Implementing DMARC on parked domains is important to ensure that these domains do not become a vulnerability for your email security. While parked domains may not be actively used for sending emails or hosting websites, they can still be a target for phishing attacks or other malicious activity. By setting up DNS records for parked domains, you can indicate to ISPs that these domains are inactive and should be treated as such. This can help prevent any potential abuse of your parked domains and maintain the security of your email ecosystem.
SPF
Indicate that the domain does not send any mail by setting up an empty SPF record with a hard fail policy:
parkeddomainexample.com TXT "v=spf1 -all"
DKIM
A DKIM record is published on a subdomain formed by combining a ‘selector’ with the domain. The official way to revoke a previously active selector is to publish that selector with an empty ‘p’ value. The same record can be published on a ‘wildcard’ name to indicate that every selector is invalid (*):
*._domainkey.parkeddomainexample.com TXT "v=DKIM1; p="
DMARC
Even if the domain is inactive you still want to receive reports of any potential activity on that domain. Therefore we recommend publishing a DMARC policy on that domain. If an organization has a lot of parked domains we advise publishing one general ‘parked domain’ DMARC policy on a single domain and referring to that policy from each parked domain with a CNAME record. That way you can adjust the policy for all your parked domains by changing a single DNS record. In this situation you must correctly set up external domain verification on the domain that receives your DMARC reports, as described in the External Domain Verification article.
The following DNS record should be added to all your parked domains:
_dmarc.parkeddomainexample.com CNAME _dmarc.parked.example.net.
The records below should be added to the single domain that the parked domain CNAME record shown above refers to (example.net in this example). These records point to two dedicated mailboxes on your own domain. You can either configure these mailboxes to automatically forward the reports to DMARC Analyzer, or you can put your custom DMARC Analyzer RUA and RUF addresses in the record below. In that case the second record is not needed, as we have already taken care of this for the DMARC Analyzer addresses.
_dmarc.parked.example.net TXT "v=DMARC1; p=reject; rua=mailto:rua@example.net; ruf=mailto:ruf@example.net"
*._report._dmarc.example.net TXT "v=DMARC1"
When a report generator has an aggregate report to send for a parked domain (parkeddomainexample.com), it consults that domain’s DMARC record and extracts the rua address above. Since the domain in that address (example.net) is neither parkeddomainexample.com nor its organizational domain, the generator must first make an authorization check. It takes the domain the report is for (parkeddomainexample.com) and the domain that the rua field references (example.net) and constructs a new name like this: parkeddomainexample.com._report._dmarc.example.net. The wildcard record above answers that query for every parked domain.
MX
Some mail receivers check, when they receive a message, whether the sending domain can accept a reply. If a domain does not receive mail it is recommended to publish a ‘NULL’ MX record (*). Note that this is only recommended for a domain that does publish an A or AAAA record but is not set up to receive mail.
parkeddomainexample.com MX 0 .
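The following script is an added example and is not part of the original article or of DMARC Analyzer; it audits one parked domain against the SPF, DKIM, DMARC, external-report-authorization and NULL MX recommendations above. Instead of querying live DNS, it reads from ZONE, a constructed, in-memory stand-in for DNS answers using the article’s placeholder domains, so it runs offline. The CNAME-following and wildcard matching in lookup() are simplified for illustration; the report_authorization_name() function builds the _report._dmarc name described in the DMARC section.

```python
"""Offline audit of the parked-domain DNS records recommended above.

Added example, not code from the original article. ZONE is a constructed
stand-in for DNS answers; the domain names are the article's placeholders.
"""
import re

# Constructed records keyed by (owner name, record type); values are data strings.
ZONE = {
    ("parkeddomainexample.com", "TXT"): ['"v=spf1 -all"'],
    ("*._domainkey.parkeddomainexample.com", "TXT"): ['"v=DKIM1; p="'],
    ("_dmarc.parkeddomainexample.com", "CNAME"): ["_dmarc.parked.example.net."],
    ("_dmarc.parked.example.net", "TXT"): [
        '"v=DMARC1; p=reject; rua=mailto:rua@example.net; ruf=mailto:ruf@example.net"'
    ],
    ("*._report._dmarc.example.net", "TXT"): ['"v=DMARC1"'],
    ("parkeddomainexample.com", "MX"): ["0 ."],
}


def lookup(zone, name, rtype, depth=0):
    """Resolve name/rtype: exact owner, then CNAME target, then wildcard owners."""
    name = name.rstrip(".")
    if (name, rtype) in zone:
        return zone[(name, rtype)]
    if rtype != "CNAME" and (name, "CNAME") in zone and depth < 8:
        return lookup(zone, zone[(name, "CNAME")][0], rtype, depth + 1)
    labels = name.split(".")
    for i in range(1, len(labels)):  # try *.b.c before *.c: closest wildcard wins
        wild = "*." + ".".join(labels[i:])
        if (wild, rtype) in zone:
            return zone[(wild, rtype)]
    return []


def tags(txt):
    """Parse a 'k=v; k=v' TXT record into a dict (DKIM/DMARC syntax, not SPF)."""
    out = {}
    for part in txt.strip('"').split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def spf_is_empty_hardfail(zone, domain):
    """Recommendation: exactly one SPF record reading 'v=spf1 -all'."""
    spf = [t.strip('"') for t in lookup(zone, domain, "TXT") if t.strip('"').startswith("v=spf1")]
    return len(spf) == 1 and spf[0].split() == ["v=spf1", "-all"]


def dkim_selector_revoked(zone, domain, selector):
    """Any selector should resolve (via the wildcard) to v=DKIM1 with an empty p."""
    recs = lookup(zone, f"{selector}._domainkey.{domain}", "TXT")
    return any(tags(r).get("v") == "DKIM1" and tags(r).get("p", "x") == "" for r in recs)


def dmarc_policy(zone, domain):
    """Return the parsed DMARC record reached through any CNAME, or None."""
    for r in lookup(zone, f"_dmarc.{domain}", "TXT"):
        t = tags(r)
        if t.get("v") == "DMARC1":
            return t
    return None


def report_authorization_name(report_domain, rua_domain):
    """Name a report generator queries before sending reports to another domain."""
    return f"{report_domain}._report._dmarc.{rua_domain}"


def external_reports_authorized(zone, domain, policy):
    """Every rua/ruf mailto: on another domain needs a matching _report._dmarc TXT."""
    for key in ("rua", "ruf"):
        for uri in policy.get(key, "").split(","):
            m = re.match(r"mailto:[^@]+@([^!]+)", uri.strip())  # strip any '!size' suffix
            if not m:
                continue
            rua_domain = m.group(1).lower()
            if rua_domain == domain.lower():
                continue  # same domain: no authorization record required
            auth = lookup(zone, report_authorization_name(domain, rua_domain), "TXT")
            if not any(tags(r).get("v") == "DMARC1" for r in auth):
                return False
    return True


def has_null_mx(zone, domain):
    """A single 'MX 0 .' record (RFC 7505) states the domain accepts no mail."""
    return lookup(zone, domain, "MX") == ["0 ."]


def audit(zone, domain):
    """Run every check for one parked domain; returns check name -> pass/fail."""
    policy = dmarc_policy(zone, domain) or {}
    return {
        "spf_empty_hardfail": spf_is_empty_hardfail(zone, domain),
        "dkim_wildcard_revoked": dkim_selector_revoked(zone, domain, "anyselector"),
        "dmarc_reject": policy.get("p") == "reject",
        "external_reports_authorized": bool(policy) and external_reports_authorized(zone, domain, policy),
        "null_mx": has_null_mx(zone, domain),
    }


if __name__ == "__main__":
    for check, ok in audit(ZONE, "parkeddomainexample.com").items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

To audit real domains, replace ZONE with the answers from a resolver and keep the checks as they are; the external-report check is the one most often missed, since a parked domain whose rua points at another domain produces no reports at all until the `_report._dmarc` record exists.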
In summary, setting up DNS records for parked domains is an important aspect of a comprehensive DMARC implementation project. By indicating to ISPs that these domains are inactive and should be treated as such, organizations can avoid vulnerabilities on their parked domains even if they have protected their main domain with a 100% p=reject policy. The recommended DNS records for parked domains include an empty SPF record with a hard fail policy, a DKIM record with an empty 'p' value on a wildcard subdomain, a DMARC policy on the parked domain or a single domain for all parked domains, and a NULL MX record if the domain does not receive mail. These records help to protect the domain and ensure that any potential activity on parked domains is still received by the organization.