Tip: make sure you set up SPF and DMARC for a new domain
In January 2026, I set up a new domain for an app and didn’t create any email-related records. I didn’t realize that was a mistake until my work computer started resolving the name to 0.0.0.0, blackholing my traffic to it.
The tool at EasyDMARC showed that my domain was “high risk”. The reason? People could use that domain to send bogus email because it didn’t have a DNS setup to prevent abuse.
What’s need in the setup?
- An SPF record for both the top-level domain and any subdomain (e.g. “www”). It’s a TXT record containing
v=spf1 -all - I also needed a TXT record in the domain called
_dmarcwith the valuev=DMARC1; p=reject; aspf=s; adkim=s;which says to reject…
Tip: make sure you set up SPF and DMARC for a new domain
In January 2026, I set up a new domain for an app and didn’t create any email-related records. I didn’t realize that was a mistake until my work computer started resolving the name to 0.0.0.0, blackholing my traffic to it.
The tool at EasyDMARC showed that my domain was “high risk”. The reason? People could use that domain to send bogus email because it didn’t have a DNS setup to prevent abuse.
What’s need in the setup?
- An SPF record for both the top-level domain and any subdomain (e.g. “www”). It’s a TXT record containing
v=spf1 -all - I also needed a TXT record in the domain called
_dmarcwith the valuev=DMARC1; p=reject; aspf=s; adkim=s;which says to reject all email from the domain. There are other frequently recommended settings to be able to find out who’s trying to send such mail, but I don’t care so much about that so I’m just rejecting the messages with no notice.