[dmarc-discuss] DMARC and vanity domains

John Wilson jwilson at mail.agari.com
Fri Aug 25 13:19:48 PDT 2017


Marc,

Strictly speaking, you don't need the SPF record; however, I strongly
recommend you publish a "permit none" SPF record as many corporate gateways
that don't support DMARC (or don't have validation enabled) will still
block fraudulent messages based on an SPF record.

v=spf1 -all

Best Regards,
John

On Fri, Aug 25, 2017 at 12:20 PM, Marko Nix via dmarc-discuss <
dmarc-discuss at dmarc.org> wrote:

> Hi Marc,
>
> Your idea is right, in my opinion.
>
> You do need a valid SPF record (but it may be "-all", that's your choice,
> because you don't send mail for that domain). But no DKIM, because you
> don't send emails.
>
> But enough talking, I think an example helps more:
>
> Domain 1 (master)
> _dmarc                  IN TXT             ("v=DMARC1; p=quarantine; sp=reject; fo=1; aspf=r; adkim=s;"
>                                             "rua=mailto:dmarc at tech-nicks.de; ruf=mailto:dmarc at tech-nicks.de;")
>
> Domain 2 (no real use)
> @                       IN TXT             "v=spf1 -all"
> _dmarc                  IN TXT             ("v=DMARC1; p=reject; sp=reject; fo=1; aspf=s; adkim=s;"
>                                             "rua=mailto:dmarc at tech-nicks.de; ruf=mailto:dmarc at tech-nicks.de;")
>
> But you have to allow other domains to receive reports. For me it is
> another domain I own.
>
> Domain 3 (where the reports go)
> (its own DMARC record - left out because it does not matter here)
> tierheilpraxis-nix.de._report._dmarc IN TXT "v=DMARC1"
> thp-nix.de._report._dmarc IN TXT "v=DMARC1"
>
> So it's what you have written, I think. Do not waste time on DKIM - you
> don't send, you don't need it.
>
> Hope it helps.
>
> Kind regards,
> Marko
>
> On 25.08.2017 at 19:22, Marc Luescher via dmarc-discuss <
> dmarc-discuss at dmarc.org> wrote:
>
> Hi there,
>
> We are setting up a lot of vanity domains to make sure they cannot be
> used for abuse.
>
> main domain fresenius.com
> vanity 1 fressenius.com etc
>
> My idea was just to create a DMARC record like:
>
> v=DMARC1; p=reject; rua=mailto:716767a6 at mxtoolbox.dmarc-report.com,mailto:92ef88808ad6806 at rep.dmarcanalyzer.com,mailto:yjgni57k at ag.dmarcian.com;ruf=mailto:92ef88808ad6806 at for.dmarcanalyzer.com,mailto:yjgni57k at ag.dmarcian.com; sp=reject; fo=1;
>
> for all newly registered vanity domains and to authorize it in the master
> domain. Would this be best practice, or do we also need a valid SPF and/or
> DKIM record for every vanity domain to be fully compliant? I did not find
> any guideline on how to do this.
>
> Thank you
>
> Marc
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss at dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
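
The checks discussed in this thread (a `v=spf1 -all` record, a `p=reject` DMARC policy, and the `<domain>._report._dmarc.<report host>` authorization record for report addresses on another domain) can be audited together. The following Python sketch is an added example, not code from anyone in the thread; the `.example` names and the `ZONE` dictionary are constructed stand-ins for DNS TXT lookups, and `org_domain` is a simplification that assumes a single-label public suffix.

```python
import re

def parse_tags(record):
    """Split a DMARC TXT value into a {tag: value} dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(name):
    # Assumption: last two labels; real code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def report_hosts(tags):
    """Hosts of every mailto: URI listed in rua and ruf."""
    uris = ",".join(tags.get(t, "") for t in ("rua", "ruf"))
    return {h.lower() for h in re.findall(r"mailto:[^@\s,]+@([^!,\s]+)", uris, re.I)}

def audit_parked_domain(domain, zone):
    """Return findings for a domain that never sends mail (empty list = OK)."""
    findings = []
    spf = [t.lower().split() for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if spf != [["v=spf1", "-all"]]:
        findings.append("SPF is not exactly 'v=spf1 -all'")
    dmarc = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return findings + ["expected exactly one DMARC record"]
    tags = parse_tags(dmarc[0])
    if tags.get("p") != "reject":
        findings.append("DMARC policy is not p=reject")
    for host in sorted(report_hosts(tags)):
        if org_domain(host) == org_domain(domain):
            continue  # same organizational domain, no authorization needed
        name = f"{domain}._report._dmarc.{host}"
        if not any(t.startswith("v=DMARC1") for t in zone.get(name, [])):
            findings.append(f"missing report authorization: {name}")
    return findings

# Constructed sample data: TXT strings keyed by owner name (stand-in for DNS lookups).
ZONE = {
    "vanity-one.example": ["v=spf1 -all"],
    "_dmarc.vanity-one.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@reports.example"],
    "vanity-one.example._report._dmarc.reports.example": ["v=DMARC1"],
    "vanity-two.example": ["v=spf1 -all"],
    "_dmarc.vanity-two.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reports.example"],
}

for d in ("vanity-one.example", "vanity-two.example"):
    print(d, audit_parked_domain(d, ZONE) or "OK")
```

Without the authorization record, a receiver that follows the external-destination verification in RFC 7489 will not send reports for that vanity domain to the external address, so the second domain's reports would silently go missing.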