Make sure that domains that don’t send email can’t be used for spoofing.
Read this guidance from Common Technology Services (CTS) if you manage government IT.
Whether your domain is managed in-house or by a commercial provider, follow this guidance to configure domains that don’t send email to protect them from spoofing attacks. Unprotected domains can be used for email spoofing and phishing, enabling fraud and damaging trust in your organisation.
This guidance is for domains that:
- never send email
- previously sent email but don’t any more
Read our guide to securing government email to protect domains that do send email.
Configure your domain
Make these changes to your domain name system (DNS) record.
Create an SPF record with:
host or name: @ (if required)
and a DMARC record with:
host or name:
firstname.lastname@example.org with the email address that you want reports to be sent to.
If you want to protect a domain with subdomains that send email, you must:
- include a DMARC record and other anti-spoofing configurations on all subdomains by following the guidance to set up government email services securely
No DomainKeys Identified Mail (DKIM) record is required.
There is no assessment process for domains that don’t send email, but they are checked by the domain information tool and may be reviewed in the future. Where possible, mark domains as ‘no longer in use’ in the tool. You can request access to the tool using this form.
Request DNS changes
The table below shows who to contact to make changes to your public DNS records.
|Record type||Request changes from||DNS host|
|*.gsi.gov.uk, *.gsx.gov.uk, *.gse.gov.uk, *.gcsx.gov.uk, *.x.gsi.gov.uk||Vodafone via this PSN form||Vodafone|
|*.gov.uk||Your IT service provider||JANET|
|any other domains||Your IT service provider||Your DNS host|
Read more about protecting domains
Email email@example.com to:
- join the CTS review group
- provide feedback on CTS guidance
- submit ideas for solutions
- discuss how this guidance will help you use technology more efficiently and effectively
Return to the Common Technology Services page.
Published: 4 October 2016