[dmarc-discuss] DMARC and vanity domains

Marko Nix marko at tech-nicks.de
Fri Aug 25 12:20:13 PDT 2017


Hi Marc,

your idea is right in my opinion.

You do need a valid SPF (but may be a „-all“ thats your choice, because you don’t send for that domain mails) record. But no DKIM, because you don’t send emails.

But enough of talking, i think an example helps more:

Domain 1 (master)
_dmarc                          IN	TXT ("v=DMARC1; p=quarantine; sp=reject; fo=1; aspf=r; adkim=s;"
                                             "rua=mailto:dmarc at tech-nicks.de; ruf=mailto:dmarc at tech-nicks.de;")

Domain 2 (no real use)
@                       IN	TXT             "v=spf1 -all"
_dmarc                  IN	TXT             ("v=DMARC1; p=reject; sp=reject; fo=1; aspf=s; adkim=s;"
                                                 "rua=mailto:dmarc at tech-nicks.de; ruf=mailto:dmarc at tech-nicks.de;“)

But you have to allow other domains receiving reports. For me it is an other domain i own.

Domain 3 (where the reports go)
(its own dmarc record - left out because does not matter here)
tierheilpraxis-nix.de._report._dmarc IN TXT "v=DMARC1"
thp-nix.de._report._dmarc	IN	TXT "v=DMARC1“

So its that what you have written I think. Do not waste time on DKIM - you don’t send, you don’t need it.

Hope it helps.

Kind regards,
Marko

> Am 25.08.2017 um 19:22 schrieb Marc Luescher via dmarc-discuss <dmarc-discuss at dmarc.org>:
> 
> Hi there,
> 
> we are setting up a lot of vanity domains to make sure they can not be used for abuse.
> 
> main domain fresenius.com
> vanity 1 fressenius.com etc
> 
> My idea was to just to create a DMARC record like :
> v=DMARC1; p=reject; rua=mailto:716767a6 at mxtoolbox.dmarc-report.com,mailto:92ef88808ad6806 at rep.dmarcanalyzer.com,mailto:yjgni57k at ag.dmarcian.com;ruf=mailto:92ef88808ad6806 at for.dmarcanalyzer.com,mailto:yjgni57k at ag.dmarcian.com <mailto:92ef88808ad6806 at rep.dmarcanalyzer.com,mailto:yjgni57k at ag.dmarcian.com;ruf=mailto:92ef88808ad6806 at for.dmarcanalyzer.com,mailto:yjgni57k at ag.dmarcian.com>; sp=reject; fo=1;
> 
> for all newly registered vanity domians and to authorize it in the master domain. Would this be best practice or do we need for every vanity domain also a valid SPF and/or DKIM record to be fully compliant. I did not find any guideline how to do this.
> 
> Thank you
> 
> Marc
> 
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss at dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> 
> NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20170825/24cff0c7/attachment.html>


More information about the dmarc-discuss mailing list