I have some domains registered that do not send mail.
I have completely removed the MX record for these domains in my DNS.
Is it still useful to set an SPF record in order to stop spammers sending mail as these domains?
I read here that for domains that do not send mail the SPF record setting is always:
mydomain.it. TXT "v=spf1 -all"
This is the simplest possible SPF record: it means your domain mydomain.it never sends mail.
But do I still need to set these since I even removed the MX record?
What I'm afraid of is that some spammer uses one of these domains (domainA) to send spam; since domainA is on the same IP as domainB, which DOES send mail, I'm afraid an ISP could ban as spam the mail coming from that IP, and therefore mail coming from domainB would be banned too.
Thanks!
FYI: I'm using a cPanel account with a dedicated IP to host the domains; the mail server uses the same dedicated IP.
UPDATE: from the answers below I understood that for this specific case SPF records are not needed, except for helping the internet recognize immediately as spam a spoofed email address using one of those domains. But no one answered the last part of my question.
- Spammer sends mail pretending to be name@domainA.com
- domainA.com does not have MX record
- ISP recognizes name@domainA as spam: does the ISP ban the IP of domainA, or just domainA?
- If the ISP bans the IP of domainA, poor domainB (with an MX record), which DOES send email and is on the same server IP, would get banned too, wouldn't it?
No, SPF records are NOT required if your domain doesn't send emails.
However, for the benefit of reducing the risk of spam mail coming from that domain, setting the SPF record of
is good so that SPF-checking servers see this and automatically reject email from that domain.
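To make the answer above concrete, here is an added example (my own code, not from the answer or from any SPF library) of what an SPF-checking receiver does with the two kinds of record in the question. It is deliberately offline: the published record text and the connecting IP are passed in directly, so only ip4, ip6 and all mechanisms are evaluated (a, mx, include and the like need DNS and are reported as permerror here). The domain names and the 203.0.113.10 / 198.51.100.7 addresses are constructed for the scenario in the question: domainA never sends, domainB sends from the shared dedicated IP.

```python
"""Offline SPF evaluation for a published record string.

Added example, not from the original thread. Results use the RFC 7208
names: 'none' (no v=spf1 record), 'pass', 'fail', 'softfail', 'neutral'
from the first matching mechanism, 'neutral' when nothing matches (the
implicit '?all'), and 'permerror' for mechanisms this offline version
cannot resolve without DNS.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip (v4 or v6 string) against an SPF record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")    # ip6 args contain ':' but only the first split matters
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]      # 'all' always matches
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, ptr, redirect= all need DNS lookups:
        # out of scope for this offline example (assumption, not SPF semantics)
        return "permerror"
    return "neutral"


# Constructed records for the question's scenario (203.0.113.10 is a
# documentation address standing in for the shared dedicated IP).
RECORDS = {
    "domaina.example": "v=spf1 -all",                   # never sends mail
    "domainb.example": "v=spf1 ip4:203.0.113.10 -all",  # sends from the shared IP
}


def check_sender(mail_from_domain, sender_ip):
    """What a receiver concludes for a MAIL FROM domain arriving from sender_ip."""
    record = RECORDS.get(mail_from_domain.lower(), "")
    return evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    cases = [("domaina.example", "203.0.113.10"),  # spoofed from the shared IP
             ("domaina.example", "198.51.100.7"),  # spoofed from elsewhere
             ("domainb.example", "203.0.113.10"),  # legitimate
             ("domainb.example", "198.51.100.7")]  # spoofed domainB
    for domain, ip in cases:
        print(f"{domain} from {ip}: {check_sender(domain, ip)}")
```

The point the answer makes shows up in the first case: with "v=spf1 -all" published, a spoofed domainA message fails SPF even when it really comes from your own IP, so a receiver can reject it on the domain alone rather than having to judge the IP.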
If you don't intend to send mail from this domain, why let anyone else use it as they wish? But things have changed since this question was asked eight years ago. SPF can only protect your domain from being used as the envelope sender, but SPF can't protect the From: header. I'd go even further by adding a DMARC alignment.
All subdomains inherit the DMARC policy, but SPF isn't inherited by the subdomains. Therefore, you'd need to add a corresponding SPF record for every A record you have, too. There's no need to publish any DKIM records as there's no one signing the messages anyway.
I didn't add the rua= and ruf= because in this situation there shouldn't be any false positives to be fixed. If you are curious enough to collect data on how much this domain is used for spoofing, you can add e.g.
You don't strictly need to publish any SPF records at all; it is a voluntary system.
That said, if you do publish an SPF record, you can:
Update after OP's update: OK, so first off, it sounds a bit wrong that there are "many" domains on this IP and adding SPF for them all is difficult -- you shouldn't have domains you don't have a reasonable need for.
Regarding blacklisting: Generally, most ISPs won't blacklist anyone for 'smaller' spam volumes. There is no way to say what criteria an ISP might blacklist on, since there are many different ISPs out there, and each is entitled to his own opinion. That said, if it came to blacklisting for you (unlikely), then the most likely targets are MX records and ranges of IP addresses.
You can add those SPF records and they will help prevent some of your concerns. SPF is always optional but nice to do.
UPDATE
As to the second part of your question, it sounds like the issue is really about how email works and how "banning" works.
Banning isn't done only by domain. Rather the offending network is where the battle is most frequently fought. It's generally a DNS mechanism but other methods exist in addition.
Your fear about affecting legitimate email from another domain really comes down to how that IP network behaves and whether it is generally spammy or not. Even getting banned is usually a temporary thing. You get listed on a blacklist and then you eventually get removed.
Stay on top of any abuse emails from your ISP. This is a sign that someone is reporting you for spam and you may have some trouble.
It is a best practice to have a "does not send" SPF record (i.e. "v=spf1 -all") on every HOST within a domain that doesn't otherwise have a different SPF record -- as well as for the domain itself plus any non-host label in the domain that has MX or SMTP-service-SRV records. The idea is to permit detection that the host-part of a sending mailbox is forged, and for those idiots that don't check others' SPF records, that you have protected all possible labels in your domain that could be backscatter targets.
Is it optional? Not really if you want to avoid any potential for your domain(s) being abused.
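The answer above (protect the apex, every host label, and every label with MX or SMTP SRV records) and the earlier one (SPF is not inherited by subdomains, so each A record needs its own record) both come down to the same mechanical task: walk the zone and find the labels that still lack an SPF record. Here is an added example of that walk (my code, not from either answer); the zone contents are constructed tuples as one would read from a zone file, the domain names and 203.0.113.10 are placeholders, and the DMARC record text is my choice for a domain that never sends, not something the answers specify.

```python
"""List the 'does not send' TXT records a zone is still missing.

Added example, not from the original thread. Labels that need an SPF
record: the zone apex, every owner of an A/AAAA record (a host), every
owner of an MX record, and the label an SMTP-related SRV record is
advertised for. Labels that already publish a v=spf1 TXT are left alone,
which matters for the MX host: its own name is used as the HELO identity
for bounces, so it must allow its IP rather than carry 'v=spf1 -all'.
"""

SPF_NONE = "v=spf1 -all"
# Policy chosen here for a non-sending domain: reject, strict alignment.
DMARC_NONE = "v=DMARC1; p=reject; adkim=s; aspf=s"
SMTP_SRV_PREFIXES = ("_submission._tcp.", "_submissions._tcp.", "_smtp._tcp.")


def missing_records(zone_name, records):
    """Return (owner, 'TXT', value) tuples to add; owners without trailing dot."""
    zone_name = zone_name.rstrip(".").lower()
    needs_spf = {zone_name}          # the apex always needs one
    has_spf = set()
    has_dmarc = False
    for owner, rtype, value in records:
        owner = owner.rstrip(".").lower()
        if owner != zone_name and not owner.endswith("." + zone_name):
            continue                 # glue or data from another zone
        rtype = rtype.upper()
        if rtype in ("A", "AAAA", "MX"):
            needs_spf.add(owner)
        elif rtype == "SRV" and owner.startswith(SMTP_SRV_PREFIXES):
            # _submission._tcp.example -> example is the label being advertised
            needs_spf.add(owner.split("._tcp.", 1)[1])
        elif rtype == "TXT":
            if value.lower().startswith("v=spf1"):
                has_spf.add(owner)
            elif owner == "_dmarc." + zone_name and value.lower().startswith("v=dmarc1"):
                has_dmarc = True
        # CNAME owners cannot hold TXT data; an SPF lookup follows the
        # CNAME, so the target host's record (covered above) applies.
    out = [(label, "TXT", SPF_NONE) for label in sorted(needs_spf - has_spf)]
    if not has_dmarc:
        out.append(("_dmarc." + zone_name, "TXT", DMARC_NONE))
    return out


def zone_lines(records):
    """Render the tuples as zone-file lines."""
    return ['%s. IN TXT "%s"' % (owner, value) for owner, _, value in records]


# Constructed zones for the question's scenario.
DOMAIN_A_ZONE = [                     # never sends mail, no MX at all
    ("domaina.example.", "A", "203.0.113.10"),
    ("www.domaina.example.", "A", "203.0.113.10"),
]
DOMAIN_B_ZONE = [                     # the sending domain on the same IP
    ("domainb.example.", "A", "203.0.113.10"),
    ("domainb.example.", "MX", "10 mail.domainb.example."),
    ("domainb.example.", "TXT", "v=spf1 ip4:203.0.113.10 -all"),
    ("mail.domainb.example.", "A", "203.0.113.10"),
    ("mail.domainb.example.", "TXT", "v=spf1 a -all"),   # HELO identity of the MX
    ("www.domainb.example.", "A", "203.0.113.10"),
    ("blog.domainb.example.", "CNAME", "www.domainb.example."),
    ("_submission._tcp.domainb.example.", "SRV", "0 1 587 mail.domainb.example."),
    ("other.example.", "A", "198.51.100.7"),             # not in this zone
]

if __name__ == "__main__":
    for name, zone in (("domaina.example", DOMAIN_A_ZONE), ("domainb.example", DOMAIN_B_ZONE)):
        print("\n".join(zone_lines(missing_records(name, zone))))
```

For domainA this emits "v=spf1 -all" at the apex and at www plus the DMARC record; for domainB only www and the DMARC record are reported, because the apex and the MX host already publish records that fit their actual sending role.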
No, you don't need it. If you aren't running an SMTP server, no spammer can contact your server. But you could leave it, so others can check your domain records when deciding if they deal with spam.
If you have the time, it would be best to have SPF records on all your domains, even if it's just the fail all record. If you don't, then add an SPF record only to those domains that you do send mail from.
If a spammer fakes your domain or IP, the SPF record will help minimize the damage--and signing with DKIM would do even better--but there's nothing at present that will completely prevent there being some damage to your domain reputation. You just have to be ready to repair it by contacting any ISPs that might block your mail as a result--which I must say is very unlikely unless someone is specifically targeting you. (There are delivery consultants out there who can help with the repairing, too.)
Even though domain reputation is becoming more important, many ISPs still block mail based on IP addresses. They also block mail containing domains (not just from, but having the domain anywhere in the email) with poor reputations. So the answer is yes, having domainA blocked can affect domainB if they send through the same IP address or domainA is contained in mail sent from domainB.