How to configure a domain that only receives email?

We have a couple domains that are not used much. One is simply parked, the other receives email but never sends any.

For the parked, unused domain I have configured DKIM and am using an SPF of “v=spf1 -all”.

For the domain that only receives email I have also configured DKIM and am using an SPF of “v=spf1 a include:_spf.google.com ~all”. Can I safely set for it a DMARC policy of Reject 100%?

Why aren’t you using the same Sends No Email SPF on your receive-only domain?

Why publish DKIM for a domain that sends no mail? You can publish a better DKIM policy record that indicates no valid DKIM.

If you send no email using that domain, why wouldn’t you? The answer is still yes, even when you send email, you just have to be more certain that you are authenticating all of your outbound email.

Email the non-sending domain receives gets forwarded (within the Google Workspace) to our active domain (it’s actually just one user). Still fine to use the “Sends No Email SPF”?

That include mechanism cannot produce the aligned SPF required for DMARC, so in the context of a DMARC policy it is completely useless.

Hey LinkP! Thanks so much for responding! I really appreciate you taking the time to try and help me.

So, umm… what were you trying to tell me here? I’m genuinely ignorant of how to do this right, so if you could spell it out like I’m an idiot that would be terrific.

I use the settings in the Gov UK guide that I shared for all domains that do not send email. For domains that also don’t receive email I also add a null MX, which is covered in that guide.

Unless it affects delivery to your server, I wouldn’t bother with the Google include.

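An added example, not part of the thread and not taken from the guide it mentions: a small Python audit that checks a record set against the "sends no email" settings discussed above (SPF `v=spf1 -all`, DMARC reject, a DKIM record indicating no valid key, and a null MX for a domain that also receives nothing). The domain `example.org`, the host `mx.example.net` and both record sets are constructed; the wildcard `*._domainkey` record with an empty `p=` is assumed here as the way to publish "no valid DKIM".

```python
# Added example: audit DNS for a domain that must never send mail.
# example.org, mx.example.net and all record sets are constructed sample data.

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record (DKIM/DMARC syntax) into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_no_send(domain, txt, mx, receives_mail):
    """txt: {owner name: [TXT strings]}; mx: [(preference, exchange)].
    Returns a list of findings; an empty list means locked down."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1 or spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append("SPF: publish exactly one record, 'v=spf1 -all'")
    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("DMARC: expected exactly one record at _dmarc")
    else:
        d = dmarc[0]
        if d.get("p", "").lower() != "reject":
            findings.append("DMARC: p= is not reject")
        if d.get("sp", "reject").lower() != "reject":
            findings.append("DMARC: sp= weakens the policy for subdomains")
        if d.get("pct", "100") != "100":
            findings.append("DMARC: pct= below 100")
    # Assumed convention: wildcard selector with empty p= means "no valid key".
    dkim = [parse_tags(r) for r in txt.get("*._domainkey." + domain, [])]
    if not any(t.get("v") == "DKIM1" and t.get("p") == "" for t in dkim):
        findings.append("DKIM: no wildcard record with empty p= (revoked key)")
    null_mx = mx == [(0, ".")]
    if receives_mail and (not mx or null_mx):
        findings.append("MX: domain should receive mail but has no usable MX")
    if not receives_mail and not null_mx:
        findings.append("MX: publish a null MX ('0 .') for a parked domain")
    return findings

MX = [(10, "mx.example.net.")]
# The receive-only domain as described in the thread: soft-fail SPF, no DMARC yet.
CURRENT = {"example.org": ["v=spf1 a include:_spf.google.com ~all"]}
# Locked-down record set for the same domain.
HARDENED = {
    "example.org": ["v=spf1 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject"],
    "*._domainkey.example.org": ["v=DKIM1; p="],
}

if __name__ == "__main__":
    for name, records in (("current", CURRENT), ("hardened", HARDENED)):
        print(name, audit_no_send("example.org", records, MX, True))
```

Passing `receives_mail=False` switches the MX check to the parked-domain case, where only a null MX is accepted.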