January, 2026 – Graham Miln

Setting up domains without e-mail

If you manage a domain name that does not send or receive e-mail, add Domain Name System (DNS) records to declare this. These records reduce the chances of your domain being seen as a source of spam and spoofing.

The DNS records to add include:

DNSControl is an open source tool for managing domain name records. It offers JavaScript based configuration of domains and registrars. I recently adopted this tool for my domains and have found it helpful, if rough around the edges.

For a single domain, the following dnsconfig.js creates the recommended records:

var REG_NONE = NewRegistrar("none");
var DNS_BIND = NewDnsProvider("bind");

D("example.com", REG_NONE, DnsProvider(DNS_BIND),
  A("@", "1.2.3.4"),
  MX("@", 0, "."),
  DMARC_BUILDER({
    policy: "reject",
    subdomainPolicy: "reject",
    alignmentSPF: "strict",
    alignmentDKIM: "strict",
  }),
  DKIM_BUILDER({
    selector: "*",
  }),
  SPF_BUILDER({
    parts: [
      "v=spf1",
      "-all", // reject all mail claiming to be from this domain
    ],
  }),
);

If you manage many domains, taking advantage of the programmable nature of the configuration format is worthwhile.

The JavaScript function below, NO_EMAIL, creates these no e-mail records for a domain:

function NO_EMAIL(name) {
  return [
    // https://www.rfc-editor.org/rfc/rfc7505#section-3
    MX(name, 0, "."),

    DMARC_BUILDER({
      label: name,
      policy: "reject",
      subdomainPolicy: "reject",
      alignmentSPF: "strict",
      alignmentDKIM: "strict",
    }),
    DKIM_BUILDER({
      label: name,
      selector: "*",
    }),
    SPF_BUILDER({
      label: name,
      overflow: "_spf%d",
      parts: [
        "v=spf1",
        "-all", // reject all mail claiming to be from this domain
      ]
    })
  ]
}

var REG_NONE = NewRegistrar("none");
var DNS_BIND = NewDnsProvider("bind");

// Domains that do not send or receive e-mail
D("example.com", REG_NONE, DnsProvider(DNS_BIND),
  A("@", "1.2.3.4"),
  NO_EMAIL("@")
)

D("example.org", REG_NONE, DnsProvider(DNS_BIND),
  A("@", "1.2.3.5"),
  NO_EMAIL("@")
)

See UK Government’s Protecting parked domains for the UK public sector and CloudFlare’s How to protect domains that do not send email for more about why this matters.