Parked domains and DMARC: your unused domain is a security risk

The .com you bought defensively, the old trading name, the hyphenated variant - every domain you own but never send from can be spoofed as freely as your main one. Securing each takes three DNS records and five minutes. Most businesses haven’t done it.


Most businesses own more domains than they use. The .com bought alongside the .co.uk, the old trading name kept out of sentiment, the hyphenated variant registered so nobody else could, the product name from a venture that never launched. They sit in a registrar account, renewing annually, sending nothing, doing nothing.

Except they are not doing nothing. Every one of them is a sender identity - and to the world’s mail servers, an unconfigured domain you own is exactly as spoofable as an unconfigured domain anyone owns. As covered in Domain spoofing explained, email’s design lets a sender write any domain in the From address (and on the envelope) unless that domain’s owner has published records saying otherwise. Your parked domains have published nothing. They are free ammunition.

Why fraudsters love parked domains

From a criminal’s perspective, a business’s parked domains are often better than its main one:

They are plausible. An email from yourbusiness.com when you trade from yourbusiness.co.uk - or from the old trading name a long-standing client remembers - does not merely resemble your identity; it genuinely is a domain your business owns. A suspicious recipient who looks the domain up finds it registered to you. Every check a careful victim performs comes back reassuring.

They are unwatched. Your main domain at least has mail flowing, people who would hear about oddities, perhaps DMARC reporting. The parked domain has no mailboxes, no users, no reporting - abuse of it is invisible to you by default and indefinitely.

They are usually unprotected. Securing the main domain is a project people eventually get to. Securing the spares occurs to almost nobody - which is why the National Cyber Security Centre’s guidance is explicit that DMARC enforcement should cover all of an organisation’s domains, including those that send no mail.

The lockdown: three records, five minutes

A non-sending domain is the easiest possible DMARC case: since no legitimate mail exists, nothing can break, and you can go straight to full enforcement. Three DNS records do it.

1. A null SPF record - a TXT record at the domain itself, declaring that no server anywhere is authorised to send for this domain:

v=spf1 -all

That is the entire record. No includes, no lookups - the published statement “this domain sends no email.”

2. A DMARC record at reject - a TXT record at _dmarc.yourdomain - instructing every receiving server that checks DMARC to refuse anything claiming to come from the domain, and (optionally but sensibly) to send aggregate reports about attempts to an address you monitor:

v=DMARC1; p=reject; sp=reject; rua=mailto:your-reporting-address

The sp=reject tag extends the policy to subdomains, closing the side windows as well as the door. When sp is omitted it defaults to the p value, so on a p=reject record it is explicit rather than strictly necessary; it costs nothing, and it keeps subdomains at reject even if someone later relaxes p. The reporting address means that if anyone does try to spoof the parked domain, you hear about it - turning the domain from a blind spot into a tripwire. One caveat: if the reporting address is on a different domain from the parked one, that reporting domain must publish a TXT record named parked-domain._report._dmarc.reporting-domain containing v=DMARC1, or receivers will treat the address as unauthorised and silently drop the reports.

3. An empty DKIM key record where you want belt and braces - a wildcard TXT record at *._domainkey.yourdomain whose p= tag is empty, which is how DKIM marks a key as revoked, so any signature claiming a selector under the domain fails to verify. Optional; the first two records carry the protection.

No mail flow is affected, because there is no mail flow. There is no monitoring period, no staged rollout, no risk calculation. This is the rare security task with the risk profile of hanging a sign.
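The three records above, checked the way a practitioner would check them before closing the ticket. This is an added example, not SealedMail’s code or tooling: it lints the TXT answers for a domain against the lockdown, including the default of sp to p and the authorisation record that an off-domain rua address needs. The records it runs over are constructed for a hypothetical example.com and reports.example.net and are not real DNS data; in practice you would feed it the output of dig TXT for each name.

```python
"""Offline lint for the parked-domain lockdown: null SPF, DMARC at reject
with subdomain policy and reporting, optional empty DKIM wildcard.

Added example, not SealedMail's code or tooling. It takes the TXT answers
you would get from `dig TXT <name>` as a plain dict (owner name -> list of
TXT strings, owner names lower-cased) so it runs offline; the sample records
below are constructed for a hypothetical 'example.com' and are not real DNS.
"""
import re

# Constructed answers for a domain locked down as the article describes.
# The rua address is on a different domain (reports.example.net), so that
# domain must also publish the external-destination authorisation record
# (RFC 7489 section 7.1) or receivers will discard the reports.
LOCKED = {
    "example.com": ["v=spf1 -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@reports.example.net"
    ],
    "*._domainkey.example.com": ["v=DKIM1; p="],
    "example.com._report._dmarc.reports.example.net": ["v=DMARC1"],
}

# Constructed answers for a typical half-done parked domain: softfail SPF,
# monitoring-only DMARC, and reports sent off-domain without authorisation.
HALF_DONE = {
    "example.com": ["v=spf1 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@reports.example.net"],
}


def parse_tags(record):
    """Split 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_parked_domain(domain, txt):
    """Return a list of findings; an empty list means the lockdown is complete."""
    domain = domain.lower().rstrip(".")
    findings = []

    # 1. SPF: exactly one v=spf1 record at the apex, and it must be the null record.
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected one v=spf1 record at {domain}, found {len(spf)}")
    elif " ".join(spf[0].lower().split()) != "v=spf1 -all":
        findings.append(f"SPF: not the null record (want 'v=spf1 -all'): {spf[0]!r}")

    # 2. DMARC at _dmarc.<domain>: p=reject, sp effectively reject, rua present.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected one v=DMARC1 record at _dmarc.{domain}, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        p = tags.get("p", "").lower()
        sp = tags.get("sp", p).lower()  # sp defaults to p when absent (RFC 7489 section 6.3)
        if p != "reject":
            findings.append(f"DMARC: p={p or '(missing)'}; a non-sending domain should be p=reject")
        if sp != "reject":
            findings.append(f"DMARC: subdomain policy is {sp or '(missing)'}, not reject")
        rua = tags.get("rua", "")
        if not rua:
            findings.append("DMARC: no rua=, so spoofing attempts stay invisible to you")
        for uri in filter(None, (u.strip() for u in rua.split(","))):
            # Allow the optional '!size' suffix, e.g. mailto:a@b.example!10m
            m = re.match(r"mailto:[^@]+@([^!]+)", uri, re.IGNORECASE)
            if not m:
                findings.append(f"DMARC: rua entry is not a mailto: URI: {uri!r}")
                continue
            dest = m.group(1).lower()
            if dest != domain and not dest.endswith(f".{domain}"):
                auth = f"{domain}._report._dmarc.{dest}"
                if not any(r.upper().startswith("V=DMARC1") for r in txt.get(auth, [])):
                    findings.append(f"DMARC: reports go to {dest}; publish TXT 'v=DMARC1' at {auth}")

    # 3. DKIM: the optional wildcard revoking every selector (empty p= tag).
    dkim = txt.get(f"*._domainkey.{domain}", [])
    if not any(parse_tags(r).get("p") == "" for r in dkim):
        findings.append("DKIM (optional): no '*._domainkey' record with empty p=")
    return findings


if __name__ == "__main__":
    for label, records in (("locked", LOCKED), ("half done", HALF_DONE)):
        print(f"{label}: {assess_parked_domain('example.com', records) or ['OK']}")
```

Run against the constructed LOCKED records it reports nothing; against HALF_DONE it flags the softfail SPF, p=none, the subdomain policy inherited from it, the missing authorisation record at example.com._report._dmarc.reports.example.net, and the absent DKIM wildcard. The sp default and the off-domain rua check are the two things the raw records do not make obvious, and both are easy to get wrong when the reporting address belongs to a vendor rather than to you.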

Why most businesses haven’t done it

Not difficulty - you have just read the entire procedure. The reasons are mundane: nobody thinks of parked domains as email assets at all; they live in a registrar account logged into once a year; and no incident announces the gap, because abuse of an unwatched domain is, by definition, unwatched. It is a five-minute job that loses to urgent things daily, indefinitely - until the day a client asks about an email from the old trading name, at which point it becomes very urgent indeed.

So: list your domains this week. Registrar account, accounts payable records for renewal charges, the colleague who handles the website. For each one that sends no mail, publish the records above. For your main domain, the journey is staged rather than instant - What is DMARC? covers the foundations - but the spares can be done before your coffee cools.

Check any domain, including the forgotten ones

SealedMail’s Free Domain Health Check works on parked domains as well as live ones - run it against any domain you own and the certificate will show exactly what is published, what is missing, and what an attacker would currently find. Free, by email, no sign-up. Subscribers monitoring multiple domains, parked included, are simply on the same flat £49 per domain per month - and a locked-down parked domain’s weekly report is usually the shortest, most satisfying read in email security: nothing claimed to be you; nothing got through.

Shaun Cooke

Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides.