What is DNSSEC?
DNSSEC (DNS Security Extensions) is a set of standards that add cryptographic signatures to DNS records. Ordinary DNS was designed without authentication: when your mail server or a recipient's server looks up a domain, it has no way to prove the answer actually came from the real owner and wasn't forged along the way. DNSSEC closes that gap by letting a domain owner sign their records and letting resolvers verify those signatures against a global chain of trust.
For email security, DNSSEC matters because almost everything depends on DNS being truthful — your SPF record, your DKIM public keys, your DMARC policy, and your MX hosts are all published in DNS. DNSSEC is also a hard prerequisite for DANE, which pins your mail server's TLS certificate in DNS.
The Problem DNSSEC Solves
Without DNSSEC, DNS answers can be spoofed or poisoned. In a cache-poisoning or on-path attack, an attacker feeds a resolver forged records — pointing your domain's MX at their server, swapping your SPF or DKIM records, or stripping a security policy — and the resolver has no way to tell the fake answer from the real one. Mail can then be silently redirected or its authentication quietly undermined.
DNSSEC makes this detectable. Because every signed record carries a signature that chains up to the DNS root, a validating resolver rejects answers whose signatures don't verify, rather than serving a forgery as if it were genuine.
How DNSSEC Works
DNSSEC builds a chain of trust from the DNS root down to your domain:
- Your DNS provider signs each record set in your zone, publishing the signatures (RRSIG records) and public keys (DNSKEY records) alongside them.
- You publish a DS record (Delegation Signer) at your registrar. It lives in the parent zone (for example, .com) and links your signed zone into the chain of trust one level up.
- Each parent vouches for its child all the way up to the root, whose key is trusted by resolvers worldwide.
- A DNSSEC-validating resolver checks these signatures on every lookup. When the chain verifies, it marks the answer "authenticated" (the AD, or Authenticated Data, flag); if a signature is missing or broken, it returns a failure instead of a forged answer.
Importantly, DNSSEC provides integrity and authenticity, not confidentiality. It proves a DNS answer is genuine and unmodified; it does not encrypt your DNS queries or your email.
Enabling DNSSEC
Turning on DNSSEC is usually two steps: enable signing at your DNS provider, then copy the resulting DS record to your domain registrar so the parent zone references it. Both halves are required — a signed zone with no DS record at the registrar is not part of the chain of trust and won't validate. Once the DS record propagates, validating resolvers worldwide begin authenticating your domain.
DNSSEC and DDMARC
DDMARC actively checks your domain's DNSSEC posture. It queries through DNSSEC-validating resolvers to determine whether your zone is signed and its chain of trust validates (secure), is simply unsigned, or is misconfigured so signatures fail (bogus), and surfaces that result in your DNS health view alongside SPF, DKIM, DMARC, MTA-STS, and TLS-RPT. Because DNSSEC is the foundation DANE is built on, DDMARC treats the two together. Check your domain's email security posture to see where you stand.
Frequently Asked Questions
Is DNSSEC required for email?
It isn't strictly required to send or receive email, but it is strongly recommended and is a hard prerequisite for DANE. DNSSEC protects the integrity of the DNS records email security depends on — your MX, SPF, DKIM, DMARC, and TLSA records — so they can't be silently forged.
Does DNSSEC encrypt my DNS queries or email?
No. DNSSEC authenticates DNS data — it proves an answer is genuine and hasn't been tampered with — but it does not encrypt anything. Encrypting DNS queries is the job of DNS over HTTPS or TLS, and encrypting email in transit is handled by TLS (see MTA-STS and DANE). DNSSEC is about integrity, not confidentiality.
What is a DS record?
A DS (Delegation Signer) record is published at your domain registrar, in the parent zone. It links your signed zone into the global DNSSEC chain of trust, so validating resolvers can verify your signatures. A signed zone without a matching DS record at the registrar will not validate.
Does DDMARC check DNSSEC?
Yes. DDMARC validates your domain's DNSSEC status through DNSSEC-validating resolvers and shows whether your zone is signed and validating, unsigned, or misconfigured, as part of your DNS health view.