that can receive mail; they
just ignore that mailbox.


--
Barry Margolin
Arlington, MA

Re: Proper Way to Configure a Domain which never sends emails

John Levine
In reply to this post by Ignacio García
In article <[hidden email]> you write:
>On 20/08/2019 at 9:28, Marco Davids via bind-users wrote:
>> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful.

>Wouldn't that imply having DKIM set up for the domain?

No, of course not.

It says that if mail isn't authenticated, reject it.  An excellent way
to be sure you never get DKIM authentication is not to set up DKIM in
the first place.


Re: Proper Way to Configure a Domain which never sends emails

Bind-Users forum mailing list
The reject will only work when DKIM AND SPF are failing.
So you have to set up SPF too. -all does the magic.

cheers,
Karl


On 20/08/2019 20:12, John Levine wrote:

> In article <[hidden email]>
> you write:
>> On 20/08/2019 at 9:28, Marco Davids via bind-users wrote:
>>> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be
>>> useful.
>
>> Wouldn't that imply having DKIM set up for the domain?
>
> No, of course not.
>
> It says that if mail isn't authenticated, reject it.  An excellent
> way to be sure you never get DKIM authentication is not to set up
> DKIM in the first place.
>

Re: Proper Way to Configure a Domain which never sends emails

John Levine
> The reject will only work when DKIM AND SPF are failing.
> So you have to setup SPF too. -all does the magic.

Actually, no.  DMARC only passes when DKIM or SPF passes.  In the absence
of any SPF, that's not a pass so DMARC will fail.

It's a good idea to publish the SPF -all but in this case DMARC doesn't
depend on it.

> On 20/08/2019 20:12, John Levine wrote:
>> In article <[hidden email]>
>> you write:
>>> On 20/08/2019 at 9:28, Marco Davids via bind-users wrote:
>>>> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be
>>>> useful.
>>
>>> Wouldn't that imply having DKIM set up for the domain?
>>
>> No, of course not.
>>
>> It says that if mail isn't authenticated, reject it.  An excellent
>> way to be sure you never get DKIM authentication is not to set up
>> DKIM in the first place.
>>
Regards,
John Levine, [hidden email], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
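An added example, not from the thread and not any poster's code, that evaluates the records recommended in it (MX kept for receiving, SPF "-all", DMARC p=reject, no DKIM) the way a receiving MTA would, and checks John's point that a domain with DMARC but no SPF record still fails DMARC. The zone data and the domains example.org and dmarc-only.example are constructed placeholders.

```python
import ipaddress

# Constructed zone data (placeholder domains, not from the thread):
# example.org keeps an MX for receiving, publishes SPF "-all" and DMARC
# p=reject, and has no DKIM selector. dmarc-only.example has no SPF at all.
ZONE = {
    ("example.org", "MX"): ["10 mail.example.org."],
    ("example.org", "TXT"): ["v=spf1 -all"],
    ("_dmarc.example.org", "TXT"): ["v=DMARC1; p=reject"],
    ("_dmarc.dmarc-only.example", "TXT"): ["v=DMARC1; p=reject"],
}

def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name, rtype), [])

def spf_check(domain, sender_ip):
    """Minimal SPF evaluator: ip4/ip6/all mechanisms only, which is all a
    no-mail record needs. Returns none, pass, fail, softfail or neutral."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"  # no SPF record published at all
    ip = ipaddress.ip_address(sender_ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in verdict else ("+", term)
        if mech == "all":
            return verdict[qual]  # "-all" is why every sender fails here
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip in net:
                return verdict[qual]
    return "neutral"  # nothing matched and no "all" term

def dmarc_policy(domain):
    """Returns the p= tag of the domain's DMARC record, or None if absent."""
    for r in lookup("_dmarc." + domain, "TXT"):
        if r.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
            return tags.get("p")
    return None

def dmarc_disposition(domain, sender_ip, dkim_pass_aligned=False):
    """DMARC passes when an aligned SPF *or* an aligned DKIM check passes;
    otherwise the published policy applies. Without DKIM only SPF can pass."""
    policy = dmarc_policy(domain)
    if policy is None:
        return "none"  # no DMARC record: receiver applies its own rules
    spf_pass_aligned = spf_check(domain, sender_ip) == "pass"
    return "pass" if spf_pass_aligned or dkim_pass_aligned else policy

def no_mail_posture(domain):
    """Checks the thread's recipe: MX kept, SPF exactly "-all", DMARC reject."""
    mx = lookup(domain, "MX")
    spf = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    return {
        "receives_mail": bool(mx) and mx != ["0 ."],  # "0 ." is a null MX
        "spf_rejects_all": spf == ["v=spf1 -all"],
        "dmarc_rejects": dmarc_policy(domain) == "reject",
    }
```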

Re: Proper Way to Configure a Domain which never sends emails

Ignacio García
In reply to this post by Scott Morizot
Thank you all for your help. I've set it up as you all suggested (spf and dmarc entries in dns). This weekend I'm going to do some tests. Again, thanks!!!!

On 20/08/2019 at 15:42, Scott Morizot wrote:

Short answer is no since nothing in DMARC requires DKIM. It requires that an email has passed *either* an SPF or a DKIM check and if a DKIM signature is present that it correctly validates. If the SPF policy is set to reject all and the DMARC policy is set to reject if the checks fail, that's a pretty good way to explicitly state this domain does no email whatsoever for anyone who cares. (Speaking as someone who manages the DNS and DKIM signing at work for a domain that malicious actors do love so much that I've even seen it used as an example in some of the DMARC docs. /g ) 

