Marc,

Strictly speaking, you don't need the SPF record; however, I strongly recommend you publish a "permit none" SPF record as many corporate gateways that don't support DMARC (or don't have validation enabled) will still block fraudulent messages based on an SPF record.

v=spf1 -all

Best Regards,
John

On Fri, Aug 25, 2017 at 12:20 PM, Marko Nix via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

> Hi Marc,
>
> your idea is right in my opinion.
>
> You do need a valid SPF (but it may be a "-all", that's your choice, because you don't send mails for that domain) record. But no DKIM, because you don't send emails.
>
> But enough of talking, I think an example helps more:
>
> Domain 1 (master)
> _dmarc IN TXT ("v=DMARC1; p=quarantine; sp=reject; fo=1; aspf=r; adkim=s;"
>                "rua=mailto:dmarc@tech-nicks.de; ruf=mailto:dm...@tech-nicks.de;")
>
> Domain 2 (no real use)
> @ IN TXT "v=spf1 -all"
> _dmarc IN TXT ("v=DMARC1; p=reject; sp=reject; fo=1; aspf=s; adkim=s;"
>                "rua=mailto:dm...@tech-nicks.de; ruf=mailto:dm...@tech-nicks.de;")
>
> But you have to allow other domains receiving reports. For me it is another domain I own.
>
> Domain 3 (where the reports go)
> (its own dmarc record - left out because does not matter here)
> tierheilpraxis-nix.de._report._dmarc IN TXT "v=DMARC1"
> thp-nix.de._report._dmarc IN TXT "v=DMARC1"
>
> So it's what you have written, I think. Do not waste time on DKIM - you don't send, you don't need it.
>
> Hope it helps.
>
> Kind regards,
> Marko
>
> On 25.08.2017 at 19:22, Marc Luescher via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
>
> Hi there,
>
> we are setting up a lot of vanity domains to make sure they cannot be used for abuse.
>
> main domain fresenius.com
> vanity 1 fressenius.com etc
>
> My idea was just to create a DMARC record like:
>
> v=DMARC1; p=reject; rua=mailto:71676...@mxtoolbox.dmarc-report.com,mailto:92ef88808ad6806@rep.dmarcanalyzer.com,mailto:yjgni...@ag.dmarcian.com;ruf=mailto:92ef88808ad6...@for.dmarcanalyzer.com,mailto:yjgni...@ag.dmarcian.com; sp=reject; fo=1;
>
> for all newly registered vanity domains and to authorize it in the master domain. Would this be best practice, or do we need for every vanity domain also a valid SPF and/or DKIM record to be fully compliant? I did not find any guideline how to do this.
>
> Thank you
>
> Marc
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
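
The record set discussed in this thread for a non-sending domain (SPF `-all`, DMARC `p=reject`, and a `<domain>._report._dmarc.<report-domain>` TXT record at each external report destination) can be checked offline; the following is an added example, not code from anyone in the thread. The zone dictionary, the `.example` names and the function names are constructed, and treating only the domain itself and its subdomains as "internal" is a simplification of RFC 7489's Organizational Domain comparison.

```python
def parse_tags(record):
    # "v=DMARC1; p=reject; ..." -> {"v": "DMARC1", "p": "reject", ...}
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def report_domains(tags):
    # Domains of every mailto: URI in rua/ruf (an optional "!size" suffix is dropped).
    out = set()
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            if uri.lower().startswith("mailto:") and "@" in uri:
                out.add(uri.split("!", 1)[0].rsplit("@", 1)[1].lower())
    return out

def audit_parked_domain(domain, zone):
    """zone: {owner name: [TXT strings]}, a stand-in for live DNS lookups."""
    findings = []
    spf = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1 or spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append("SPF is not exactly 'v=spf1 -all'")
    dmarc = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append("expected exactly one DMARC record")
        return findings
    tags = parse_tags(dmarc[0])
    if tags.get("p", "").lower() != "reject":
        findings.append("DMARC policy is not p=reject")
    for dest in sorted(report_domains(tags)):
        # Assumption: the domain itself and its subdomains need no authorization.
        if dest == domain or dest.endswith("." + domain):
            continue
        auth = f"{domain}._report._dmarc.{dest}"
        if not any(t.strip().startswith("v=DMARC1") for t in zone.get(auth, [])):
            findings.append(f"missing report authorization TXT at {auth}")
    return findings

# Constructed sample zone (reserved .example names, not taken from the thread).
ZONE = {
    "vanity.example": ["v=spf1 -all"],
    "_dmarc.vanity.example": ["v=DMARC1; p=reject; sp=reject; fo=1; "
                              "rua=mailto:agg@reports.example; ruf=mailto:fo@reports.example;"],
    "vanity.example._report._dmarc.reports.example": ["v=DMARC1"],
    "typo.example": ["v=spf1 -all"],
    "_dmarc.typo.example": ["v=DMARC1; p=quarantine; rua=mailto:agg@reports.example"],
}

if __name__ == "__main__":
    for name in ("vanity.example", "typo.example"):
        print(name, audit_parked_domain(name, ZONE) or "OK")
```

Note that the authorization record is looked up in the zone of the domain that receives the reports, not in the vanity domain's zone.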