Someone out on the internet bought a domain name very similar to our company domain (one character missing) and used it in an attempt to elicit payments from other companies. After this I bought a bunch of domain names similar to our main company domain, thinking that would be enough to prevent it from happening again. I didn't realize it wasn't until I was investigating settings for DMARC. Even if you own a domain, if it doesn't have the correct DNS settings scammers can still use it to send spoofed email, since it is not that difficult to forge the "From" domain in an email header. The records below should be added to inactive/parked domains that don't need to send or receive email. Assuming the recipient mail server is configured properly, mail claiming to come from these inactive domains should then be quarantined or dropped.

SPF:

These records specify that no IP address or host is allowed to send email from example.com. The wildcard * covers all subdomains. Annoyingly, these do have to be two separate records.

example.com TXT "v=spf1 -all"

*.example.com TXT "v=spf1 -all"


DKIM:

Publishing this declares that the DKIM public key for the domain itself and all subdomains has been revoked, so mail signed against it should be quarantined. This is only one record.

*._domainkey.example.com TXT "v=DKIM1; p="


DMARC:

Lastly, you should specify a DMARC record that rejects mail based on SPF and DKIM alignment, which will always fail because the SPF and DKIM records above authorize nothing. sp=reject also specifies that no subdomain is allowed to send mail. They suggest, for ease of management, publishing one single DMARC policy as a TXT record under your main domain, named something like the record below:

_dmarc.parked.maindomain.com TXT "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"

You can then go to each of your parked/inactive domains and add a CNAME record that points at the record in your main domain. In the example below, this is set on one of the inactive domains:

_dmarc CNAME _dmarc.parked.maindomain.com


nslookup -q=TXT _dmarc.parkeddomain.com resolves to _dmarc.parked.maindomain.com, which in turn resolves to the DMARC record you set, something like v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s


MX:

I get the impression this is somewhat optional, but they recommend setting an invalid MX record. If you send email to a domain with no MX record, the sending server falls back to the A record. It can take a long time to see a bounce, and it's better that the mail go to an invalid domain name. The TLD ".invalid" is reserved and will never resolve.

example.com MX 0 noemail.invalid

*.example.com MX 0 noemail.invalid
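As an added example (not part of the original post), here is a small Python checker that evaluates a parked domain's SPF, DKIM, DMARC and MX answers against the policy laid out above. The DNS answers are a constructed dictionary standing in for real lookups; the record names and values are the ones from this post.

```python
# Constructed sample answers (not real lookups), keyed by (owner name, type),
# for a parked domain configured exactly as the records above.  A resolver
# would already have followed the _dmarc CNAME, so only the final TXT appears.
PARKED_OK = {
    ("example.com", "TXT"): ["v=spf1 -all"],
    ("*.example.com", "TXT"): ["v=spf1 -all"],
    ("*._domainkey.example.com", "TXT"): ["v=DKIM1; p="],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"],
    ("example.com", "MX"): ["0 noemail.invalid"],
    ("*.example.com", "MX"): ["0 noemail.invalid"],
}

def parse_tags(record):
    """Split a 'k=v; k2=v2' DKIM/DMARC string into a dict (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def _has_spf_deny_all(records, name):
    return any(r.strip().lower() == "v=spf1 -all" for r in records.get((name, "TXT"), []))

def check_parked_domain(domain, records):
    """Return a list of findings; an empty list means the parked policy is fully in place."""
    findings = []
    for name in (domain, "*." + domain):          # apex and wildcard SPF are separate records
        if not _has_spf_deny_all(records, name):
            findings.append(f"SPF: {name} lacks 'v=spf1 -all'")
    dkim = [parse_tags(r) for r in records.get(("*._domainkey." + domain, "TXT"), [])]
    if not any(t.get("v", "").upper() == "DKIM1" and t.get("p", "x") == "" for t in dkim):
        findings.append("DKIM: no revoked wildcard key (v=DKIM1; p=) under _domainkey")
    dmarc = [parse_tags(r) for r in records.get(("_dmarc." + domain, "TXT"), [])]
    if not dmarc:
        findings.append("DMARC: no _dmarc record")
    else:
        t = dmarc[0]
        if t.get("p") != "reject":
            findings.append(f"DMARC: p={t.get('p')}, expected reject")
        if t.get("sp", t.get("p")) != "reject":   # sp defaults to p when absent
            findings.append(f"DMARC: effective sp={t.get('sp', t.get('p'))}, expected reject")
        for tag in ("adkim", "aspf"):
            if t.get(tag, "r") != "s":            # alignment defaults to relaxed
                findings.append(f"DMARC: {tag} is relaxed, expected s")
    for name in (domain, "*." + domain):
        hosts = [m.split()[-1].rstrip(".") for m in records.get((name, "MX"), [])]
        if not hosts or not all(h.endswith(".invalid") for h in hosts):
            findings.append(f"MX: {name} does not point only at a .invalid host")
    return findings
```

Feeding it real answers from a resolver lets you spot a parked domain whose DMARC was left at p=none or whose wildcard SPF record was never published.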