DNS: Why are SPF and DMARC records needed for non-email domains?


I’ve just configured my first mailinabox server on Linode using an external DNS provider. Everything is working fine. Just have a question. The External DNS page in the Admin interface recommends setting SPF and DMARC records to prevent spoofing emails from certain domains like mta-sts, ns1, ns2, and www.

Of course, I agree that emails should not come from any of these domains, but why is it necessary to add SPF and DMARC records for these domains specifically? I don’t want email to come from an infinite number of other domains either, like kdfjkfd.mydomain.com (for example - non-existent domain), so why is it not necessary to add SPF and DMARC records for kdfjkfd as well? I’m sure there’s a reason; just trying to understand. Are these SPF and DMARC records needed for every domain that has a corresponding A or AAAA record defined, in order to prevent sending email from them?


Those “rules” exist because you need to create an email account when you followed the steps to create the mta-sts rules. And that creates A record which is “resolvable”.

Under each of those lines should have something like the following, which explains why records rules are added.

Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from

Your existing spf rule does not overwrite any dDNS (subdomains) records created.

box.mydomain.net TXT v=spf1 mx -all

Adding additional spf txt record should prevent spoofing from this subdomain.

mta-sts.mydomain.net TXT v=spf1-all

You should add same spf records for any subdomains in the future. Maybe you have a website domain e.g. dashboard.mydomain.com, when you create the A record you should create the same spf record to protect your domain.

This prevents spoofing. If someone uses spoofaccount@mta-sts.mydomain.net, mail servers that check the record will know that is not a valid sender.

Always worth saying that if you use the MIAB as your primary DNS, it will add these records automatically for you once you add the A/AAAA record. If you decide that you changed your mind and want to host email for that subdomain, just create an user/alias, and MIAB will take care of the DNS records for you in a snap of time. :slight_smile:

Thanks @daveteu and @davness! So in summary, for each subdomain with an A or AAAA record, I should also create corresponding SPF and DMARC records telling receiving mail servers that these subdomains are prohibited from sending email (unless of course I actually want to send email from those domains).

Got it!