DMARC for non sending domains

Do I need DMARC if I do not send email from this domain?
Domain Check

Check your domain for DMARC, DKIM, SPF and MX records. Get a free report.
Articles
Tags
Published: January 08, 2026

Yes. You still need DMARC even if you are not sending email from a domain. Not sending email does not protect you. It does the opposite. Domains without DMARC are easier to abuse and harder to defend.

This is one of the most common and costly misunderstandings around email authentication.

 

How email spoofing works for non email sending domains

 

Email spoofing does not require access to your systems. An attacker does not need your mail server. They only need your domain name.

Anyone on the internet can create an email that claims to be from your domain in the visible sender field. If your domain has no DMARC policy, receiving mail systems have no clear instruction on how to handle that message.

The result. Fake emails can be sent in your name even if you never send a single legitimate email.

This is why the question Do I need DMARC if I do not send email has a clear answer. Yes.

 

Realistic abuse scenarios you should expect

 

  • Brand impersonation. Attackers send invoices or support messages that look like they come from your company domain. Customers trust the name and act.

  • CEO fraud. A parked or unused domain is used to send payment requests to finance teams or partners. The email looks internal. The damage happens fast.

  • Phishing from lookalike domains. You may protect your main domain but forget defensive domains or redirects. Attackers choose the weakest one.

These attacks work best against domains that are quiet. No mail history. No enforcement. No visibility.

 

What happens technically when no DMARC record exists

 

When there is no DMARC record, your domain publishes no policy. Mailbox providers receive no instruction on how to treat messages that claim to be from your domain. There is no enforcement. No consistent handling and reporting. That means bad actors can send emails in your name to whoever they wish and harm your reputation and brand authority.

 

What mailbox providers do in this case

 

Mailbox providers fall back to their own internal rules. Some messages are delivered. Some are marked as spam. Some are blocked. You have no visibility into abuse and no control over the outcome.

 

When p=reject is the right starting point

 

For domains that never send email, p=reject can be the right starting point.

If a domain has no legitimate outbound email, there is nothing to protect from delivery impact. Setting p=reject immediately tells mailbox providers to block any message that claims to be from this domain and fails authentication.

This is the strongest form of protection against spoofing and impersonation for parked, unused, or defensive domains.

Even with p=reject, monitoring still matters. You should always configure a destination for DMARC reports using the rua tag. This gives you visibility into attempted abuse and confirms that no legitimate traffic exists.

 

Clear recommendation

 

If you own a domain, publish a DMARC record. For non sending domains, start with p=reject and set a target for DMARC Reports. For sending domains start with p=none to start monitoring your emails before moving to a stricter policy.

Example: v=DMARC1; p=reject; rua=mailto:youremail@domain.com

 

Next step

 

Check if your domain has a published DMARC record and how to proceed with our DMARC Checker.

Connect your domain to our system and we collect and analyze your DMARC reports so you are always up to date with the next steps. If you have a non sending domain follow the steps for "parked domains" in the domain configuration.

Bulletproof emails with DMARC

Check domain and follow the instructions to nail down your DMARC configuration.
No expert knowledge needed!