What is DNSSEC?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up SPF, DKIM, and DMARC. You feel pretty good about your email authentication. Then someone mentions DNSSEC and you wonder: is this another thing you need to worry about?

Here's the short answer. DNSSEC stands for DNS Security Extensions. It's a layer of protection added to the Domain Name System that lets resolvers verify DNS records haven't been tampered with in transit. Think of it as a chain of digital signatures, from the DNS root all the way down to your specific domain records.

Without DNSSEC, an attacker who manages to poison a DNS cache could redirect DNS lookups to forged responses. With DNSSEC, each record is signed with a private key, and the corresponding public key is published in DNS. A resolver checks the signature before trusting the record. If anything has been altered, the check fails.

What DNSSEC does not do is worth knowing. It doesn't encrypt your DNS queries (anyone watching the network can still see what you're looking up). It doesn't replace SPF, DKIM, or DMARC. Those authenticate your emails. DNSSEC authenticates your DNS records themselves. They're solving different problems at different layers.

So why does it matter for email specifically? Your DKIM public key lives in DNS. So does your SPF record. If an attacker can forge those DNS records mid-lookup, they could theoretically point a verifying mail server at a fraudulent key. DNSSEC prevents that specific attack vector by making DNS record tampering detectable.

For most small senders, DNSSEC is a security best practice rather than a deliverability requirement today. Mailbox providers like Gmail and Outlook don't currently use DNSSEC validation as a ranking signal in their spam filters. But it's becoming more common in high-security environments, and some enterprise receiving systems do check for it.

The main practical consideration is whether your DNS provider supports it. Not all of them do, and enabling it incorrectly can break DNS resolution for your entire domain (which would be much worse than not having it at all). If you're considering it, make sure your registrar and DNS host both support DNSSEC fully before you flip the switch.

Not sure if your domain's DNS setup is solid? You can check the basics with our free SPF Checker, or if you want a second pair of eyes on the whole picture, our SOS hotline is free to use.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my DNSSEC readiness

Based on my domain and DNS setup, help me understand whether enabling DNSSEC is worth the complexity for my situation. Consider: my DNS provider, whether I already have SPF, DKIM, and DMARC configured, my sending volume, and whether I'm seeing any authentication failures. Give me a ranked list of what to prioritize.

Edit the yellow boxes, then send to the AI of your choice.