G Suite DNSSEC signed MX records

G Suite (formally known as Google Apps) is a collection of Google services including Gmail with custom domains, all available through a single user account. G Suiteā€™s default MX records (aspmx.l.google.com, and alt1-4.aspmx.l.google.com) are not DNSSEC signed. For users wanting DNSSEC signed G Suite MX records, Google has made such available.

DNSSEC is a security extension to the DNS protocol making it possible to sign DNS data with a digital signature using the public key cryptography approach. DNSSEC makes it possible to 1) Verify that DNS data actually is received from the expected origin zone. 2) Know that no modification of DNS data occurred during transit. More detailed information about DNSSEC is available at the Wikipedia page.

G Suite DNSSEC signed MX records:


As a side note, despite that these MX records are made available by Google, they are not officially supported or documented. They could change, go offline, or somehow get unreliable at some point. I doubt this will happen anytime soon. In the past, Google has kept crucial legacy hostnames online, and some major web services are using these MX records.

Leave a Reply

Your email address will not be published. Required fields are marked *