Important reminder, if you own a domain name and don't use it for sending email.
-
@Jerry A null MX is also a good idea for any domain name which is not used for email, though you (obviously) can't set a null MX on a domain used to receive email.
-
@Jerry Great post, as a reminder! I work on this at work, but haven't paid the same attention to my own personal domains.
And just a slight FYI, the SPF TXT record does indeed need to be on the apex/root domain, which, yes, some DNS providers use “@” as a placeholder for, but that's not what “it is called”. Others, like AWS Route53, don't use that nomenclature. R53 writes out the apex/base domain, e.g. “example.com”, to indicate the apex/root domain.
-
Sharon of the Strange Times replied to Jerry Lerman
@Jerry I have this problem! But I also use my domain for sending post notifications via MailPoet. What are my options?
-
DJM (freelance for hire) replied to Jerry Lerman
@Jerry If needed, here's a DMARC domain checker https://dmarcian.com/domain-checker/
-
@Jerry great advice. One question: does this config protect also subdomains?
-
@[email protected] There’s also a null MX record for the sake of completeness https://serverfault.com/questions/714052/why-is-rfc-7505-null-mx-necessary
-
@Jerry would adding those txt records cause any issue to a wildcard redirect I use for myself?
I have xxxxx.com and an auto redirect by my dns provider so that anything sent to [email protected] is forwarded to [email protected] so when I give out the address I can see if it's been shared.
I like the idea of protecting against unauthorized use but wouldn't want to lose my throwaway capability.
I find email servers to be akin to dark arts so am at a loss here tbh.
-
Amy (she/her/hers) replied to Jernej Simončič
@[email protected] @[email protected] hmm, might have to try that out - planning on restructuring my homelab soon so that could be a good opportunity
atm my main problem is that my homelab, being on residential internet, is on SBL because of my ISP (screw you charter!!) and I've yet to find a reasonable SMTP relay. should I ever find a relay, I'd need to re-set-up DMARC around that
-
@Jerry is @ even legal in DNS? (It is not in hostnames, but so is _, so…)
-
@tychotithonus @Jerry
It will probably work OK with 10 - that's supposed to be a relative number, for when there's more than one MX record and a "main MX / backup MX" disposition is desired. As with line numbers in BASIC, the default is 10 to allow for numbers to be added above and below.
The important part is the null host (single dot).
But I wouldn't want to rely on every other mail server interpreting that correctly.
-
@Jerry How in practice can I do this for my site if dynu.com does the dns, and not a dns server I control?
-
Trinity Blair 🥀🔞+ (age in bio or blocked) replied to Jerry Lerman
@Jerry if you do use your domain for email, is adding these still helpful or unnecessary?
-
Jerry Lerman replied to Mx Amber Alex (she/it)
-
Jerry Lerman replied to Trinity Blair 🥀🔞+ (age in bio or blocked)
@trinityblair
If you don't have the 3 records, much of your email that you send will go into spam folders because email clients will have reason to be suspicious of your emails since there's no protection, and eventually, you may see people spoofing your domain, if they aren't trying already. I have a few domains and I see attempts weekly to spoof my domains, both with domains I don't use for email, and those that I do. Fortunately, the spoofs fail.
My friend had a spoof attempt on his domain 4 weeks ago.
So, yep. You should have an SPF, DKIM and a DMARC record.
-
@adingbatponder
Can you open a support ticket for help? Or, maybe, they've already done it for you. You can check at https://www.dnsdomainlookup.com/ and pick dns summary from the dropdown. If you see the spf, dkim, and dmarc records, then you're all set.
-
@dec23k @tychotithonus
My DNS provider doesn't allow just a dot. Many don't. But saying nobody is allowed to send emails for me (SPF record) should cover it.
-
@mirabilos In some records it is, and even required. It means the "root" or no sub domain name.
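
Added example, not part of any post in this thread: an offline check of the three items discussed above for a domain that sends no email (SPF, DMARC, and the null MX), including the "10 ." versus "0 ." case raised in the replies. The record values "v=spf1 -all", "p=reject" and "0 ." are assumptions taken from RFC 7208, RFC 7489 and RFC 7505, since the thread does not show them; the zone data and function names are constructed.

```python
# Added example: audit the records of a domain that never sends email.
# Records are passed in as strings/tuples (as a zone export would list them),
# so nothing is looked up over the network.

def check_spf(txts):
    """Apex TXT: exactly one SPF record, and it must authorize nobody."""
    spf = [t.lower().split() for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return "FAIL: need exactly one SPF record, found %d" % len(spf)
    return "OK" if spf[0][1:] == ["-all"] else "FAIL: SPF must contain only '-all'"

def check_dmarc(txts):
    """TXT at _dmarc.<domain>: policy must be reject."""
    recs = [t for t in txts if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return "FAIL: need exactly one DMARC record, found %d" % len(recs)
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("p") != "reject":
        return "FAIL: p=%s, want p=reject" % tags.get("p")
    return "OK"

def check_null_mx(mxs):
    """MX as (preference, exchange) tuples; RFC 7505 null MX is a lone '0 .'."""
    if not mxs:
        return "WARN: no MX record; senders fall back to the A/AAAA address"
    null = [(pref, host) for pref, host in mxs if host == "."]
    if not null:
        return "FAIL: domain advertises a mail exchanger"
    if len(mxs) > 1:
        return "FAIL: null MX must be the only MX record"
    if null[0][0] != 0:
        return "WARN: null host present, but RFC 7505 specifies preference 0"
    return "OK"

def audit(zone):
    return {"spf": check_spf(zone.get("apex_txt", [])),
            "dmarc": check_dmarc(zone.get("dmarc_txt", [])),
            "mx": check_null_mx(zone.get("mx", []))}

# Constructed sample zones (not taken from the thread).
PARKED = {"apex_txt": ["v=spf1 -all"], "dmarc_txt": ["v=DMARC1; p=reject;"], "mx": [(0, ".")]}
LOOSE = {"apex_txt": ["v=spf1 include:_spf.example.net ~all"],
         "dmarc_txt": ["v=DMARC1; p=none"], "mx": [(10, ".")]}

if __name__ == "__main__":
    for name, zone in (("parked", PARKED), ("loose", LOOSE)):
        print(name, audit(zone))
```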