Proper Way to Configure a Domain which never sends emails

Kevin Darcy kevin.darcy at fcagroup.com
Tue Aug 20 00:20:56 UTC 2019


[ Classification Level: PUBLIC ]

DNSBL is by IP, true, but there are other forms of "SMTP blacklist" that
are by domain. Getting one's domain on one or more of those lists would
help avoid the impact of someone trying to use the domain to spoof
malicious email. Sure, you could wait until *after* the damage is done, and
then the domain might end up on one or more blacklists, but I was just
musing, half humorously, on whether one could be proactive, by volunteering
to be on the list(s).

The OP specifically said he wanted to *receive* mail, so I don't understand
why people keep recommending a null MX.

I've concurred that a "-all" SPF will help.


           - Kevin

On Mon, Aug 19, 2019 at 8:07 PM Reindl Harald <h.reindl at thelounge.net>
wrote:

>
>
> On 19.08.19 at 23:31, Kevin Darcy wrote:
> > [ Classification Level: PUBLIC ]
> >
> > MXes are for *receiving* mail of course. The request is about *sending*
> > mail.
> >
> > Setting the SPF record to "-all" is probably about the best you can do,
> > since AFAIK there is no universally-recognized way to signal "domain X
> > never sends mail".
> >
> > Ironically, in order to prevent anyone from accepting mail purportedly
> > from your domain, you might want to make yourself look as much as
> > possible like SPAM or malware.
> >
> > Perhaps you could volunteer your domain to be added to one or more of
> > the public SMTP blacklists? :-)
>
> DNSBL lists IPs, not domains, and so you only blacklist machines - that's
> the worst idea one can have when nomailspf and null-mx are the way to go
>
> @  IN TXT  "v=spf1 -all"
> @  IN MX  0 .
>
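
An added example, not part of either message in this thread: a small Python audit that checks, per domain, the two signals discussed above, an SPF record consisting only of `-all` and a null MX (`0 .`), so a receive-only domain can be told apart from one that also refuses inbound mail. The zone data, the `.example` names and the function names are constructed for illustration.

```python
import re

# Constructed sample records (not from the thread); .example names are placeholders.
SAMPLE_ZONE = """
recv-only.example.  IN TXT "v=spf1 -all"
recv-only.example.  IN MX  10 mail.recv-only.example.
parked.example.     IN TXT "v=spf1 -all"
parked.example.     IN MX  0 .
sender.example.     IN TXT "v=spf1 mx ~all"
sender.example.     IN MX  10 mx.sender.example.
bare.example.       IN MX  10 mx.bare.example.
"""

# owner [ttl] IN TXT|MX rdata
RR = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+(TXT|MX)\s+(.*)$', re.I)

def parse(zone_text):
    """Collect SPF strings and (preference, exchange) MX pairs per owner name."""
    domains = {}
    for line in zone_text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        entry = domains.setdefault(owner, {"spf": [], "mx": []})
        if rtype == "TXT":
            # Join the quoted character-strings of one TXT record.
            txt = "".join(re.findall(r'"([^"]*)"', rdata)).lower()
            if txt.split()[:1] == ["v=spf1"]:
                entry["spf"].append(txt)
        else:
            pref, exchange = rdata.split()
            entry["mx"].append((int(pref), exchange))
    return domains

def audit(entry):
    """Return (spf_denies_all, null_mx) for one domain's records."""
    # Exactly one SPF record whose only term is "-all": no host is authorized.
    spf_denies_all = [r.split() for r in entry["spf"]] == [["v=spf1", "-all"]]
    # Null MX (RFC 7505): a single MX with preference 0 and exchange ".".
    null_mx = entry["mx"] == [(0, ".")]
    return spf_denies_all, null_mx

if __name__ == "__main__":
    for name, entry in parse(SAMPLE_ZONE).items():
        denies, null_mx = audit(entry)
        print(f"{name:20} sends-denied={denies} refuses-inbound={null_mx}")
```

For the receive-only case raised in the thread, the target result is `(True, False)`: SPF denies all senders while the MX still points at a real exchange.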


More information about the bind-users mailing list