MX record for domain with no mail NULL MX record

Not 100 % sure but.
Info:

From RFC7505 Section 3:

  1. MX Resource Records Specifying Null MX

     To indicate that a domain does not accept email, it advertises a single MX RR (see Section 3.3.9 of [RFC1035]) with an RDATA section consisting of preference number 0 and a zero-length label, written in master files as “.”, as the exchange domain, to denote that there exists no mail exchanger for a domain. Since “.” is not a valid host name, a null MX record cannot be confused with an ordinary MX record. **The use of “.” as a pseudo-hostname meaning no service available is modeled on the SRV RR [RFC2782] where it has a similar meaning.**

     A domain that advertises a null MX MUST NOT advertise any other MX RR.

So there you set the MX 0 a dot . ?

Then it should be good to also set this SPF?

A simple TXT record will do this for you, set the SPF records to have a null value with a hard fail:

    @ IN TXT "v=spf1 -all"
    * IN TXT "v=spf1 -all"

That’s how I ensure a domain that I use for internal or non-mail services can’t be phished.

For this:

. Domains that do not send mail

An SMTP server when presented with an “I never accept email” MX might decline to accept such email as it knows that a response or non-delivery notice will never be accepted, and that legitimate mail rarely comes from domains that do not accept replies.

SMTP servers that reject mail because a MAIL FROM domain has a NULL MX record should use a 550 reply code.

Although NULL MX may imply that a domain sends no mail, it does not say so explicitly. Operators may want to publish SPF [RFC4408] -ALL policies to make an explicit statement.

I can confirm the SPF record. Yes, TXT “v=spf1 -all” is crucial. Without that, bad guys can SPOOF your email, sending as if they are you.

Our email server never sends email as itself, nor even as its domain. That SPF record is what cleaned up a major amount of RBL blocking… because people were spoofing us.

We do keep a real MX record for that domain – that’s only for incoming postmaster messages.

There’s no standard suggesting that lack of MX means you don’t SEND email. That’s why SPF is important.

2 Likes
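An added example, not from any poster in this thread: a small Python check of a zone snippet against the two records discussed above (the RFC 7505 null MX and an SPF `v=spf1 -all`). The zone snippets, `example.net`, and the function names are constructed for illustration.

```python
import re

# Constructed master-file snippets for illustration (example.net is a placeholder).
NO_MAIL = '''
@ IN MX 0 .
@ IN TXT "v=spf1 -all"
* IN TXT "v=spf1 -all"
'''
RECEIVE_ONLY = '''
@ IN MX 10 mail.example.net.
@ IN TXT "v=spf1 -all"
'''
BROKEN = '''
@ IN MX 0 .
@ IN MX 10 mail.example.net.
@ IN TXT "v=spf -all"
'''

def parse(zone):
    """Yield (owner, type, rdata) from simple 'owner IN TYPE rdata' lines."""
    for line in zone.splitlines():
        m = re.match(r'(\S+)\s+IN\s+(MX|TXT)\s+(.+)$', line.strip(), re.I)
        if m:
            yield m.group(1), m.group(2).upper(), m.group(3).strip()

def audit(zone, owner="@"):
    recs = [(t, rd) for o, t, rd in parse(zone) if o == owner]
    mx = [rd.split() for t, rd in recs if t == "MX"]
    txt = [rd.strip('"').lower() for t, rd in recs if t == "TXT"]
    problems = []
    # RFC 7505: null MX is preference 0 with "." as exchange, and stands alone.
    null_mx = any(ex == "." for _, ex in mx)
    if null_mx and len(mx) > 1:
        problems.append("null MX published alongside other MX records")
    if any(ex == "." and pref != "0" for pref, ex in mx):
        problems.append("null MX must use preference 0")
    # Only a record whose first term is exactly v=spf1 is treated as SPF.
    spf = [t for t in txt if t.split()[:1] == ["v=spf1"]]
    for t in txt:
        if t.startswith("v=spf") and t not in spf:
            problems.append(f"TXT {t!r} lacks the v=spf1 version tag")
    if len(spf) > 1:
        problems.append("more than one SPF record")
    deny_all = len(spf) == 1 and spf[0].split() == ["v=spf1", "-all"]
    if not deny_all:
        problems.append("no single 'v=spf1 -all' record, so sending is not denied")
    return {"null_mx": null_mx, "spf_deny_all": deny_all, "problems": problems}

if __name__ == "__main__":
    for name, zone in [("no-mail", NO_MAIL), ("receive-only", RECEIVE_ONLY), ("broken", BROKEN)]:
        print(name, audit(zone))
```

`RECEIVE_ONLY` mirrors the setup described in the last reply (a real MX for incoming mail plus `-all`), which passes with `null_mx` false; `BROKEN` shows the two mistakes that silently defeat the intent.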
