Secure an inactive domain from email spoofing attacks

#Azure #DNS #security #Exchange

Your organization may have a primary domain that's used for sending and receiving email (e.g., but you may also have other domains that aren't used for email routing (, You or another administrator may have set up SPF, DMARC, and DKIM records for these externally facing domains that handle email, but there is still a risk of email spoofing attacks on your non-sending domains.

Without SPF, DMARC, and DKIM records in your DNS, anyone can send email that appears to come from your domain. This is a huge headache for an administrator to clean up, and organizations can lose brand trust with customers who receive these emails.

To prevent this spoofing attack, all you need to do is add 3 records to your DNS config for each domain. These records are used by the recipient's email server to verify whether the sender is authorized to use the domain. If the record check fails, the message is rejected and the recipient doesn't receive the email.

Here are the records that are needed for each domain:

Record Type   Name            Value
TXT           @               v=spf1 -all
TXT           _dmarc          v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s
TXT           *._domainkey    v=DKIM1; p=

You may also want to add an MX record to your DNS so that incoming email is also rejected. This is not required, but it prevents your domain from accepting attempted incoming messages:

Record Type   Name   Priority   Value
MX            @      0          null

In my environment, I have a domain that I'm only using for web traffic and shouldn't be sending out or receiving emails at I'm going to add these records to my DNS config to prevent spoofing attacks.

Before updating my DNS records, here is a screenshot from MXToolbox showing that I don't have any SPF, DMARC, or DKIM records configured for my domain:

Screenshot of MXToolbox with no secure SPF records

Inside Azure DNS, I'm going to add all four records to my domain:

Screenshot of Azure DNS with 4 new records

After waiting a few minutes for DNS servers to refresh, MXToolbox reports that my DNS records are configured to block spoofing attacks and reject incoming email:

Screenshot of MXToolbox with secure SPF records

By adding these 3 records, you can protect your organization's brand from the headaches that come from spoofed emails. If you're using Azure DNS, it's easy to make these changes in the Portal.

EDIT: Azure has added support for zone files. Here are the records, which you can copy and paste into your deployment or into the DNS zone after creation:

; MX Records
@	3600	IN	MX	0	null
; TXT Records
*._domainkey	3600	IN	TXT	"v=DKIM1; p="
@	3600	IN	TXT	"v=spf1 -all"
_dmarc	3600	IN	TXT	"v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"
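The records table above and the zone file just shown describe the same lockdown policy, so it helps to have a check that confirms a zone actually carries it before (and after) publishing. The following script is an added example, not the post's own tooling: it parses the zone-file lines from the post (embedded as a constructed sample, together with a constructed "weak" zone that still allows spoofing) with the standard library only, and reports whether SPF is exactly `-all`, DMARC rejects for the domain and its subdomains, the wildcard DKIM record carries an empty `p=` (a revoked key), and a null MX is present. One caveat the check encodes: RFC 7505 defines the null MX as priority 0 with the exchange `.`, so an exchange such as the relative name `null` used in the zone file above is reported as a warning rather than a failure.

```python
"""Offline check that a DNS zone carries the records prescribed for a domain
that must never send or receive mail. Added example; standard library only."""

# Constructed sample input: the zone-file lines from the post, verbatim.
LOCKED_ZONE = (
    "; MX Records\n"
    "@\t3600\tIN\tMX\t0\tnull\n"
    "; TXT Records\n"
    '*._domainkey\t3600\tIN\tTXT\t"v=DKIM1; p="\n'
    '@\t3600\tIN\tTXT\t"v=spf1 -all"\n'
    '_dmarc\t3600\tIN\tTXT\t"v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"\n'
)

# Constructed sample input: soft-fail SPF, monitor-only DMARC, no DKIM or MX.
# A receiver evaluating this zone can still accept a spoofed message.
WEAK_ZONE = (
    '@\t3600\tIN\tTXT\t"v=spf1 ~all"\n'
    '_dmarc\t3600\tIN\tTXT\t"v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"\n'
)


def parse_zone(text):
    """Parse the subset of zone-file syntax used above: NAME TTL IN TYPE RDATA.
    Returns a list of (name, type, rdata) tuples; TXT rdata is unquoted."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment line
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unsupported zone line: {raw!r}")
        name, _ttl, _cls, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype == "TXT":
            # TXT strings may contain ';' (DKIM/DMARC), so only the quotes delimit them
            rdata = rdata.strip().strip('"')
        records.append((name, rtype, rdata))
    return records


def parse_tags(value):
    """Split 'k=v; k2=v2' style DKIM/DMARC records into a dict, keeping empty values."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition("=")
        tags[key.strip().lower()] = val.strip()
    return tags


def check_zone(text):
    """Return findings keyed by record kind ('fail: ...' or 'warn: ...').
    An empty dict means the zone fully matches the lockdown policy."""
    records = parse_zone(text)
    findings = {}

    spf = [r for n, t, r in records if n == "@" and t == "TXT" and r.lower().startswith("v=spf1")]
    if not spf:
        findings["spf"] = "fail: no SPF record at the zone apex"
    elif spf[0].split()[1:] != ["-all"]:  # any other mechanism authorizes a sender
        findings["spf"] = f"fail: SPF must be exactly 'v=spf1 -all', got {spf[0]!r}"

    dmarc = [r for n, t, r in records if n == "_dmarc" and t == "TXT" and r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings["dmarc"] = "fail: no _dmarc TXT record"
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "")
        subpolicy = tags.get("sp", policy)  # sp defaults to p (RFC 7489)
        if policy != "reject" or subpolicy != "reject":
            findings["dmarc"] = f"fail: DMARC p={policy or '?'} sp={subpolicy or '?'}; both must be reject"

    dkim = [r for n, t, r in records if n == "*._domainkey" and t == "TXT"]
    if not dkim:
        findings["dkim"] = "fail: no *._domainkey wildcard TXT record"
    elif parse_tags(dkim[0]).get("p") != "":  # empty p= means the key is revoked (RFC 6376)
        findings["dkim"] = "fail: wildcard DKIM record must carry an empty p="

    mx = [r for n, t, r in records if n == "@" and t == "MX"]
    if not mx:
        findings["mx"] = "warn: no MX record; add a null MX to refuse inbound mail"
    else:
        fields = mx[0].split()
        priority = fields[0]
        exchange = fields[1] if len(fields) > 1 else ""
        if priority != "0":
            findings["mx"] = f"warn: null MX should use priority 0, got {priority}"
        elif exchange != ".":
            # RFC 7505 null MX is '0 .'; any other name is a zone-relative host
            findings["mx"] = f"warn: MX exchange {exchange!r} is not the RFC 7505 null MX target '.'"

    return findings


def is_locked_down(text):
    """True when no finding is a hard failure (warnings do not block)."""
    return not any(msg.startswith("fail") for msg in check_zone(text).values())


if __name__ == "__main__":
    for label, zone in (("locked zone", LOCKED_ZONE), ("weak zone", WEAK_ZONE)):
        print(f"{label}: locked down = {is_locked_down(zone)}")
        for kind, msg in check_zone(zone).items():
            print(f"  {kind}: {msg}")
```

Run against a zone exported from Azure DNS (or any BIND-style file limited to the `NAME TTL IN TYPE RDATA` form), the locked zone passes with only the MX warning, while the weak zone fails on SPF, DMARC and DKIM. The same checks can be pointed at live DNS answers once the TXT and MX data have been fetched by a resolver of your choice.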
