Important reminder! How to protect domains from spam, blacklisting, and suspension?


Email authentication records: SPF, DKIM, DMARC

We remind you to add SPF / DKIM / DMARC records on your name servers to prevent others from sending spam on behalf of your domain.

Without anti-spam policies, anyone can send emails on behalf of your domain.

Note: You can check your domain's email authentication records at https://mxtoolbox.com/SuperTool.aspx

Note: You can check your domain's spam listings at:

Instructions for Protecting Non-Sending Domains from Anti-Spam RBLs (Spamhaus DBL, SURBL, etc.)

To prevent your domain from being blacklisted by RBLs (Spamhaus DBL, SURBL, etc.), you must ensure that no one can spoof your domain to send spam.

If your domain is used to send email, be sure to create valid SPF/DKIM/DMARC records with values that allow only you to send email, so that third parties cannot send spam on behalf of your domain.

If your domain is not used to send email, configure your DNS records to explicitly "deny" all email traffic. This protects the reputation of both your main domain and all of its subdomains.

Essential DNS Configuration

The goal is to tell receiving mail servers that any email appearing to come from your domain is fraudulent and should be rejected immediately:

  • SPF (Sender Policy Framework): Declares that no IP addresses are authorized to send mail for your domain.
  • DKIM (DomainKeys Identified Mail): A "placeholder" record that informs servers no valid DKIM keys exist for this domain or its subdomains.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): The most critical instruction, telling servers to reject any mail that fails SPF/DKIM checks for the main domain and all subdomains.

If the domain is not used for receiving mail, it is also recommended to add a Null MX record:

  • Null MX: Explicitly signals that the domain does not accept any email. This prevents spammers from using addresses at your domain as return addresses (bounce messages).

| Type | Host / Subdomain | Value (Text) | Description |
|------|------------------|--------------|-------------|
| TXT | @ | v=spf1 -all | SPF: Hard fail. Prohibits any server from sending mail. |
| TXT | * | v=spf1 -all | Wildcard SPF: Prohibits mail sending from any and all subdomains. |
| TXT | *._domainkey | v=DKIM1; p= | Wildcard DKIM: Explicitly invalidates DKIM keys for all selectors and subdomains. |
| TXT | _dmarc | v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected] | DMARC: Rejects unauthorized mail and sends aggregate reports for monitoring. |
| MX | @ | 0 . | Null MX: Signals that the domain does not accept email (RFC 7505). |
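
One way to check a non-sending domain's records against the table above, as an added example (not the provider's own tooling). The function names, the (type, host, value) record layout, example.com and the report address are assumptions made for this example; the sample zones are constructed.

```python
# Added example (not the provider's code). Record layout (type, host, value) is assumed.
def parse_tags(value):
    """Split a 'k=v; k2=v2' DKIM/DMARC record into a dict of lowercase tag names."""
    pairs = (part.partition("=") for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def audit(records):
    """Return findings for a non-sending domain; an empty list means fully locked down."""
    txt, mx, findings = {}, [], []
    for rtype, host, value in records:
        if rtype.upper() == "TXT":
            txt.setdefault(host, []).append(value.strip())
        elif rtype.upper() == "MX" and host == "@":
            mx.append(" ".join(value.split()))
    for host in ("@", "*"):
        spf = [v for v in txt.get(host, []) if v.lower().startswith("v=spf1")]
        if len(spf) != 1:  # zero records = no policy; several = SPF permerror
            findings.append(f"SPF {host}: expected exactly one record, found {len(spf)}")
        elif spf[0].lower().split() != ["v=spf1", "-all"]:
            findings.append(f"SPF {host}: not a bare hard fail: {spf[0]}")
    dkim = [parse_tags(v) for v in txt.get("*._domainkey", [])]
    if not any(t.get("v") == "DKIM1" and t.get("p") == "" for t in dkim):
        findings.append("DKIM *._domainkey: missing empty-key record (v=DKIM1; p=)")
    dmarc = [parse_tags(v) for v in txt.get("_dmarc", []) if v.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    else:
        d = dmarc[0]
        # RFC 7489 defaults: sp inherits p; adkim and aspf default to relaxed ("r").
        got = {"p": d.get("p", ""), "sp": d.get("sp", d.get("p", "")),
               "adkim": d.get("adkim", "r"), "aspf": d.get("aspf", "r")}
        for tag, want in {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}.items():
            if got[tag].lower() != want:
                findings.append(f"DMARC: effective {tag}={got[tag] or '(none)'}, table uses {want}")
    if mx != ["0 ."]:
        findings.append(f"MX @: expected a single null MX '0 .', found {mx}")
    return findings

# Constructed sample zones; example.com and the rua address are placeholders.
LOCKED = [("TXT", "@", "v=spf1 -all"), ("TXT", "*", "v=spf1 -all"),
          ("TXT", "*._domainkey", "v=DKIM1; p="),
          ("TXT", "_dmarc", "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                            "rua=mailto:dmarc-reports@example.com"),
          ("MX", "@", "0 .")]
WEAK = [("TXT", "@", "v=spf1 ~all"),                  # soft fail, no wildcard SPF
        ("TXT", "_dmarc", "v=DMARC1; p=none"),        # monitor-only policy
        ("MX", "@", "10 mail.example.com.")]          # still advertises a mail host
if __name__ == "__main__":
    print({"LOCKED": audit(LOCKED), "WEAK": audit(WEAK)})
```

The WEAK zone produces eight findings, including the relaxed alignment and inherited subdomain policy that a bare p=none record implies.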

Why this prevents blacklisting:

  • Eliminates Spoofing: Spamhaus DBL and SURBL list domains found in spam messages. With these records, spoofed emails are rejected by major providers (Gmail, Outlook) before they can impact your domain's reputation.
  • Proactive Security: By setting a strict p=reject policy, you demonstrate to security filters that the domain is professionally managed and not an open target for hijackers.
  • Subdomain Coverage: Using the sp=reject tag and the *._domainkey wildcard ensures that spammers cannot bypass your protection by using "random" subdomains.

If you use your domain to send email, be sure to create valid SPF/DKIM/DMARC records with values that allow only you to send email to prevent third parties from sending spam on behalf of your domain.

Note: It is recommended to set strong passwords, regularly update software with vulnerability patches, and scan all devices for malware.

Note: If your domain is linked to a proxy or VPN server, also be sure to block outgoing SMTP connections on the server. Port 25 is the one most commonly used by spammers, but blocking 465 and 587 is recommended too.

Server-Side Firewall Configuration (UFW):

# Block outgoing mail:
sudo ufw deny out 25,465,587/tcp

# Enable the firewall (if you manage the server over SSH, make sure SSH is allowed first so you are not locked out):
sudo ufw enable

Note: To reduce the risk of domain suspension we recommend activating the Domain Protect + service with the blacklist monitoring option.