Just because you have a domain that you don't use to send email doesn't mean you don't need to protect it. For instance, let's say you own two domains, "AcceptPayments.example.com" and "MyStore.example.com". You're a busy store and a well-known brand, and you use the email address "email@example.com" to process all the payments for sales at your popular store. Your store domain, MyStore.example.com, doesn't send any mail.
An email scammer comes along, notices how your business uses email, and realizes that you set up acceptpayments.example.com with the current email authentication standards (SPF, DKIM, etc.) to help prevent email fraud. He then sees that you have another domain that is not configured to send mail. The scammer targets that non-sending domain by sending spoofed messages with the From address "Payments@MyStore.example.com". When receiving mail servers go to validate those messages, they find no SPF record to evaluate at all (an SPF result of "none", not "neutral"), so there is nothing to reject on, and the email lands in your customers' inboxes asking them to reset their password at a fake location. The customer thinks the email is from "MyStore.example.com", clicks the link, and proceeds to change their password on a site that is stealing your customers' passwords. This is one of many examples of email fraud committed using non-sending domains.
How do I prevent this kind of spoofed email from my domain?
The answer is simple: you need to set up an SPF policy on every domain that does not send email. To do that you'll need to create a DNS TXT record at the domain's apex.
Awesome, what syntax do I need to add to DNS?
Your SPF Record will look like this:
MyStore.example.com. IN TXT "v=spf1 -all"
The record above lists no authorized senders and ends with "-all" (hardfail), so any message that names this domain as its envelope sender evaluates to an SPF "fail", and receivers that enforce SPF will reject it. Two caveats: SPF is checked against the envelope sender (MAIL FROM) and the HELO name, not the From header the user sees, and whether a receiver actually bounces a failing message is its own policy decision. Publish the record anyway; a hard "fail" gives receivers something concrete to act on, which a missing record never does.
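To make the difference between "no record" and "v=spf1 -all" concrete, here is a minimal SPF evaluator, added as an example for this article (it is not code from the original page). It walks an SPF record the way a receiving server does for the ip4/ip6/include/all mechanisms, and it uses a constructed in-memory TXT table instead of live DNS so it runs offline. The domains, IP ranges and the include-based partner record in that table are assumptions made for the demonstration; the "v=spf1 -all" entry for mystore.example.com is the record from the article.

```python
"""Minimal SPF evaluator (added example, not the original page's code).

Demonstrates what a receiving mail server concludes for a sender IP under
three situations: a normal sending domain, a non-sending domain that
publishes "v=spf1 -all", and a domain with no SPF record at all.
"""
import ipaddress

# Constructed DNS TXT data for the demonstration (hypothetical zone data).
# acceptpayments.example.com: sends from one IPv4 range.
# mystore.example.com:        the null policy from the article.
# partner.example.com:        delegates to acceptpayments via include:.
# nospf.example.com:          no SPF record, the unprotected case.
FAKE_DNS_TXT = {
    "acceptpayments.example.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "mystore.example.com": ["v=spf1 -all"],
    "partner.example.com": ["v=spf1 include:acceptpayments.example.com -all"],
    "nospf.example.com": ["some unrelated txt record"],
}

# SPF qualifier characters and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt_table=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None when it publishes none.

    RFC 7208 treats more than one SPF record as a permanent error, so that
    case is rejected rather than silently picking one.
    """
    records = [
        r for r in txt_table.get(domain.lower(), [])
        if r == "v=spf1" or r.startswith("v=spf1 ")
    ]
    if not records:
        return None
    if len(records) > 1:
        raise ValueError("permerror: multiple SPF records for %s" % domain)
    return records[0]


def evaluate_spf(sender_ip, domain, txt_table=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against the SPF record of `domain`.

    Supports ip4, ip6, include and all; other mechanisms (a, mx, exists)
    are skipped, which is enough to show how "-all" closes a domain.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = lookup_spf(domain, txt_table)
    if record is None:
        return "none"  # no policy published: the receiver has nothing to reject on
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ipaddress returns False for a v4/v6 version mismatch
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the referenced record yields "pass"
            matched = evaluate_spf(sender_ip, arg, txt_table, depth + 1) == "pass"
        else:
            continue  # unsupported mechanism, ignored in this demonstration
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match: default result


if __name__ == "__main__":
    spoof_ip = "198.51.100.9"  # constructed attacker address
    for d in ("acceptpayments.example.com", "mystore.example.com", "nospf.example.com"):
        print("%-30s %s" % (d, evaluate_spf(spoof_ip, d)))
```

Run it and the attacker's address gets "fail" from both the sending domain and the "-all" store domain, but "none" from the domain with no record. That "none" is exactly the gap the scammer in the story exploits: the receiver has no statement from the domain owner to act on.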