Do not forget SPF and DMARC policies on parked domains
I’ve previously written on DMARC policies to prevent email spoofing.
Besides your primary domain, it is also crucial to properly configure any parked domains you might have. Companies will most often register similar domains across multiple TLDs to ensure that malicious actors cannot set up misleading websites or mess with their online presence.
However, simply owning the domain is not good enough!
If you do not publish SPF and DMARC records in DNS, anyone can send spoofed emails that appear to come from your parked domain: domain registrars do not generally create such records for you, and a domain without them has no policy at all for receiving mail servers to enforce. Such spoofed emails can look very convincing, especially when the parked domain resembles your primary domain or brand.
The good news is that you only need two TXT records per parked domain:

- One TXT record at the domain apex (the bare domain name) with the value "v=spf1 -all" (mind the double quotes). This publishes an SPF policy that authorises no sender at all, so every message claiming to come from the domain hard-fails SPF. Make sure it is the only SPF record on that name: RFC 7208 requires receivers to treat more than one SPF record as a permanent error, in which case neither applies.
- One TXT record at _dmarc.<domain> with the value v=DMARC1; p=reject; rua=YOUR_REPORTING_URL; pct=100; where rua is a mailto: URI (for example mailto:dmarc-reports@example.com, example.com being a placeholder) that receivers send aggregate reports to. With p=reject and no DKIM keys published, nothing can pass DMARC alignment, and receivers that enforce DMARC will discard the spoofed mail. pct=100 is the default and can be omitted; since sp= is not set, the reject policy also covers subdomains.
In my case, I manage all my DNS zones with Cloudflare, so I wrote the following bash script, which uses flarectl and assumes there are no existing TXT records on those names:

```bash
set -euo pipefail
# Scoped Cloudflare API token (not the global API key) with Zone.DNS:Edit on these zones.
export CF_API_TOKEN=YOUR_API_KEY
for zone in parked-domain1.com parked-domain2.com parked-domain3.com; do
  # SPF at the apex: authorise no senders, hard-fail everything.
  flarectl dns create --zone="$zone" --name="$zone" --type="TXT" --content="\"v=spf1 -all\""
  # DMARC at _dmarc.<zone>: reject everything that fails, send aggregate reports to rua.
  flarectl dns create --zone="$zone" --name="_dmarc.$zone" --type="TXT" --content="v=DMARC1; p=reject; rua=YOUR_REPORTING_URL; pct=100;"
done
```
If you are not collecting DMARC reports, you can safely remove the rua directive, although the aggregate reports are the cheapest way to learn whether anyone is actually trying to send mail as your parked domains.
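Once the records are published, it is worth checking that they say what you think they say. The following script is an added example, not code from the original post or from flarectl: it runs offline on TXT values you paste in (for instance the output of dig +short TXT example.com and dig +short TXT _dmarc.example.com, with example.com as a placeholder) and reports the ways a parked domain's SPF or DMARC record can be weaker than intended: a softfail ~all instead of -all, leftover mechanisms that still authorise senders, more than one SPF or DMARC record (which receivers treat as no record at all), p=none or a weaker subdomain policy, a pct below 100, and a rua that is not a mailto: URI. The sample records at the bottom are constructed.

```python
"""Sanity-check the SPF and DMARC TXT records of a parked domain.

Added example (not code from the original post). It works offline on TXT
values you paste in, e.g. the output of `dig +short TXT example.com` and
`dig +short TXT _dmarc.example.com`; the sample records at the bottom are
constructed, and example.com is a placeholder.
"""
from __future__ import annotations

import re

# A mechanism term of the form all, -all, ~all, +all or ?all.
ALL_TERM = re.compile(r"[+\-~?]?all", re.IGNORECASE)


def strip_txt_quotes(value: str) -> str:
    """dig prints TXT data quoted and possibly split into 255-byte chunks
    ("v=DMARC1; p=rej" "ect; ..."); join the chunks and drop the quotes."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', value)
    return "".join(chunks) if chunks else value.strip()


def check_spf(apex_txt: list[str]) -> list[str]:
    """Problems with the TXT records at the domain apex; empty list means OK."""
    spf = [r for r in map(strip_txt_quotes, apex_txt) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record at the apex: receivers evaluate SPF as 'none'"]
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one record is a permerror, so none applies.
        return ["multiple SPF records: receivers return permerror and apply neither"]
    terms = spf[0].split()[1:]  # drop the 'v=spf1' tag
    problems = []
    mechanisms = [t for t in terms if not ALL_TERM.fullmatch(t)]
    if mechanisms:
        problems.append(f"SPF authorises senders ({' '.join(mechanisms)}); a parked domain should authorise none")
    tail = terms[-1].lower() if terms else ""
    if tail != "-all":
        problems.append(f"SPF ends in '{tail or '<nothing>'}' rather than '-all': spoofed mail is not hard-failed")
    return problems


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def check_dmarc(dmarc_txt: list[str]) -> list[str]:
    """Problems with the TXT records at _dmarc.<domain>; empty list means OK."""
    dmarc = [r for r in map(strip_txt_quotes, dmarc_txt) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record at _dmarc.<domain>: receivers apply no policy"]
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: multiple records terminate policy discovery.
        return ["multiple DMARC records: receivers discard them all and apply no policy"]
    tags = parse_dmarc(dmarc[0])
    problems = []
    policy = tags.get("p", "<missing>").lower()
    if policy != "reject":
        problems.append(f"p={policy}: only p=reject makes receivers discard spoofed mail")
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit p= unless sp= is set
    if sub_policy != "reject":
        problems.append(f"sp={sub_policy}: mail from subdomains is not rejected")
    pct = tags.get("pct", "100")  # the default is 100
    if pct != "100":
        problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                problems.append(f"{tag}={uri}: report addresses must be mailto: URIs")
    return problems


def check_parked_domain(apex_txt: list[str], dmarc_txt: list[str]) -> list[str]:
    """All problems for one domain, SPF first, then DMARC."""
    return check_spf(apex_txt) + check_dmarc(dmarc_txt)


# Constructed sample TXT data, in the form `dig +short TXT` prints it.
GOOD_APEX = ['"v=spf1 -all"']
GOOD_DMARC = ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100;"']
WEAK_APEX = ['"v=spf1 ~all"', '"google-site-verification=abc123"']  # second record is ignored
WEAK_DMARC = ['"v=DMARC1; p=none; sp=quarantine; pct=50; rua=https://example.com/reports"']

if __name__ == "__main__":
    for name, apex, dmarc in (("good", GOOD_APEX, GOOD_DMARC), ("weak", WEAK_APEX, WEAK_DMARC)):
        problems = check_parked_domain(apex, dmarc)
        status = "OK" if not problems else f"{len(problems)} problem(s)"
        print(f"{name}: {status}")
        for p in problems:
            print("  -", p)
```

The script only judges the record contents; it does not perform the DNS lookups itself, so run it against what public resolvers actually return rather than against what you typed into the registrar's console, since a typo in the record name (for example dmarc instead of _dmarc) is invisible to the script but fatal to the policy.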