Press "Enter" to skip to content

DNSSec signed Google Apps/G Suite Email

I’ve been using Google Apps, aka Google Workspace aka Google Suite (or just G Suite) for a while now and it’s annoyed me that I was getting “marked down” on e-mail security testers such as Internet.nl and the UK Government’s National Cyber Security Centre (NCSC) Check Your Email Security Service because Gmail for Business (G Suite) didn’t support DNSSEC (Domain Name System Security Extensions) signed MX hosts.

However, I’ve managed to find Google’s DNS Sec settings which – combined with other setups on my main domains – mean I get 4 green ticks from the NCSC, 97% from Internet.nl (I’m let down by Google’s support of old TLS and Ciphers settings and no DANE TLSA records) and all green (apart from DANE) on Hardenize : so nice strong secure email!

Read more: DNSSec signed Google Apps/G Suite Email

Google normally suggest you use the following MX (Mail Exchanger) records in your DNS settings if you use G Suite:

PriorityMail Server (MX Entry)
1ASPMX.L.GOOGLE.COM
5ALT1.ASPMX.L.GOOGLE.COM
5ALT2.ASPMX.L.GOOGLE.COM
10ALT3.ASPMX.L.GOOGLE.COM
10ALT4.ASPMX.L.GOOGLE.COM
The normal suggest Google Suite Email Servers for Businesses

(The records can actually be in any order and the priority can be anything – but Google do recommend that aspmx.l.google.com is set as the “highest priority” which is actually 1)

However, after a bit of searching (using DuckDuckGo and not Google 😉 ), led me to a blog post by Nis Bornoe and Kura the following G Suite DNSSEC signed MX records:

Google’s DNSSEC Signed Mail Servers (MX Entry)
mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog
Google’s “hidden” DNS SEC Signed MX Records

These domains are hosted on Google owned Charleston Road Registry (CRR)’s .goog top level domain (not to be confused with their .google and .gle brand top-level domains: or the 98 other ones they applied for) and .goog domains can “only be registered to Google Inc and its affiliates” so you’ve got some confidence they are legitimate.

However, whilst myself and Nis and Kura do not seem to have had any problems using these IPv4 and IPv6 supported DNSSEC signed nameservers (and according to DNSlytics and WhoisXMLAPI there are over 930 domains currently using them), they are not officially supported or documented (from what we can find) and have been running since at least 2019 – so they should be reasonably safe to use.

The only “catch” may may be that, for some reason, they do NOT have a reverse DNS (Pointer aka PTR) record setup – which is actually only a problem if those mail servers are use for sending OUT email (not just receiving it) – however, many only testers do assume that your inbound and outbound mail servers are the same. I can confirm, via a test email, that outbound mail goes out via servers such as mail-wr1-f52.google.com which are correctly configured.

5 Comments

  1. Hey, just found this article. I am a Google Apps for Business user and I have DNSSEC configured for my domain… but not my Google Apps email. Did you configure these servers for your Google email DNSSEC? In my example, look at Hardenize johndball-dot-com and I don’t have DNSSEC for my email, but for my domain.

  2. Hi John,

    Yes – I did configure these servers for my Google Apps provided email – and yours, according to https://www.hardenize.com/report/johndball.com/1700667786#domain_dnssec – do look good. However, https://internet.nl/mail/johndball.com/1077231/#control-panel-6 shows that the Google mail servers you are using (alt1.aspmx.l.google.com) are not DNSSec signed – only the mx[1-4].smtp.goog. ones are signed. Otherwise it looks good.

    I have had to actually temporarily remove DNSSec from my domains as, due to Google ditching Google Domains, I’ve moved my domains over to WordPress.com who don’t currently support it 🙁

    • Thanks for following up and for the background on your move. I’ll go experiment with my email domains this weekend. Cheers!

  3. Y. K. Y. K.

    Yes, you’re right however this email server {mx*.smtp.goog} allowed by advertised MTA-STS policy.

    It means, this host supports MTA-STS, which means that it restricts which MX servers can be used and how they are configured. A host currently in the configuration is not allowed by the advertised MTA-STS policy.

    Finally, if you want to use secure mail service MTA-STS policy is important but not with your mentioned records.

  4. Great advice! Thanks for sharing.

    What priority you applied to this?
    mx1.smtp.goog
    mx2.smtp.goog
    mx3.smtp.goog
    mx4.smtp.goog

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.