G Suite DNSSEC signed MX records

G Suite (formerly known as Google Apps) is a collection of Google services, including Gmail with custom domains, all available through a single user account. G Suite's default MX records (aspmx.l.google.com and alt<1-4>.aspmx.l.google.com) are not DNSSEC signed. For users who want DNSSEC-signed G Suite MX records, Google has made a set available.

DNSSEC is a security extension to the DNS protocol that makes it possible to sign DNS data with digital signatures based on public-key cryptography. DNSSEC makes it possible to 1) verify that DNS data actually was received from the expected origin zone, and 2) know that the DNS data was not modified in transit. More detailed information about DNSSEC is available on the Wikipedia page.

You can use a tool such as Verisign’s DNSSEC Analyzer to check the DNSSEC settings of a given hostname.

G Suite DNSSEC signed MX records:

mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog

The DNSSEC-signed MX records answer both IPv4 and IPv6 requests.
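For checking these hostnames from a script rather than a web analyzer, the following added example (not from the original post or from Google) builds a DNS query with the EDNS0 DO bit set and reads the AD flag and RRSIG records out of the reply. The function names are hypothetical, and the sample reply, its 192.0.2.25 address and its RRSIG bytes are constructed placeholders.

```python
import socket
import struct

MX_HOSTS = ["mx1.smtp.goog", "mx2.smtp.goog", "mx3.smtp.goog", "mx4.smtp.goog"]
TYPE_A, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 1, 28, 41, 46

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=TYPE_A, qid=0x1234):
    header = struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 1)  # RD+AD, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # EDNS0 OPT: root name, UDP size 1232 in CLASS, DO bit (0x8000) in TTL.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def dnssec_summary(msg):
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):                  # skip the question section
        off = skip_name(msg, off) + 4
    for _ in range(an):                  # collect the answer record types
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "rrsig": TYPE_RRSIG in types}

def ask(name, resolver, qtype=TYPE_A):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype), (resolver, 53))
        return dnssec_summary(s.recvfrom(4096)[0])

def sample_response(signed):
    # Constructed reply for mx1.smtp.goog; address and RRSIG bytes are placeholders.
    head = struct.pack("!HHHHHH", 0x1234, 0x81A0 if signed else 0x8180, 1, 2 if signed else 1, 0, 0)
    body = encode_name(MX_HOSTS[0]) + struct.pack("!HH", TYPE_A, 1)
    body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 25])
    if signed:
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 20) + b"\x00" * 20
    return head + body
```

To run it live, call `ask(host, resolver)` for each entry in `MX_HOSTS` with `TYPE_A` and `TYPE_AAAA`, where `resolver` is the IPv4 address of a validating resolver you choose. The AD flag reflects that resolver's validation, so it is only as trustworthy as the network path to it.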

As a side note, although these MX records are made available by Google, they are not officially supported or documented. They could change, go offline, or somehow become unreliable at some point. I doubt this will happen anytime soon. In the past, Google has kept crucial legacy hostnames online, and some major web services are using these MX records.
