Defaults.Exposed › Taisymai › Guides
That Old Domain From Your Rebrand Is a Door You Left Open — How to Lock Domains That Send No Email (2026)
Paskelbta 2026-07-08
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains — we never publish an individual domain’s results. See how we grade.
A domain that never sends email can still be used to send email as your business — fake invoices, supplier requests, payroll changes — unless its DNS says otherwise. Three free records lock it shut, about ten minutes per domain. 46.4% of domains have no SPF record at all, according to the Defaults.Exposed census of 261,086,232 domains (as of 2026-06-29).
The fix is short and free: for each domain you own but never send from, publish three small DNS records (plus an optional fourth) that tell the world’s mail systems “nobody may send as this domain, reject anything that tries, and it receives no mail either.” This guide gives you the exact records, how to find the domains you’ve forgotten, and what to hand your IT person.
Which domains are we talking about?
Almost every business over a few years old has them:
- The old name. You rebranded in 2014 and kept the old domain “so nobody else gets it.” It still renews on someone’s credit card; nobody has looked at it since.
- The defensive registrations. The
.comyou bought alongside your.ieor.de, the hyphenated version, the common misspelling. - The agency’s registrations. A campaign domain a marketing agency registered on your behalf years ago — possibly not even in your registrar account.
- The domain that just redirects. It points visitors at your real website, so it feels handled. It isn’t: the web redirect does nothing about email.
None of these domains send email. All of them can — to a receiving mail server, a domain with no email records isn’t “closed,” it’s “unclaimed.” Anyone can put your old name in the From line of a fraudulent email, and the receiver has been given no reason to refuse it.
Why can a domain that sends nothing be used to send email as me?
Email was built on trust: by default, any server anywhere may claim to send on behalf of any domain. The records that revoke that trust only work if someone publishes them — and on a parked domain, nobody ever has. Your live domain probably got some of this at email setup; the domain from the rebrand got nothing.
The numbers say how normal this is. Of the 261,086,232 domains graded in the Defaults.Exposed census (as of 2026-06-29), 46.4% publish no SPF record at all, and 89.41% have no enforced DMARC policy — the setting that tells receivers to reject impostors. Parked domains sit at the far end of that curve: nobody set up email on them, so nobody ever published the records that close the door.
And the old name is a better disguise than a random lookalike: an invoice “from” the name your clients knew you by for a decade doesn’t raise an eyebrow — the scenario in that invoice-fraud story you heard — could it happen to your firm?. If you suspect it’s already happening, start with is someone sending email pretending to be you?.
What records lock a domain that sends no email?
The complete lockdown set: a ten-minute job per domain, every record free, no email service required — just access to the domain’s DNS settings.
| Record | Where it goes | Value | What it tells the world |
|---|---|---|---|
| SPF | TXT record at the domain itself | v=spf1 -all | Nobody, anywhere, is authorised to send email as this domain |
| DMARC | TXT record at _dmarc.yourolddomain.com | v=DMARC1; p=reject; rua=mailto:[email protected] | Reject anything claiming to be this domain — and send me a report so I see the attempts |
| Null MX | MX record at the domain, priority 0, value . | MX 0 . (RFC 7505) | This domain receives no mail — don’t even try to deliver here |
| DKIM revocation (optional) | TXT record at *._domainkey.yourolddomain.com | v=DKIM1; p= | Any email signature claiming to be from this domain is revoked |
The first three are the set; the fourth is belt-and-braces. The DMARC report address (rua) is the difference between a locked door and a locked door with a camera: if someone tries to send as your old domain, the reports are how you find out.
How do I lock down a parked domain?
- Scan each domain free at defaults.exposed first — two minutes each shows exactly which records are missing before anyone touches DNS.
- Log in to DNS for that domain — usually the registrar’s control panel. If the agency registered it, this step is an email to the agency.
- Add the SPF record: a TXT record at the domain itself with the value
v=spf1 -all. There must be exactly one record startingv=spf1. - Add the DMARC record: a TXT record at
_dmarcwithv=DMARC1; p=reject; rua=mailto:..., pointing the reports at a mailbox on a domain you actually use. Footnote for your IT person: reports crossing domains need the external-authorisation record (yourolddomain.com._report._dmarc.your-live-domain.com) on the live domain, or they silently never arrive. - Add the null MX: an MX record with priority
0and value.— the standard way (RFC 7505) to declare the domain receives no mail. - Optionally add the DKIM revocation: a TXT record at
*._domainkeywithv=DKIM1; p=. - Re-scan to confirm. The graded report is dated proof the door is shut — keep it for the insurance renewal.
One caution: this set is for domains that genuinely send and receive nothing. If the old domain still quietly forwards mail to you, it isn’t parked — it needs real records instead: see the new-domain email checklist, how to fix SPF and how to fix DMARC.
How do I find the domains I’ve forgotten I own?
Most owners can’t list their domains from memory — that’s the whole problem. Four places to look: your registrar account (export the full list — there are usually more than you remember); old invoices and card statements for renewal charges from forgotten registrars; the marketing agency and your IT contractor, asked directly — “what domains have you ever registered for us?”; and old campaign records. Then scan every one at defaults.exposed. A domain you let expire is a different conversation — anyone can re-register it, a good reason to keep paying the €15 a year for the ones carrying your old name.
Frequently asked questions
The old domain just redirects to our website — surely that means it’s handled? No. The redirect handles people who visit the domain; it does nothing about email sent as it — the default state for 46.4% of all 261,086,232 domains in the census (as of 2026-06-29). Locking it won’t break the redirect either: these records only concern email.
Does this actually stop the fraud? It stops your exact old domain being used at every mail provider that honours these records — including all the big ones your clients use. It doesn’t stop lookalike domains, a separate problem covered in is someone spoofing your domain?. Locked plus watched is the strongest position a parked domain can be in — while 89.41% of all 261,086,232 graded domains haven’t enforced a policy on even their main domain (as of 2026-06-29).
How much does this cost and how long does it take? Nothing, and about ten minutes per domain — the records are free and there’s no service to subscribe to. Finding your domains usually takes longer than fixing them. And it’s every domain, not just the important ones: the fraud only needs the one you skip.
Hand the list to your IT person
Add every domain you found to the list you send your IT person — with this article, which has the exact records they need. Have them re-run the free scan afterwards and forward you the graded reports: dated, plain-language proof that every name you own is locked. That’s the stack of paper you want beside the cyber-insurance renewal form.
Check your domain → · That invoice-fraud story you heard → · How to fix DMARC → · Aggregate data only. Data stored and processed in the EU.