Are SPF records needed for domains that do not send mail and do not have an MX record?


Solution 1

No, SPF records are NOT required if your domain doesn't send emails.

However, for the benefit of reducing the risk of spam mail coming from that domain, setting the SPF record to

"v=spf1 -all"

is good, so that SPF-checking servers see this and automatically reject email from that domain.

Solution 2

If you don't intend to send mail from this domain, why let anyone else use it as they wish? But things have changed since this question was asked eight years ago. SPF can only protect your domain from being used as the envelope sender, but SPF can't protect the From: header.

I'd go even further by adding a DMARC alignment.

@       IN      TXT     "v=spf1 -all"
_dmarc  IN      TXT     "v=DMARC1; p=reject; aspf=s; adkim=s;"

All subdomains inherit the DMARC policy, but SPF isn't inherited by subdomains. Therefore, you'd need to add a corresponding SPF record for every A record you have, too.

There's no need to publish any DKIM records as there's no one signing the messages anyway.

I didn't add the rua= and ruf= because in this situation there shouldn't be any false positives to be fixed. If you are curious enough to collect data on how much this domain is used for spoofing, you can add e.g.

rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0:d;
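
To show what the two records in this answer do at a receiving side, here is an added example written for this page (it is not code from the answer or from any mail software): a minimal SPF evaluator for the "all", "ip4" and "ip6" mechanisms, and a DMARC tag parser with the identifier-alignment check that "aspf=s; adkim=s" asks for. Mechanisms that need DNS lookups (include, a, mx, exists, redirect) are deliberately not resolved. The domain names (domainA.com, spammer.example) and IP addresses are constructed for the demonstration.

```python
"""Minimal SPF evaluator plus DMARC policy parser and alignment check.

Added example for this page; it is not code from the answer. Only the
SPF mechanisms "all", "ip4" and "ip6" are implemented, which is all a
"v=spf1 -all" record needs. Mechanisms that require DNS lookups
(include, a, mx, exists, redirect=) are reported as "permerror" here.
Domains and addresses below are constructed for the demonstration.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the connecting client IP.

    Returns one of the RFC 7208 result strings: pass, fail, softfail,
    neutral, none, permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # "-all": every sender fails
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in net:                  # False when IP versions differ
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                 # include/a/mx/... need DNS (unsupported here)
    return "neutral"                       # no mechanism matched and no "all"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")          # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")           # relaxed alignment unless aspf=s
    tags.setdefault("sp", tags["p"])       # subdomain policy defaults to p
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match; relaxed
    ("r") needs the same organisational domain, approximated here as a
    parent/child relation (a real receiver consults the Public Suffix List)."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(dmarc, from_domain, spf_result="none", spf_domain=None,
                      dkim_result="none", dkim_domain=None, is_subdomain=False):
    """What a DMARC-enforcing receiver does with a message whose From: domain
    is from_domain: "pass" if SPF or DKIM passed *and* is aligned, otherwise
    the published policy (none / quarantine / reject)."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, dmarc["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, dmarc["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return dmarc["sp"] if is_subdomain else dmarc["p"]


if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=reject; aspf=s; adkim=s;")
    # Spoofer at 203.0.113.7 uses domainA.com as both MAIL FROM and From:.
    spf = evaluate_spf("v=spf1 -all", "203.0.113.7")
    print("envelope domainA.com:", spf,
          "->", dmarc_disposition(policy, "domainA.com", spf, "domainA.com"))
    # Same spoofer, but MAIL FROM is a domain whose SPF they do pass. SPF
    # alone would let this through; strict DMARC alignment does not.
    spf = evaluate_spf("v=spf1 ip4:203.0.113.0/24 -all", "203.0.113.7")
    print("envelope spammer.example:", spf,
          "->", dmarc_disposition(policy, "domainA.com", spf, "spammer.example"))
```

The second case in the main block is the gap the answer points at: with only "v=spf1 -all" published, a spoofer who puts their own domain in the envelope sender gets an SPF pass, and only the DMARC record (with its alignment requirement) ties the result back to the From: header.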

Solution 3

You don't strictly need to publish any SPF records at all, it is a voluntary system.

That said, if you do publish an SPF record, you can:

  • Help the Internet at large a tiny, tiny bit because it gives spammers one less domain to spoof. (Marginal benefit, but...)
  • Help preserve your domain's 'reputation' by making it less likely to be spoofed in spam.
  • Proactively show that your domain isn't engaged in some MX-record-less hack yet still (by mistake perhaps) sending emails.

Update after OP's update: OK, so first off, it sounds a bit wrong that there are "many" domains on this IP and that adding SPF for them all is difficult -- you shouldn't have domains you don't have a reasonable need for.

Regarding blacklisting: generally, most ISPs won't blacklist anyone for 'smaller' spam volumes. There is no way to say what criteria an ISP might blacklist on, since there are many different ISPs out there, and each is entitled to its own opinion. That said, if it came to blacklisting for you (unlikely), then the most likely targets are MX records and ranges of IP addresses.

Solution 4

You can add those SPF records and they will help prevent some of your concerns. SPF is always optional but nice to do.

UPDATE

As to the second part of your question, it sounds like the issue is really about how email works and how "banning" works.

  1. OK
  2. OK
  3. It bounces the message. That is different from banning. There is a separate process that can result in listing the offending IP address, not of domainA, but of the sender's network IP address and potentially IP addresses also in the same network, in a blacklist.
  4. See above.

Banning isn't done only by domain. Rather the offending network is where the battle is most frequently fought. It's generally a DNS mechanism but other methods exist in addition.

Your fear about affecting legitimate email from another domain really comes down to how that IP network behaves and whether it is generally spammy or not. Even getting banned is usually a temporary thing. You get listed on a blacklist and then you eventually get removed.

Stay on top of any abuse emails from your ISP. This is a sign that someone is reporting you for spam, and you may have some trouble.

Solution 5

It is a best practice to have a "does not send" SPF record (i.e. "v=spf1 -all") on every HOST within a domain that doesn't otherwise have a different SPF record -- as well as for the domain itself plus any non-host label in the domain that has MX or SMTP-service SRV records. The idea is to permit detection that the host part of a sending mailbox is forged, and, for those idiots that don't check others' SPF records, that you have protected all possible labels in your domain that could be backscatter targets.

Is it optional? Not really if you want to avoid any potential for your domain(s) being abused.
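
The OP's objection to this advice is that doing it by hand for many domains and labels is time-consuming. As an added example for this page (not code from the answer or from cPanel), the script below applies the rule mechanically: it reads a simplified BIND-style zone, collects every owner name that has an A, AAAA or MX record or an SMTP/submission SRV record, and prints the "v=spf1 -all" TXT lines that are still missing, including the apex. The zone text, its names and addresses are constructed for the demonstration; the parser only handles one record per line with optional TTL and class, which is enough for the zone files cPanel-style panels export.

```python
"""Emit a "does not send" SPF record for every host label in a zone.

Added example for this page, not code from the answer. It reads a
simplified BIND-style zone (one record per line, "@" and relative names,
optional TTL/class, no multi-line parentheses), collects every owner name
that has an A, AAAA or MX record or an SMTP-service SRV record, and prints
a TXT "v=spf1 -all" for each one that does not already publish SPF, plus
the apex. The zone below is constructed for the demonstration.
"""

SPF_NULL = '"v=spf1 -all"'
SMTP_SRV_PREFIXES = ("_submission._tcp.", "_submissions._tcp.", "_smtp._tcp.")

# Constructed sample zone: no MX at the apex (as in the question), a few hosts,
# one host that already has the record, a CNAME and a non-SMTP SRV.
SAMPLE_ZONE = """\
$ORIGIN domainA.com.
$TTL 3600
@           IN  SOA   ns1.domainA.com. hostmaster.domainA.com. (1 3600 600 86400 300)
@           IN  NS    ns1.domainA.com.
@           IN  A     192.0.2.10
www         IN  A     192.0.2.10
www         IN  AAAA  2001:db8::10
mail        IN  A     192.0.2.20
mail        IN  TXT   "v=spf1 -all"        ; already protected
lists       IN  MX    10 mail.domainA.com.
sip         IN  A     192.0.2.30
_sip._tcp   IN  SRV   10 5 5060 sip.domainA.com.
_submission._tcp IN SRV 0 1 587 mail.domainA.com.
blog        IN  CNAME www                   ; a CNAME owner cannot carry TXT
ns1         IN  A     192.0.2.53
"""


def absolute(name, origin):
    """Turn "@" or a relative owner name into an absolute name without the trailing dot."""
    origin = origin.rstrip(".")
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, rrtype, rdata) tuples from a simple zone file."""
    records, last_owner = [], absolute("@", origin)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        if line.startswith("$"):
            if line.upper().startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        if line[0].isspace():                         # blank owner = repeat previous
            owner, rest = last_owner, fields
        else:
            owner, rest = absolute(fields[0], origin), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)                               # optional TTL and class
        if rest:
            records.append((owner, rest[0].upper(), " ".join(rest[1:])))
            last_owner = owner
    return records


def is_mail_relevant(owner, rrtype):
    """A label needs the null SPF record if it is a host (A/AAAA), has MX,
    or advertises an SMTP/submission service via SRV."""
    if rrtype in ("A", "AAAA", "MX"):
        return True
    return rrtype == "SRV" and owner.lower().startswith(SMTP_SRV_PREFIXES)


def missing_spf_owners(records, origin):
    """Owners that should publish "v=spf1 -all" but publish no SPF at all."""
    has_spf = {owner for owner, rrtype, rdata in records
               if rrtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1")}
    wanted = {absolute("@", origin)}
    wanted |= {owner for owner, rrtype, _ in records if is_mail_relevant(owner, rrtype)}
    return sorted(owner for owner in wanted if owner not in has_spf)


def render_records(owners):
    """Zone-file lines to append, one TXT record per owner."""
    return "\n".join(f"{owner}.\tIN\tTXT\t{SPF_NULL}" for owner in owners)


if __name__ == "__main__":
    todo = missing_spf_owners(parse_zone(SAMPLE_ZONE, "domainA.com."), "domainA.com.")
    print(render_records(todo))
```

Run against the sample zone it leaves mail.domainA.com alone (it already has the record), skips the CNAME (a CNAME owner cannot have a TXT record next to it) and the non-SMTP SRV, and prints records for the apex, www, lists, sip, ns1 and _submission._tcp. Feed it each exported zone in a loop and the "many domains" objection becomes a one-line job per zone.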



Author: Marco Demaio

Updated on September 18, 2022

Comments

  • Marco Demaio
    Marco Demaio almost 2 years

    I have some domains registered that do not send mails.

    I have totally removed MX record for these domains on my DNS.

    Is it still useful to set an SPF record in order to avoid spammers sending mail as these domains?

    I read here that for domains that do not send mail the SPF record setting is always:

    mydomain.it. TXT "v=spf1 -all"

    This is the simplest possible SPF record: it means your domain mydomain.it never sends mail.

    But do I still need to set these, since I even removed the MX record?

    What I'm afraid of is that some spammer uses one of these domains (domainA) and sends spam; since domainA is on the same IP as domainB, which DOES send mail, I'm afraid an ISP could ban as spam mails coming from such an IP, and therefore mail coming also from domainB would be banned too.

    Thanks!


    FYI: I'm using a cPanel account with a dedicated IP to host domains; the mail server uses the same dedicated IP.


    UPDATE: from the answers below I understood that for this specific case, SPF records are not needed except for helping the internet recognize immediately as spam a spoofed email address using one of those domains. But no one answered the last part of my question.

    1. Spammer sends mail pretending to be [email protected]
    2. domainA.com does not have an MX record
    3. ISP recognizes name@domainA is spam; does the ISP ban the IP of domainA, or just domainA???
    4. If the ISP bans the IP of domainA, the poor domainB (with MX record) that DOES send email and is on the same server IP would get banned too, wouldn't it?
    • JamesRyan
      JamesRyan about 12 years
      If 4. ever happened it would be trivial to get other people's domains banned. It doesn't work that way.
  • Marco Demaio
    Marco Demaio almost 13 years
    "SPF record is not in place": not true. "It would take me nothing to add the record mydomain.it. TXT "v=spf1 -all"": it would, because I have many domains. Good idea about preserving the domain reputation, but what about other domains on the same IP? (Please see my question update.)
  • Marco Demaio
    Marco Demaio almost 13 years
    And what about other domains that DO send mail on the same server IP? (Please see my question update.)
  • Marco Demaio
    Marco Demaio almost 13 years
    It's time consuming for many domains.
  • Marco Demaio
    Marco Demaio almost 13 years
    @Jasper Mrtensen: thanks for the update. About what you say, "you shouldn't have domains you don't have a reasonable need for": I need those domains because I have customers that want them.
  • Esa Jokinen
    Esa Jokinen over 5 years
    To protect your reputation I'd remind that this opinion has become a bit outdated. :)
  • FooBee
    FooBee over 5 years
    @EsaJokinen: You are probably right :)
  • Esa Jokinen
    Esa Jokinen over 5 years
    I used to have "v=spf1 -all" + DMARC "v=DMARC1; p=reject; aspf=s; adkim=s;" on domains that are merely for some redirects or static web pages and were never intended for email, and shared that as a new answer here. (In my setups, there are MX servers that usually reply to every RCPT TO address with a connection-stage reject carrying a human-readable message "see site for contact information", but that's just good customer service and too far away from what has been asked. :) )