DNS - Lockdown domains that do not send emails

I’ve set up a few domains recently that won’t be used to send email (well, certainly not at present). It’s good security practice for the domain to state that fact explicitly in its DNS records, and each time I have to do it I find myself digging around for the boilerplate I use. As an aide-mémoire, this short post summarises everything in the following table. For reference, this Cloudflare article explains the full details perfectly.

Type | Name         | Content                                        | Comment
---- | ------------ | ---------------------------------------------- | -------------------
TXT  | @            | v=spf1 -all                                    | SPF for No-Email!
TXT  | *._domainkey | v=DKIM1; p=                                    | DKIM for No-Email!
TXT  | _dmarc       | v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s | DMARC for No-Email!
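
A small audit of the three records in the table, as an added example that is not part of the original post: it takes TXT strings you have already fetched (keyed by record name) and reports any deviation from the lockdown policy. The sample records are constructed here, not looked up from live DNS.

```python
"""Audit TXT records against the no-email lockdown in the table above."""

# Constructed sample records, keyed by record name; not fetched from DNS.
LOCKED_DOWN = {
    "@": ["v=spf1 -all"],
    "*._domainkey": ["v=DKIM1; p="],
    "_dmarc": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
}
WEAK = {"@": ["v=spf1 ~all"], "_dmarc": ["v=DMARC1; p=none"]}


def parse_tags(txt: str) -> dict[str, str]:
    """Split a 'k=v; k2=v2' record (DKIM/DMARC syntax) into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_no_email(records: dict[str, list[str]]) -> list[str]:
    """Return findings; an empty list means the domain is fully locked down."""
    findings = []
    # SPF: exactly one v=spf1 record, and it must be the hard-fail '-all'.
    spf = [r for r in records.get("@", []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record at @")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (invalid)")
    elif spf[0].strip().lower() != "v=spf1 -all":
        findings.append(f"SPF: expected 'v=spf1 -all', got '{spf[0]}'")
    # DKIM: wildcard selector with an empty public key, so no key can verify.
    dkim = [r for r in records.get("*._domainkey", []) if "v=dkim1" in r.lower()]
    if not dkim:
        findings.append("DKIM: no wildcard *._domainkey record")
    elif parse_tags(dkim[0]).get("p", "missing") != "":
        findings.append("DKIM: wildcard record must publish an empty p= tag")
    # DMARC: reject for domain and subdomains, strict alignment for both.
    dmarc = [r for r in records.get("_dmarc", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no v=DMARC1 record at _dmarc")
    else:
        tags = parse_tags(dmarc[0])
        for key, want in {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}.items():
            if tags.get(key) != want:
                findings.append(f"DMARC: tag {key}={tags.get(key)!r}, expected {want!r}")
    return findings
```

Feed it the TXT strings from your resolver of choice; `sp` is checked explicitly because the table sets it, even though DMARC would otherwise inherit it from `p`.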

Yes, note that Cloudflare now allows comments on DNS records. If you have multiple (security) staff administering your DNS records, or just have more than a few records and are likely to forget why/what/who/when a record was added, comments or notes (somewhere) are essential. I don’t know why they were never part of the DNS spec, but they weren’t. It has been a personal amazement that I’ve had to diligently keep a separate document recording why and when my DNS records were added (yes, I’m like that), but that’s no longer required. Thank you Cloudflare 😎🥂🎉