I have a domain for email with DNSSEC activated. If I check DNSVIZ, it seems that all registries are protected, including MX.
1. If I create a subdomain using CF email routing, will these new MX registries be included in DNSSEC? I don’t see it in DNSVIZ results.
2. If MX registries are not pointing to CF, is the logic the same?
DNSSEC would include everything that is within the current zone.
So if you’re having “example.com” set up on Cloudflare, all records you’re publishing through that zone (e.g. under example.com), on Cloudflare, will be protected with DNSSEC, which includes the MX records of example.com, as well as any other DNS record type.
Cloudflare Email Routing is currently providing you with MX records, that reside under “mx.cloudflare.net”, and since these are also DNSSEC signed, you will gain the full DNSSEC protection all the way.
When you’re pointing MX records towards other domain names, then these other domain names would similarly need to be DNSSEC protected, in order to gain the full protection that DNSSEC can provide.
If you’re pointing towards e.g. Google Workspace, when using the typical MX records under “.l.google.com”, e.g.:
It can then be verified using DNSSEC that your domain is pointing towards Google, but when you receive the IP address “192.0.2.123” and/or “2001:0db8:beef:beef:beef:beef:beef:beef” for the DNS query to “aspmx.l.google.com”, then those IP addresses CANNOT be verified, because Google is NOT DNSSEC signing their domain name.
So in examples like with Google, you will (unfortunately) NOT have the full benefits that DNSSEC can eventually give, when certain organisations decide not to DNSSEC sign their domain names.
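The reasoning in the answer above, as an added example that is not part of the original thread: a name belongs to the closest enclosing zone, and an MX lookup is only fully protected when both the MX owner's zone and the MX target's zone are signed. The zone table, the signed/unsigned values (taken from the answer, not from live lookups) and the MX data are constructed; it assumes "signed" means the chain of trust to the parent is intact and that emails.example.com is not delegated to a separate zone.

```python
# Constructed model: zone apex -> whether that zone is DNSSEC signed.
# Values mirror what the answer above states; they are not live lookups.
ZONES = {
    "example.com": True,      # the asker's zone on Cloudflare
    "cloudflare.net": True,   # holds the Email Routing MX hosts
    "google.com": False,      # per the answer above: not signed
}

# Constructed MX records (owner name -> MX target hosts).
MX = {
    "emails.example.com": ["route1.mx.cloudflare.net"],
    "example.com": ["aspmx.l.google.com"],
}


def enclosing_zone(name, zones=ZONES):
    """Return the closest zone apex at or above `name` (longest suffix match)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def mx_protection(owner, zones=ZONES, mx=MX):
    """Per MX target: can the MX record and the target's address both be validated?"""
    zone = enclosing_zone(owner, zones)
    mx_signed = bool(zone and zones[zone])
    report = []
    for target in mx.get(owner, []):
        tzone = enclosing_zone(target, zones)
        addr_signed = bool(tzone and zones[tzone])
        report.append({
            "target": target,
            "mx_zone": zone, "mx_validated": mx_signed,
            "target_zone": tzone, "address_validated": addr_signed,
            "full_chain": mx_signed and addr_signed,
        })
    return report


if __name__ == "__main__":
    for owner in MX:
        for row in mx_protection(owner):
            print(owner, row)
```

If emails.example.com were delegated to its own zone, adding it to the zone table would make it the enclosing zone, and its own signing status would then decide the result.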
My idea is to manually create MX records to create this email subdomain, something like emails.example.com. So, I will be able to email [email protected]
Hi
Thanks for your help.
It is not clear to me what the scope of a ‘zone’ is. Maybe it is considered the same zone and DNSSEC also applies to emails.example.com?