How to stop email spoofing of parked domains

Publishing a DMARC record for unused domains is a good idea. Here's how.

incoming emails / DNS security / locked server / parked domain
Thinkstock / Imaginima / Getty Images

Deploying DMARC to prevent email spoofing is a no-brainer. No one wants spoofed email from that could easily lead to a successful phishing attack or business email compromise (BEC). But have you deployed DMARC (Domain-based Message Authentication, Reporting and Conformance) for domains you own that do not send or receive email?

Consider this: If you run, maybe you also own Not saying your complexion is poor, but it's a good typosquatting purchase, and a cheap insurance policy against phishing or impersonation. With DMARC deployed for, spoofed emails like are toast. What about a spoofed email from You see the problem.

Publishing a DMARC record that says, "Yo, world! This domain is never, ever used for email, and if you ever get email from this domain, it is by definition not genuine" is the best way to prevent this kind of attack.

How to turn off email for parked domains

It might seem counterintuitive: Why publish a DomainKeys Identified Mail (DKIM) record in your DNS if you're never going to cryptographically sign outgoing email? Why publish a Sender Policy Framework (SPF) record if there will never be genuine email coming from your domain? It's a hack, that's why. We've been trying to back-port security onto email for 40 years and still can't get it quite right.

To continue reading this article register now

Subscribe today! Get the best in cybersecurity, delivered to your inbox.