G Suite DNSSEC signed MX records

G Suite (formerly known as Google Apps) is a collection of Google services, including Gmail with custom domains, all available through a single user account. G Suite's default MX records (aspmx.l.google.com and alt<1-4>.aspmx.l.google.com) are not DNSSEC signed. For users who want DNSSEC signed G Suite MX records, Google has made a set available.

G Suite DNSSEC signed MX records:


The DNSSEC signed MX records answer both IPv4 and IPv6 requests.

DNSSEC is a security extension to the DNS protocol that makes it possible to sign DNS data with a digital signature using public key cryptography. DNSSEC makes it possible to 1) verify that DNS data was actually received from the expected origin zone, and 2) know that the DNS data was not modified in transit. More detailed information about DNSSEC is available on the Wikipedia page.

You can use a tool such as Verisign’s DNSSEC Analyzer to check the DNSSEC settings of a given hostname.
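A local check to go with the analyzer, as an added example that is not from the original post: it classifies the `dig +dnssec` answer for an MX target's A or AAAA record by the resolver's AD flag and the presence of a covering RRSIG. The hostnames and dig output below are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed `dig +dnssec` answers (not real captures); hostnames are placeholders.
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
mx.signed.example. 300 IN AAAA 2001:db8::25
mx.signed.example. 300 IN RRSIG AAAA 13 3 300 20300101000000 20291201000000 1234 signed.example. c2FtcGxl
"""
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
mx.unsigned.example. 300 IN A 192.0.2.25
"""

def parse_dig(text):
    """Return (status, header flags, [(owner, type, rdata)]) from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags:([a-z ]*);", text, re.M)
    records = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        # Resource record lines: owner, TTL, class, type, rdata (comments start with ';').
        if len(fields) == 5 and not line.startswith(";") and fields[2] == "IN":
            records.append((fields[0].lower(), fields[3], fields[4]))
    return (status.group(1) if status else None,
            set(flags.group(1).split()) if flags else set(), records)

def dnssec_state(text, rtype):
    """Classify one answer for rtype ('A' or 'AAAA') of an MX target host."""
    status, flags, records = parse_dig(text)
    if status != "NOERROR" or not any(t == rtype for _, t, _ in records):
        return "no-answer"  # SERVFAIL here can also mean validation failed
    # An RRSIG's rdata starts with the record type it covers.
    has_sig = any(t == "RRSIG" and rd.split()[0] == rtype for _, t, rd in records)
    if "ad" in flags:  # the resolver validated the chain of trust
        return "validated"
    return "signed-not-validated" if has_sig else "unsigned"

if __name__ == "__main__":
    print(dnssec_state(SIGNED, "AAAA"), dnssec_state(UNSIGNED, "A"))
```

The AD flag is only as trustworthy as the resolver that set it and the path to that resolver, so run the query against a validating resolver you control.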

Here is a generic example of what the DNS entries should look like for example.com. The exact procedure for adding or modifying DNS records differs between DNS providers.

Host | Record | Time to live (TTL) | Priority | MX

As a side note, although these MX records are made available by Google, they are not officially supported or documented. They could change, go offline, or become unreliable at some point. I doubt this will happen anytime soon. In the past, Google has kept crucial legacy hostnames online, and some major web services are using these MX records.
