S
SPF Creator

SPF Records for Parked Domains and Non-Sending Domains

Learn why every domain you own needs an SPF record -- even if it never sends email. Protect parked domains from spoofing with a null SPF record.

You own several domains. Maybe you bought them to protect your brand, or you're holding them for future projects. They don't have mailboxes, they don't send newsletters, they don't do anything. So you don't need SPF records for them, right?

Wrong. Parked domains without SPF records are one of the easiest targets for email spoofing. Attackers specifically seek out unprotected domains because there's nothing stopping them from sending fraudulent email that appears to come from your domain. And when they do, the reputation damage lands on you.

Why Attackers Target Parked Domains

When a domain has no SPF record, receiving mail servers have no way to verify whether an email claiming to be from that domain is legitimate. There's no policy to check against. Some servers will accept the message, others might flag it -- but none can definitively reject it based on SPF.

Attackers know this. They scan for domains without SPF records and use them in phishing campaigns, spam runs, and business email compromise attacks. Your parked domain -- the one you haven't thought about in two years -- could be sending thousands of phishing emails right now.

A domain with no SPF record is more vulnerable than a domain with a permissive SPF record. At least a permissive record gives receivers something to evaluate. No record means no protection at all.

The Null SPF Record

The fix takes about thirty seconds. You publish a "null" SPF record that explicitly says this domain does not send email:

v=spf1 -all

That's it. This record contains no include, ip4, mx, or a mechanisms -- just a hard fail (-all). It tells every receiving mail server in the world that no server is authorized to send email from this domain. Any email claiming to come from it should be rejected.

This is the simplest and most effective SPF record you can create. Use the free SPF record generator to build it, or just type it directly into your DNS as a TXT record on the root domain (@).

Add DMARC Too

An SPF record alone isn't enough for complete protection. You should also add a DMARC record that tells receivers to reject any email that fails authentication:

v=DMARC1; p=reject; rua=mailto:[email protected]

The p=reject policy instructs receiving servers to drop any email that doesn't pass SPF or DKIM checks. For a domain that never sends email, this is exactly what you want -- reject everything. You can set up a DMARC record using DMARC Creator.

For parked domains, go straight to p=reject. The usual advice to start with p=none and gradually tighten applies to active sending domains. Since a parked domain has no legitimate email to worry about, there's no reason to start permissive.

Don't Forget the Null DKIM

For thorough protection, add an empty DKIM record as well. Publish a DKIM TXT record with an empty p= value on a wildcard selector:

*._domainkey.yourdomain.com TXT "v=DKIM1; p="

This tells receivers that no DKIM keys exist for this domain. Combined with SPF -all and DMARC p=reject, you've locked the domain down completely. Learn more about DKIM setup at DKIM Creator.

How to Audit All Your Domains

If you've been buying domains for years, you might not even remember all of them. Here's how to find and protect every domain you own.

1

List every domain you own

Log in to each registrar you've used -- GoDaddy, Namecheap, Cloudflare, Google Domains, and any others. Export or write down every domain, including ones you forgot about. Check your email for renewal notices to catch domains on registrars you don't remember.

2

Check each domain for existing SPF records

Use SPF Record Check to look up every domain on your list. Note which ones have SPF records and which don't.

3

Categorize each domain

Sort your domains into two buckets: domains that actively send email (your main business domain, for example) and domains that don't send email at all. The non-sending domains get the null SPF treatment.

4

Add null SPF records to every non-sending domain

For each parked or non-sending domain, add a TXT record with v=spf1 -all. This takes less than a minute per domain in most DNS dashboards.

5

Add DMARC reject policies to every non-sending domain

Add a TXT record on _dmarc.yourdomain.com with v=DMARC1; p=reject; for each parked domain.

6

Verify everything

Run each domain through SPF Record Check again to confirm the records are published and valid.

Why Registrar "Parked" Pages Don't Protect You

When you buy a domain and don't set up hosting, your registrar might display a generic "parked" or "this domain is for sale" page. Some people assume this means the domain is somehow protected. It isn't.

A parked page is just a web page. It has nothing to do with email authentication. The registrar doesn't automatically add SPF, DKIM, or DMARC records to your domain. Unless you've explicitly added those DNS records yourself, the domain is wide open for spoofing.

Some registrars add a basic MX record pointing to their own mail servers or a "catch-all" setup. This can actually make things worse -- it suggests the domain handles email, but without SPF there's no enforcement of who's allowed to send.

Even if your registrar advertises "email protection" or "domain privacy" features, these don't include SPF records. Domain privacy hides your WHOIS information. SPF protects against email spoofing. They're completely different things.

The Complete Parked Domain DNS Setup

For any domain that should never send email, publish these three TXT records:

SPF (on root domain @):

v=spf1 -all

DMARC (on _dmarc subdomain):

v=DMARC1; p=reject; rua=mailto:[email protected]

DKIM (on *._domainkey subdomain):

v=DKIM1; p=

Together, these records tell the entire email ecosystem that this domain does not send email and any message claiming to come from it is fraudulent.

Make It Part of Your Domain Buying Process

Every time you register a new domain, add the null SPF record and DMARC reject policy immediately -- even if you plan to build something on it later. It takes two minutes and protects you from day one. When you're ready to actually send email from the domain, you can update the SPF record with the appropriate include mechanisms. Until then, -all keeps you safe.

Set a quarterly reminder to review your domain portfolio with Deliverability Checker. Domains you forgot about are domains attackers haven't.

Related Articles

Never miss an SPF issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring