Guidance

Protect domains that don’t send email

Make sure that domains that do not send email cannot be used for spoofing.

Read this guidance if you manage government IT and you want to protect domains which do not send email from spoofing attacks.

Criminals can use unprotected domains for email spoofing and phishing, making it easier to commit fraud and damage trust in your organisation.

This guidance is for domains which:

  • never send email, such as defensively registered domains or legacy domains
  • previously sent email but no longer do, such as gsi-family domains that are now cloud-based

Read our guide to securing government email to protect domains that do send email.

You only need access to your DNS records to make the changes in this guide.

Configure your domain

To protect your domain you need to create:

  • an SPF record that says you do not have any sending servers
  • a DMARC record to reject any email from your domain
  • an empty DKIM key record

You can make bulk changes at once and alter the settings if you later decide to start sending email from this domain.

Make these changes to your domain name system (DNS) records.

Create an SPF record with:

type: TXT

host or name: @ (if required)

value: v=spf1 -all

If you check your record using nslookup or dig you should get a result like this:

yourdomain.gov.uk. TXT "v=spf1 -all"
@ TXT "v=spf1 -all"
yoursubdomain.yourdomain.gov.uk. TXT "v=spf1 -all"

Create a DMARC record with:

type: TXT

host or name: _dmarc

value: v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc-rua@dmarc.service.gov.uk,mailto:dmarc@yourdomain.gov.uk

Replace dmarc@yourdomain.gov.uk with the email address that you want reports to be sent to.

If you check your record using nslookup or dig you should get a result like this:

_dmarc TXT "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc-rua@dmarc.service.gov.uk,mailto:dmarc@yourdomain.gov.uk"

Create an empty DKIM record with:

type: TXT

host or name: *._domainkey

value: v=DKIM1; p=

As this is a wildcard record, you cannot check it with nslookup or dig; look in your DNS host's admin panel instead.

Revoke all existing DKIM selectors in both TXT and CNAME records.

This record will make email servers more likely to reject email from your domain.

If you do not send or receive email from this domain, create a null MX record with:

type: MX

host or name: leave this field empty

priority: 0

value: .

Note that some DNS providers do not support a null MX record, so do not worry if you cannot create this record.

Once you have made these changes you can check your domain is configured correctly in the NCSC Mail Check service.
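The following is an added example, not part of this guidance or of the NCSC Mail Check service: a small offline check that the records a non-sending domain publishes match the settings above. The zone it inspects is a constructed sample (the domain is a placeholder); to test a live zone, replace it with the TXT and MX answers returned by your resolver.

```python
def parse_tags(value):
    """Split 'k=v;k2=v2' (DMARC/DKIM syntax) into a dict, ignoring whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def check_non_sending_domain(records):
    """Return findings for a zone that should never send email; [] means the
    records match the guidance. records maps DNS name -> [(type, value), ...]."""
    findings = []
    # SPF at the apex must be exactly 'v=spf1 -all' (no sending servers)
    spf = [v for t, v in records.get("@", []) if t == "TXT" and v.lower().startswith("v=spf1")]
    if len(spf) != 1 or spf[0].split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: expected one record 'v=spf1 -all', got {spf}")
    # DMARC must reject for the domain and its subdomains and name a report address
    dmarc = [v for t, v in records.get("_dmarc", []) if t == "TXT"]
    if not dmarc:
        findings.append("DMARC: no _dmarc TXT record")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("v") != "DMARC1":
            findings.append("DMARC: record must begin with v=DMARC1")
        for tag in ("p", "sp"):
            if tags.get(tag) != "reject":
                findings.append(f"DMARC: {tag} should be reject, got {tags.get(tag)!r}")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so you will receive no reports")
    # DKIM: the wildcard selector must publish an empty key and no real selectors remain
    dkim = [v for t, v in records.get("*._domainkey", []) if t == "TXT"]
    if not dkim or parse_tags(dkim[0]).get("p", "missing") != "":
        findings.append("DKIM: *._domainkey should be 'v=DKIM1; p='")
    for name in records:
        if name.endswith("._domainkey") and name != "*._domainkey":
            findings.append(f"DKIM: selector {name} is still published; revoke it")
    # Null MX (priority 0, target '.') is optional, but any other MX is a finding
    mx = [v for t, v in records.get("@", []) if t == "MX"]
    if mx and mx != ["0 ."]:
        findings.append(f"MX: domain still advertises mail exchangers {mx}")
    return findings

SAMPLE_ZONE = {  # constructed sample zone with a placeholder domain, not a live lookup
    "@": [("TXT", "v=spf1 -all"), ("MX", "0 .")],
    "_dmarc": [("TXT", "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;"
                       "rua=mailto:dmarc-rua@dmarc.service.gov.uk,mailto:dmarc@example.gov.uk")],
    "*._domainkey": [("TXT", "v=DKIM1; p=")],
}
```

An empty findings list for SAMPLE_ZONE confirms the four settings in this guide are present; each finding names the record to correct.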

Protect subdomains that send emails

You may have a domain that does not send email and a subdomain within that does send email. For example, gov.uk does not send email but cabinetoffice.gov.uk does send email.

If you want to protect subdomains that send email, you must:

Request DNS changes

The table below shows who to contact to make changes to your public DNS records.

Record type                                                              Scope            Who to request changes from            Authority
*.gsi.gov.uk, *.gsx.gov.uk, *.gse.gov.uk, *.gcsx.gov.uk, *.x.gsi.gov.uk  PSN-facing       Contact Vodafone using this PSN form   Vodafone
*.gsi.gov.uk, *.gsx.gov.uk, *.gse.gov.uk, *.gcsx.gov.uk, *.x.gsi.gov.uk  Internet-facing  Contact Vodafone using this PSN form   Vodafone
*.gov.uk                                                                 PSN-facing       Contact Vodafone using this PSN form   Vodafone
*.gov.uk                                                                 Internet-facing  Your DNS domain registrar              JISC
any other domains                                                        PSN-facing       Contact Vodafone using this PSN form   Vodafone
any other domains                                                        Internet-facing  Your DNS domain registrar              Various

Read more about protecting domains

You can find out more about protecting domains by reading the:

Published 4 October 2016
Last updated 18 February 2019
  1. Updated to give more detailed advice on configuring domains.
  2. First published.