Your Parked Domain Is Sending Email (And You Didn't Know)

By DMARCdrift Team


5 min read · Tags: dmarc, spoofing, parked-domains, monitoring

You registered it three years ago to protect the brand. The hyphenated version, the .net, the common typo. You parked them, pointed them at nothing, and never thought about them again.

Someone else has.

A parked domain feels safe because there's nothing there. No website to deface, no inbox to break into. So nobody monitors it, which is what makes it a good target: a domain carrying your brand name that nobody is watching.

"No MX, no website" is not "no risk"

The common assumption is that a domain with no mail server can't be used for email. That is wrong, and it is an expensive thing to be wrong about.

MX records control where a domain receives mail. Spoofing is about sending. An attacker doesn't need your MX, your DNS, or any access to the domain at all. They send from a server they control, set the From: header to billing@your-parked-domain.com, and let the receiving mail server decide whether to believe it.

What decides that is your DMARC policy. If the parked domain has no DMARC record, there is no policy to apply, so receiving servers accept the spoofed mail and tell no one. The domain has no website and no inbox, but it can still land email in your customers' inboxes wearing your brand.

So a forgotten parked domain usually sits in the worst state: fully spoofable, and silent about it.

Why attackers like the domains you forgot

Your primary domain probably has DMARC at p=reject and someone keeping an eye on it. The defensive registrations around it almost never do. That asymmetry is the whole point.

A brand-adjacent domain is more convincing in a phishing email than a random one. support@yourcompany-billing.com reads as legitimate to a customer who knows your brand. And because the domain sends no real mail, there is no baseline, no alerting, and no one who would notice a spike. The attacker gets your brand's credibility with none of your brand's scrutiny.

This is also where shadow IT hides. A parked domain that suddenly starts sending could be an attacker, or it could be a forgotten marketing tool, a contractor, or an old form provider someone wired up years ago. Either way, you want to know.

What "protected" actually means for a parked domain

A parked domain has a different job than an active one. You are not trying to get its mail delivered. You are trying to make sure it sends nothing and to see anyone who tries. That means two things, not one.

Lock it down. Publish a DMARC record at full enforcement so receiving servers reject anything claiming to be from it, and an SPF record that authorizes no senders:

Type:  TXT
Name:  _dmarc
Value: v=DMARC1; p=reject; rua=mailto:your-reporting-address

Type:  TXT
Name:  @
Value: v=spf1 -all

p=reject tells receivers to drop unauthenticated mail. v=spf1 -all says no IP is allowed to send. You do not need DKIM keys, because the domain has no legitimate sender to sign for. This is the entire setup. It takes one visit to your DNS provider.
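
An added example (not DMARCdrift's code or part of the original post): a check that the TXT strings you pulled for a parked domain match the lockdown above. It goes slightly beyond the two records shown by also flagging the standard DMARC `sp=` and `pct=` tags and duplicate records, which weaken or void the policy; the function names and sample records are constructed for illustration.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(dmarc_txt, apex_txt):
    """dmarc_txt: TXT strings at _dmarc.<domain>; apex_txt: TXT strings at the apex
    (e.g. from `dig +short TXT`). Returns findings; an empty list means locked down."""
    findings = []
    dmarc = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        # Zero records means no policy; more than one is treated as no policy too.
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() != "reject":
            findings.append(f"p={tags.get('p', '<missing>')}, not reject")
        if tags.get("sp", "reject").lower() != "reject":
            findings.append(f"sp={tags['sp']} weakens the policy for subdomains")
        if tags.get("pct", "100") != "100":
            findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
        if not tags.get("rua", "").lower().startswith("mailto:"):
            findings.append("no rua= reporting address, so spoofing attempts go unreported")
    spf = [r for r in apex_txt if r.strip().lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF authorizes senders or lacks -all: {spf[0]!r}")
    return findings

# Constructed sample inputs: (TXT at _dmarc, TXT at apex) for two hypothetical domains.
LOCKED_DOWN = (["v=DMARC1; p=reject; rua=mailto:reports@example.net"], ["v=spf1 -all"])
FORGOTTEN = ([], ["v=spf1 include:_spf.mailer.example ~all"])

if __name__ == "__main__":
    print("locked down:", audit_parked_domain(*LOCKED_DOWN))
    print("forgotten:  ", audit_parked_domain(*FORGOTTEN))
```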

Watch it. Enforcement blocks the spoof, but the rua= address is what tells you it happened. When someone sends mail as your parked domain, the receiving servers still record the attempt and report it: the source IP, the volume, and the fact that it failed authentication. On a domain that should produce zero mail, any report is a signal. A parked domain that suddenly shows traffic is either being spoofed or being used by something you forgot about.

Without the reporting address, you get the protection but stay blind. With it, the parked domain becomes a tripwire.

The catch: parked domains are the ones nobody reads

DMARC reports are gzipped XML, and they arrive whether or not anyone opens them. For an active domain you at least have a reason to look. For a parked one, there's no inbox, no dashboard you check, and no habit of looking. The reports pile up unread, which means the spoofing they document goes unseen.

<record>
  <row>
    <source_ip>185.220.101.47</source_ip>
    <count>211</count>
    <policy_evaluated>
      <dkim>fail</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
</record>

An IP you don't own, sending hundreds of messages as a domain that should send none, failing every check. That is the proof, sitting in a report nobody opened.
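
An added example (not part of the original post and not DMARCdrift's implementation): a tripwire that reads one gzipped aggregate report and returns every row claiming a parked domain. The wrapper elements around `<record>` follow the standard aggregate report layout; the function name, size cap, and sample report are assumptions made here.

```python
import gzip
import io
import xml.etree.ElementTree as ET

MAX_REPORT_BYTES = 5 * 1024 * 1024  # assumed cap; reports arrive from untrusted senders

def parked_domain_alerts(gz_bytes, parked_domains):
    """Return one alert per report row whose From: domain is a parked domain."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        xml_bytes = fh.read(MAX_REPORT_BYTES + 1)  # bounded read: gzip-bomb guard
    if len(xml_bytes) > MAX_REPORT_BYTES:
        raise ValueError("decompressed report exceeds size cap")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("unexpected DTD or entity declaration in report")
    root = ET.fromstring(xml_bytes)  # assumes the common namespace-free report layout
    parked = {d.lower().rstrip(".") for d in parked_domains}
    policy_domain = root.findtext("policy_published/domain") or ""
    alerts = []
    for rec in root.iter("record"):
        claimed = (rec.findtext("identifiers/header_from") or policy_domain).lower()
        # Subdomains count too: mail "from" billing.parked.example is still your brand.
        if not any(claimed == d or claimed.endswith("." + d) for d in parked):
            continue
        # No pass/fail filter: a parked domain should send nothing, so every row alerts.
        alerts.append({
            "domain": claimed,
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count") or 0),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
        })
    return alerts

# Constructed sample report (documentation IP and domain), gzipped as it would arrive.
SAMPLE_GZ = gzip.compress(b"""<?xml version="1.0"?>
<feedback>
  <policy_published><domain>parked.example</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.47</source_ip><count>211</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>parked.example</header_from></identifiers>
  </record>
</feedback>""")

if __name__ == "__main__":
    for alert in parked_domain_alerts(SAMPLE_GZ, ["parked.example"]):
        print(alert)
```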

If you want the mechanics of reading these for any domain, "Is Your Domain Being Spoofed?" walks through it, and "What Happens When You Have No DMARC Record" covers the wide-open case.

Do it in a couple of minutes

Start by checking what your parked domains actually have today. Run each through the DMARC checker or the email authentication checker. Most defensive registrations come back with no DMARC at all, which means wide open.

Then lock down and watch each one:

  1. Publish the two records above at your DNS provider.
  2. Point rua= at a reporting address that something actually reads.
  3. Get alerted if a domain that should be silent starts sending.

That last step is the part that's hard to do by hand, because it means parsing reports for domains you will otherwise never look at. DMARCdrift was built for the indie builder who owns a handful of these. Add a domain, mark it as parked, and we hand you the exact lockdown records to publish and watch the reports for you. The moment a parked domain shows sending activity, you hear about it instead of finding out from a customer.

The domains you registered to protect your brand only help if they cannot be used against it. Lock them down, point the reports at something that actually reads them, and you will hear about the spoofing instead of hearing about it from a customer.
