Protect domains that don’t send email

Make sure that domains that don’t send email can’t be used for spoofing.

Read this guidance if you manage government IT.

Whether your domain is managed in-house or by a commercial provider, follow this guidance to configure domains that don’t send email to protect them from spoofing attacks. Unprotected domains can be used for email spoofing and phishing, enabling fraud and damaging trust in your organisation.

This guidance is for domains that:

  • never send email
  • previously sent email but don’t any more

Read our guide to securing government email to protect domains that do send email.

Configure your domain

Make these changes to your domain name system (DNS) record.

Create an SPF record with:

type: TXT

host or name: @ (if required)

value: v=spf1 -all

and a DMARC record with:

type: TXT

host or name: _dmarc

value: v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;,;

Replace with the email address that you want reports to be sent to.

If you want to protect a domain with subdomains that send email, you must:

No DomainKeys Identified Mail (DKIM) record is required.

There is no assessment process for domains that don’t send email, but they are checked by the domain information tool and may be reviewed in the future. Where possible, mark domains as ‘no longer in use’ in the tool. You can request access to the tool using this form.

Request DNS changes

The table below shows who to contact to make changes to your public DNS records.

Record type Request changes from DNS host
*, *, *, *, * Vodafone via this PSN form Vodafone
* Your IT service provider JANET
any other domains Your IT service provider Your DNS host

Read more about protecting domains

Find out more about email security standards. Read guidance on securing government email.

For more information contact

Published 4 October 2016