I’ve been using Google Apps, aka Google Workspace aka Google Suite (or just G Suite) for a while now and it’s annoyed me that I was getting “marked down” on e-mail security testers such as Internet.nl and the UK Government’s National Cyber Security Centre (NCSC) Check Your Email Security Service because Gmail for Business (G Suite) didn’t support DNSSEC (Domain Name System Security Extensions) signed MX hosts.
However, I’ve managed to find Google’s DNS Sec settings which – combined with other setups on my main domains – mean I get 4 green ticks from the NCSC, 97% from Internet.nl (I’m let down by Google’s support of old TLS and Ciphers settings and no DANE TLSA records) and all green (apart from DANE) on Hardenize : so nice strong secure email!
Read more: DNSSec signed Google Apps/G Suite EmailGoogle normally suggest you use the following MX (Mail Exchanger) records in your DNS settings if you use G Suite:
| Priority | Mail Server (MX Entry) |
|---|---|
| 1 | ASPMX.L.GOOGLE.COM |
| 5 | ALT1.ASPMX.L.GOOGLE.COM |
| 5 | ALT2.ASPMX.L.GOOGLE.COM |
| 10 | ALT3.ASPMX.L.GOOGLE.COM |
| 10 | ALT4.ASPMX.L.GOOGLE.COM |
(The records can actually be in any order and the priority can be anything – but Google do recommend that aspmx.l.google.com is set as the “highest priority” which is actually 1)
However, after a bit of searching (using DuckDuckGo and not Google 😉 ), led me to a blog post by Nis Bornoe and Kura the following G Suite DNSSEC signed MX records:
| Google’s DNSSEC Signed Mail Servers (MX Entry) |
|---|
| mx1.smtp.goog |
| mx2.smtp.goog |
| mx3.smtp.goog |
| mx4.smtp.goog |
These domains are hosted on Google owned Charleston Road Registry (CRR)’s .goog top level domain (not to be confused with their .google and .gle brand top-level domains: or the 98 other ones they applied for) and .goog domains can “only be registered to Google Inc and its affiliates” so you’ve got some confidence they are legitimate.
However, whilst myself and Nis and Kura do not seem to have had any problems using these IPv4 and IPv6 supported DNSSEC signed nameservers (and according to DNSlytics and WhoisXMLAPI there are over 930 domains currently using them), they are not officially supported or documented (from what we can find) and have been running since at least 2019 – so they should be reasonably safe to use.
The only “catch” may may be that, for some reason, they do NOT have a reverse DNS (Pointer aka PTR) record setup – which is actually only a problem if those mail servers are use for sending OUT email (not just receiving it) – however, many only testers do assume that your inbound and outbound mail servers are the same. I can confirm, via a test email, that outbound mail goes out via servers such as mail-wr1-f52.google.com which are correctly configured.
5 Comments
Hey, just found this article. I am a Google Apps for Business user and I have DNSSEC configured for my domain… but not my Google Apps email. Did you configure these servers for your Google email DNSSEC? In my example, look at Hardenize johndball-dot-com and I don’t have DNSSEC for my email, but for my domain.
Hi John,
Yes – I did configure these servers for my Google Apps provided email – and yours, according to https://www.hardenize.com/report/johndball.com/1700667786#domain_dnssec – do look good. However, https://internet.nl/mail/johndball.com/1077231/#control-panel-6 shows that the Google mail servers you are using (alt1.aspmx.l.google.com) are not DNSSec signed – only the mx[1-4].smtp.goog. ones are signed. Otherwise it looks good.
I have had to actually temporarily remove DNSSec from my domains as, due to Google ditching Google Domains, I’ve moved my domains over to WordPress.com who don’t currently support it 🙁
Thanks for following up and for the background on your move. I’ll go experiment with my email domains this weekend. Cheers!
Yes, you’re right however this email server {mx*.smtp.goog} allowed by advertised MTA-STS policy.
It means, this host supports MTA-STS, which means that it restricts which MX servers can be used and how they are configured. A host currently in the configuration is not allowed by the advertised MTA-STS policy.
Finally, if you want to use secure mail service MTA-STS policy is important but not with your mentioned records.
Great advice! Thanks for sharing.
What priority you applied to this?
mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog