Make sure that domains that don’t send email can’t be used for spoofing.
Read this guidance if you manage government IT.
Whether your domain is managed in-house or by a commercial provider, follow this guidance to configure domains that don’t send email to protect them from spoofing attacks. Unprotected domains can be used for email spoofing and phishing, enabling fraud and damaging trust in your organisation.
This guidance is for domains that:
- never send email
- previously sent email but don’t any more
Read our guide to securing government email to protect domains that do send email.
Configure your domain
Make these changes to your domain name system (DNS) record.
Create an SPF record with:
host or name: @ (if required)
and a DMARC record with:
host or name:
email@example.com with the email address that you want reports to be sent to.
If you want to protect a domain with subdomains that send email, you must:
- include a DMARC record and other anti-spoofing configurations on all subdomains by following the guidance to set up government email services securely
No DomainKeys Identified Mail (DKIM) record is required.
There is no assessment process for domains that don’t send email, but they are checked by the domain information tool and may be reviewed in the future. Where possible, mark domains as ‘no longer in use’ in the tool. You can request access to the tool using this form.
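The configuration above can be checked with a short script. This is an added example, not code from this guidance or from the domain information tool. It assumes that a locked-down non-sending domain publishes the SPF record `v=spf1 -all` and a DMARC record with `p=reject` and a `mailto:` reporting address (the RFC 7208 and RFC 7489 forms). The function names, the domain names and the sample TXT data are constructed for illustration.

```python
# Added example (not GOV.UK code). Assumption: lockdown means SPF "v=spf1 -all"
# and DMARC "p=reject" with a mailto: report address (RFC 7208 / RFC 7489).

def parse_tags(record):
    """Split a DMARC record into a tag -> value dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(domain, txt):
    """Return findings for a non-sending domain; txt maps DNS name -> TXT strings."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one record, found {len(spf)}")
    elif spf[0].lower().split()[1:] != ["-all"]:
        findings.append("SPF: record must contain only '-all'")

    dmarc = [r for r in txt.get("_dmarc." + domain, [])
             if r.replace(" ", "").startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
        return findings
    tags = parse_tags(dmarc[0])
    if tags.get("p", "").lower() != "reject":
        findings.append("DMARC: p is not 'reject'")
    if tags.get("sp", "reject").lower() != "reject":
        findings.append("DMARC: sp weakens the policy for subdomains")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct below 100 applies the policy to only some mail")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("DMARC: no rua=mailto: address for aggregate reports")
    return findings

# Constructed sample zone data (not real DNS answers).
SAMPLE_TXT = {
    "parked.example": ["v=spf1 -all"],
    "_dmarc.parked.example": ["v=DMARC1;p=reject;rua=mailto:email@example.com"],
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
}

if __name__ == "__main__":
    for name in ("parked.example", "weak.example", "missing.example"):
        print(name, audit_parked_domain(name, SAMPLE_TXT) or "locked down")
```

An empty result means the domain matches the assumed lockdown; a domain with no records at all yields one SPF and one DMARC finding.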
Request DNS changes
The table below shows who to contact to make changes to your public DNS records.
| Record type | Request changes from | DNS host |
|---|---|---|
| *.gsi.gov.uk, *.gsx.gov.uk, *.gse.gov.uk, *.gcsx.gov.uk, *.x.gsi.gov.uk | Vodafone via this PSN form | Vodafone |
| *.gov.uk | Your IT service provider | JANET |
| any other domains | Your IT service provider | Your DNS host |
Read more about protecting domains
For more information contact firstname.lastname@example.org
Published: 4 October 2016