Parked Domains (Null MX)

A parked domain is a domain that doesn't receive email. This includes domains registered to prevent cybersquatting, brand protection domains, or domains used only for websites without email functionality.

Even if your domain doesn't receive email, it can still be abused by attackers to send spoofed emails. Properly configuring parked domains prevents this abuse.

The Problem

Without proper configuration, attackers can:

• Send phishing emails appearing to come from your parked domain
• Damage your brand reputation
• Use your domain in spam campaigns
• Bypass spam filters by exploiting unconfigured domains

Null MX (RFC 7505)

The Null MX record is a standard way to explicitly declare that a domain does not accept email.

example.com.  IN  MX  0 .

This tells mail servers: "Don't even try to deliver email here—there are no mail servers."

How It Works

Sender                           Receiver
  │                                  │
  │  "I want to send to             │
  │   user@example.com"             │
  │ ────────────────────────────────>│
  │                                  │
  │                           Look up MX
  │                           for example.com
  │                                  │
  │                           Found: MX 0 .
  │                           (Null MX)
  │                                  │
  │  "550 Mail not accepted"        │
  │ <────────────────────────────────│
  │                                  │

The sender immediately knows not to deliver, without wasting resources trying to connect to a non-existent mail server.

Complete Parked Domain Configuration

For full protection, configure all of these DNS records:

1. Null MX Record

example.com.  IN  MX  0 .

Explicitly declares no mail servers exist.

2. SPF Record

example.com.  IN  TXT  "v=spf1 -all"

The -all (hard fail) means "no servers are authorized to send email for this domain."

3. DMARC Record

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"

Key points:

• p=reject tells receivers to reject any email claiming to be from this domain
• rua= should point to an address on a different domain that does receive email
• This helps you monitor if anyone is trying to abuse your domain

4. DKIM Wildcard (Optional)

*._domainkey.example.com.  IN  TXT  "v=DKIM1; p="

The empty p= value revokes all DKIM keys, explicitly stating no valid signatures exist.

Detection in MailShield

MailShield automatically detects parked domains through several methods:

Detection Method	Description
Null MX	Explicit MX 0 . record (RFC 7505)
No MX Records	Domain has no MX records configured
Unreachable MX	All MX hosts refuse connections or timeout
Unresolvable MX	MX hostnames don't resolve to IP addresses
Relay Denied	MX servers reject mail for the domain

When MailShield detects any of these conditions, it:

1. Recognizes the domain as a parked/non-email domain
2. Adjusts scoring appropriately
3. Provides recommendations if the configuration is incomplete

Scoring for Parked Domains

Parked domains are scored differently than active mail domains:

Component	Points	Requirement
MX	10	Null MX or intentional no-mail configuration (5 pts for detected non-receiving)
SPF	15	v=spf1 -all for full points (8 pts for ~all)
DMARC	Up to 25	p=reject (15 pts) or p=quarantine (10 pts), plus rua reporting (+5), plus MailShield reporting or ruf (+5)
DNSSEC	10	Optional but recommended

Features not applicable to parked domains (MTA-STS, TLS-RPT, BIMI, DANE) are excluded from scoring.

A well-configured parked domain can achieve a perfect score.

DMARC Reporting for Parked Domains

Even though your domain doesn't receive email, you should still configure DMARC reporting. This helps you:

• Detect if anyone is attempting to spoof your domain
• Identify misconfigured systems that might legitimately be sending as your domain
• Maintain visibility into domain abuse

Important

Since your parked domain has null MX (or no MX), the DMARC rua and ruf addresses must point to a different domain that can receive email.

_dmarc.parked.example.com.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@primary.example.com"

If sending reports to a different organizational domain, you may need to add an authorization record:

parked.example.com._report._dmarc.primary.example.com.  IN  TXT  "v=DMARC1"

Common Scenarios

Brand Protection Domains

You own mybrand.io but only use mybrand.com. Configure mybrand.io as a parked domain to prevent abuse.

Typosquatting Protection

You've registered mycomapny.com (typo of mycompany.com) to protect users from phishing. Configure it as a parked domain.

Expired Email Service

Your domain used to have email but no longer does. Convert it to a parked domain configuration rather than leaving old MX records pointing to nowhere.

Website-Only Domains

Your domain hosts a website but uses a third-party email service (like Google Workspace) on a different domain. If no email service exists on this domain, configure it as parked.

Migration from Active to Parked

If transitioning a domain from active email to parked:

1. Notify users about the email shutdown
2. Update SPF from listing authorized senders to -all
3. Update DMARC to p=reject (if not already)
4. Replace MX records with null MX (0 .)
5. Optionally add the DKIM wildcard revocation

TIP

Keep DMARC reporting active during and after the transition to monitor for any issues.

Best Practices

Do

• Use null MX for explicit "no email" signaling
• Always configure SPF with -all for parked domains
• Set DMARC to p=reject
• Keep DMARC reporting active to monitor abuse
• Regularly review DMARC reports for attempted spoofing

Don't

• Leave parked domains without email security records
• Use ~all (soft fail) for parked domains—use -all (hard fail)
• Forget to update DMARC rua to point to a working email address
• Assume "no MX records" is sufficient—use null MX for clarity

Next Steps

• Learn about SPF
• Learn about DMARC
• Learn about DNSSEC
• Why Email Security Matters