Adding defensive SPF records to GoDaddy

John Wheeler
6 min read · Aug 7, 2021


After reviewing a recent report from Security Scorecard, I noticed that I had findings for missing SPF records against a domain that wasn’t used for email transport. I opened a ticket with them and complained that the domains they were flagging didn’t send email and didn’t have MX records. Below is the response I received.

The link that Security Scorecard provides was interesting.

The M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) recommends that domains that never send email, including parked domains, should publish a SPF TXT record of “v=spf1 -all”.

Though the above quote references the M3AAWG recommendations, it looks like some savvy admins knew some time ago that this was the right approach even if it’s only a small step. I wasn’t aware that SPF records could be used in this manner. Now that I knew what I needed to do, I needed to figure out a way to update all of our domains that didn’t send email.
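
Before updating anything, it helps to know which non-sending domains already carry the defensive record and which do not. The following is an added example, not code from the original article: the function names (`spf_records`, `classify_spf`, `domains_needing_record`) are hypothetical, and the `.example` domains and their TXT values are constructed sample data standing in for a DNS lookup or registrar export.

```python
# Added example: find parked domains that still lack the defensive SPF record.
DEFENSIVE_TERMS = ["-all"]  # the terms of "v=spf1 -all" after the version tag


def spf_records(txt_records):
    """Return the TXT values that are SPF records (start with the v=spf1 tag)."""
    found = []
    for txt in txt_records:
        value = txt.strip().strip('"').strip()
        lowered = value.lower()
        # "v=spf10 ..." or "v=spf1x" must not match, so require an exact tag.
        if lowered == "v=spf1" or lowered.startswith("v=spf1 "):
            found.append(value)
    return found


def classify_spf(txt_records):
    """Classify the SPF posture of a domain that never sends email."""
    spf = spf_records(txt_records)
    if not spf:
        return "missing"          # no SPF record at all
    if len(spf) > 1:
        return "multiple"         # RFC 7208: more than one record is a permerror
    terms = spf[0].lower().split()[1:]
    return "defensive" if terms == DEFENSIVE_TERMS else "not-defensive"


def domains_needing_record(zones):
    """Map each domain that is not already 'defensive' to its current status."""
    statuses = {name: classify_spf(txt) for name, txt in zones.items()}
    return {name: s for name, s in statuses.items() if s != "defensive"}


# Constructed sample data: TXT records for domains assumed to send no email.
SAMPLE_ZONES = {
    "parked-one.example": [],
    "parked-two.example": ['"v=spf1 -all"'],
    "parked-three.example": ["v=spf1 ~all"],
    "parked-four.example": ["v=spf1 -all", "v=spf1 include:_spf.example.net -all"],
    "parked-five.example": ["site-verification=constructed", "V=SPF1  -ALL"],
    "parked-six.example": ["v=spf10 -all"],
}

if __name__ == "__main__":
    for name, status in sorted(domains_needing_record(SAMPLE_ZONES).items()):
        print(f'{name}: {status} -> SPF TXT should be exactly "v=spf1 -all"')
```

A domain reported as `multiple` needs its extra SPF records removed rather than another one added, since publishing a second record leaves the policy in an error state.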

Why we need automation — a brief history
