A way for DNS record to say "this domain has no mail server"?


Solution 1

Due to the fallback of directly contacting a host via its address records, a single "null MX" record of "MX 0 ." is the apparent preferred way to indicate that the host does not accept e-mail. This is similar to a "null SRV" record ("SRV 0 0 0 .") which specifically marks a service as not available (per the SRV-RR RFC 2782).

This has been standardized by RFC 7505 (as of December 2017 it is a proposed standard).

"MX 0 localhost." (or equivalent label pointing at ::1 and 127.0.0.1) is also acceptable but more appropriate for a host that must send mail to itself (e.g. cron job output) which does not accept external mail. Such hosts may have an operational mail server which is firewalled off from the Internet but other services are accessible.

Having no MX record and blocking the SMTP port does not stop people from wasting one's incoming bandwidth trying to contact a non-existent server. The single MX record methods above do prevent such traffic because address-type records are never tried when at least one MX record is present. This will probably not stop some spammers from trying to contact a host directly via its address records. However, as it does stop legitimate traffic from trying, you'll be able to identify spam sources with 100% certainty.

Private addresses should not be used because one cannot tell where they'll end up. Using other reserved addresses (e.g. the documentation range 192.0.2.0/24) is also inappropriate except where trying to identify and trap spammers within one's own network when they try to connect.

Solution 2

I don't know what the "standard" way is, but here's one I've run across: set an MX record to a loopback address.

I suppose any private IP address (or otherwise "invalid" IP - 0.0.0.0) would do the trick. I personally think it's kind of a lousy thing to do, but it would do what you want. You could couple it with a hostname like thisdomaindoesntacceptemail.sostopsendingit as a service to the mail admin who'll end up with the ticket for "email being down" because your domain won't accept email. :)

However, why not just remove the MX record, and set your firewall rules on the A record to block SMTP and TLS (and any other mail ports)?

That would get the point across, and any admin who does a lookup will see no MX record, and refused connections on the fallback A record will remove any doubt about the intent of your configuration, should anyone even look more closely after seeing no MX record.

Solution 3

A simple TXT record will do this for you, set the SPF records to have a null value with a hard fail:

@ IN TXT "v=spf1 -all"
* IN TXT "v=spf1 -all"

That's how I ensure a domain that I use for internal or non-mail services can't be phished.

Solution 4

I think specifying a non-existent DNS name as the domain's mail hub (MX) would suffice.

UPD.: And finally there is https://datatracker.ietf.org/doc/html/draft-delany-nullmx-00

UPD. 2: This eventually evolved into an IETF proposed standard: RFC 7505: A "Null MX" No Service Resource Record for Domains That Accept No Mail
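The answers above mix two different questions: whether a domain can receive mail (decided by the MX set and the RFC 5321 fallback to address records, with RFC 7505's null MX as the explicit "no") and whether it may send mail (decided by SPF, as in Solution 3). The following added example, not from any of the posters, evaluates both sides over constructed record sets so the distinction is visible; the zone data and function names are assumptions.

```python
# Constructed zone snapshots (not real domains): what a resolver might return
# for a domain apex, keyed by RR type. MX values are (preference, exchange).
ZONES = {
    "nullmx.example":   {"MX": [(0, ".")], "A": ["192.0.2.10"], "TXT": ['"v=spf1 -all"']},
    "webonly.example":  {"MX": [], "A": ["192.0.2.20"], "TXT": []},
    "mixed.example":    {"MX": [(0, "."), (10, "mail.example.net.")], "A": [], "TXT": []},
    "loopback.example": {"MX": [(0, "localhost.")], "A": [], "TXT": ['"v=spf1 -all"']},
    "dead.example":     {"MX": [], "A": [], "AAAA": [], "TXT": []},
}

def receive_posture(zone):
    """Decision an SMTP client makes per RFC 5321 section 5.1 and RFC 7505."""
    mx = zone.get("MX", [])
    if not mx:
        if zone.get("A") or zone.get("AAAA"):
            return "implicit-mx"  # no MX: fall back to the address records
        return "no-mail"          # nothing at all to connect to
    if len(mx) == 1 and mx[0] == (0, "."):
        return "null-mx"          # RFC 7505: domain accepts no mail
    if any(exchange == "." for _, exchange in mx):
        return "invalid"          # RFC 7505 section 3: null MX must be the only MX
    return "mx"                   # ordinary MX, address records are never tried

def send_posture(zone):
    """Does SPF forbid every sender ('v=spf1 -all')? This says nothing about receiving."""
    spf = [t.strip('"') for t in zone.get("TXT", [])
           if t.strip('"').lower().startswith("v=spf1")]
    if not spf:
        return "no-spf"
    if len(spf) > 1:
        return "invalid"          # RFC 7208 section 4.5: multiple SPF records -> permerror
    terms = spf[0].split()[1:]
    return "deny-all" if terms == ["-all"] else "permits-some"

def audit(domain):
    """Summarise both directions for one constructed zone."""
    zone = ZONES[domain]
    return {"receive": receive_posture(zone), "send": send_posture(zone)}

if __name__ == "__main__":
    for name in ZONES:
        print(f"{name:20} {audit(name)}")
```

Note that "loopback.example" comes out as an ordinary MX: the decision logic cannot tell that the exchange points at 127.0.0.1, which is why Solution 1 prefers the unambiguous "MX 0 .".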


Author: 700 Software
Updated on September 18, 2022

Comments

  • 700 Software
    700 Software over 1 year

    What is the appropriate way to set up a DNS record that says "this domain has no mail server"?

    I assume I need a special MX record to do this, otherwise it will be assumed that the A record is the answer.

    I ask this question because it seems like it would be better to stop the mail at the front line, so it does not become the responsibility of the webserver to reject mail for the domain in question.

    • Zoredache
      Zoredache over 11 years
      I am tempted to say set something like MX 0 localhost. That would bounce it back to the sender.
    • Michael Hampton
      Michael Hampton over 11 years
      Don't run a mail server.
    • HopelessN00b
      HopelessN00b over 11 years
      @Zoredache Bad mail admin! RFC violation.
    • Hennes
      Hennes over 11 years
      How do you solve the mail for abuse@ ? Someone should read that mail. For every other mail address which is not given out (e.g. because it does not exist): tarpit with extreme prejudice.
    • John Gardeniers
      John Gardeniers over 11 years
      The abuse@ address is optional. Only an administrative email address is required and that doesn't have to be on the same domain.
    • John Gardeniers
      John Gardeniers over 11 years
      The web server is never responsible for processing email. A web server would in fact only receive SMTP connection attempts if it was on the domain's A record address, there is no MX record and it listens on port 25. Even under those circumstances, because the web server doesn't speak SMTP those connection attempts would be silently ignored.
  • Zoredache
    Zoredache over 11 years
    The RFCs permit falling back to the A record if no MX record exists. en.wikipedia.org/wiki/MX_record#History_of_fallback_to_A
  • Zoredache
    Zoredache over 11 years
    If you are evil you could TARPIT the SMTP ports. >:)
  • HopelessN00b
    HopelessN00b over 11 years
    @Zoredache Or for even more confusing evil, use someone else's SMTP server as your MX record.
  • Ssingh
    Ssingh over 11 years
    @Zoredache haha I will do that :))
  • John Gardeniers
    John Gardeniers over 11 years
    Yes, let's add another broken DNS setup to the Internet.
  • John Gardeniers
    John Gardeniers over 11 years
    To quote your own comment "Bad mail admin! RFC violation".
  • poige
    poige over 11 years
    @Zoredache, it says in absence of MX.
  • poige
    poige over 11 years
    @JohnGardeniers, who cares? You? Why? Either you have better idea, or you have really horrifying visions of why mine would be too bad to ever think of. So, what's yours? Neither?
  • HopelessN00b
    HopelessN00b over 11 years
    @JohnGardeniers Be fair. I did say I thought it was a lousy thing to do, and suggested a better, RFC-compliant solution as well. But we're not here to stop people from blowing their feet off, if that's what they decide they want to do, after having a chance to make a fully informed decision.
  • HopelessN00b
    HopelessN00b over 11 years
    @poige Good thought with that draft, but unfortunately, it never went anywhere, so there's no "official" way to say this domain doesn't accept email.
  • poige
    poige over 11 years
    @HopelessN00b, yep. But as I've already said, a non-existent domain name would probably be the best-fitted thing that "just works" (except for purists, of course [it would work for them too, but they won't admit it anyway ☺]).
  • Walf
    Walf about 2 years
    This covers whether the domain sends mail, not whether it can receive it.