For Defensive domains, should I have DNS entries with DMARC and SPF records, or is it better to have no DNS entry at all?

The answer depends on how convoluted or long the domain is and how closely it resembles a real brand name. Those factors influence how likely the domain is to be used in spoofed messages.
Granted, some receivers reject deliveries when the sending domain does not resolve in DNS at all. But more of them reject messages because the domain publishes a nonpermissive SPF record ("v=spf1 -all") and/or a DMARC reject policy.
Furthermore, the receivers that do reject messages for lack of DNS resolution will very likely do so on the basis of the RFC 5321 MAIL FROM domain, not the RFC 5322 From: header domain, which is the identifier DMARC helps protect and report on.

To illustrate this last point: I could send email that passes SPF for my own domain while using your Defensive domain in the visible From: header.
Such a message is unlikely to be rejected on the basis of your domain, and without DMARC you are unlikely to learn that this is happening at all.
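The following is an added example, not part of the original article: a small Python checker that reports whether a defensive domain's SPF and DMARC TXT records match the posture described above, plus a simplified DMARC alignment evaluation showing why an SPF pass on the sender's own MAIL FROM domain does not cover a spoofed From: header. The domain names and record strings are constructed for illustration, and the alignment logic is a strict-alignment simplification of RFC 7489, not a full implementation.

```python
import re
from typing import List, Optional

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def defensive_posture(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[str]:
    """Return findings for a domain that should never send mail (empty list = good)."""
    findings = []
    if spf_txt is None:
        findings.append("no SPF record: receivers cannot reject on the MAIL FROM domain")
    elif re.sub(r"\s+", " ", spf_txt.strip().lower()) != "v=spf1 -all":
        findings.append(f"SPF does not hard-fail everything: {spf_txt!r}")
    if dmarc_txt is None:
        findings.append("no DMARC record: From: header spoofing is neither rejected nor reported")
    else:
        tags = parse_dmarc(dmarc_txt)
        if tags.get("p", "").lower() != "reject":
            findings.append(f"DMARC policy is p={tags.get('p', 'none')!r}, not reject")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: you will get no aggregate reports")
    return findings

def dmarc_result(from_header_domain: str, mail_from_domain: str, spf_pass: bool,
                 dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> str:
    """Simplified DMARC evaluation with strict alignment: pass only if an authenticated
    identifier (SPF MAIL FROM domain or DKIM d= domain) equals the From: header domain."""
    spf_aligned = spf_pass and mail_from_domain.lower() == from_header_domain.lower()
    dkim_aligned = dkim_pass and (dkim_domain or "").lower() == from_header_domain.lower()
    return "pass" if (spf_aligned or dkim_aligned) else "fail"

if __name__ == "__main__":
    # Constructed records for a parked brand-lookalike domain.
    print(defensive_posture("v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    print(defensive_posture("v=spf1 -all", "v=DMARC1; p=none"))
    # SPF passes for the sender's own domain, but the From: header uses the defensive domain.
    print(dmarc_result("parked-brand.example", "sender.example", spf_pass=True))
```

Run against real records by pulling the TXT values for the domain and `_dmarc.<domain>` with your resolver of choice; the checker itself is offline.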
