Email: How to secure a Domain that doesn't send email

Here is a guide on how to add an SPF record that will help prevent a domain being spoofed by hard failing all emails sent from a domain

If you are running a website and don't send emails from the domain it is advisable to lock this down. This is done through add or editing DNS records.

Warning: This will prevent emails landing in peoples inboxes and increase the likelihood of emails being completely rejected or spammed. Do not follow this guide if you plan to use a domain for email. You can revert these changes at a later date and use the domain for email if required by removing or updating these records

There are two TXT records that should exist to tell email providers that a domain is not being used for sending email, these two records are: SPF and DMARC.

To keep this simple here are the records to add if the domain will never be sending emails, these steps will signal to email providers that this domains' emails should either be blocked or at least put into spam. Emails are easily forged so this can help protect a domains email reputation should you want to use it for emails at a later date.

The first record is called an SPF record. Just to confuse things in DNS there is specifically an SPF record type, this should be ignored the record type is a TXT record. Also, there should only be one SPF record, so if one already exists then edit it to be the following (or create it if it doesn't exist). Here is the record:

v=spf1 -all

The hostname section in DNS should be the primary domain being protected (some DNS editors use the '@' symbol to denote the primary domain).

To explain what this is doing, the 'v=spf1' part is the version of SPF to be used and the '-all' is saying hard fail all emails that don't pass SPF as nothing is included in the SPF all emails will hard fail. In Cloudflare it would look like this:

Here is a guide on how to add a hard fail SPF record into DNS when using cPanel's Zone Editor:

This SPF by itself will tell email providers not to accept any emails from this domain. To fully lock down the emails it is advisable to add a DMARC record.

DMARC is a set of policies for what to do if it detects anomalies in emails, it can be used to send email reports of spoofed emails to a specific address. Apologies for the all caps:


In this example you add the exact record below this won't send any reports, but does tell email providers to check the SPF and if it fails to block any emails sent from a domain. Here is the DMARC record to add as a TXT record:

Here is the record part:


The record Name / Host should be the domain with '_dmarc.' on the start, in the example below you would replace with your own domain:

Here is what it would look like on Cloudflare:

Here is a guide on how to add DMARC with a reject policy into DNS when using cPanel:

Add a DMARC Record with Policy set to Reject into DNS - Blogging Help
This guide shows how to add a default DMARC record into DNS with the policy set to Reject using cPanel’s Zone Editor

This works because the SPF is set to hard fail and the DMARC record then advises to reject any emails that fails SPF. This will also protect any attempts to use subdomains belongs to a domain.

Now these records have been added it will help secure a domain from having its emails spoofed. If you found this content useful please subscribe for more tip and tricks by Blog magician.

Subscribe to Blog Magician

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]