I am not familiar with DNSSEC. Therefore, I have two questions.

  1. Should DNSSEC be enabled for a domain that is exclusively used for email?

  2. I have read that some websites have encountered issues in the past when DNSSEC is enabled for domains providing website services. How can I know if there will be issue with a domain? Must I use the trial and error approach?

Thank you,

— John

That’s not service related. Whether you configure DNSSEC is up to you and does not depend on how you use the domain.

That sometimes happens when you transfer a domain or change DNS provider. The DNSSEC configuration at your registrar always needs to match the one of your DNS provider, but apart from that it usually is straightforward.

Enabling DNSSEC is a nice goodie, I wouldn’t expect it to dramatically improve your domain’s security :slight_smile:

1 Like

Also, with a mail-only domain, the question will be if the relevant MTA will actually use a validating resolver. If it doesn’t, DNSSEC is a bit pointless. Of course, DNSSEC could still be useful if you use your domain to connect to your mail server.

That is not to say don’t enable DNSSEC. Please do so if you feel comfortable. I am just saying not to assume DNSSEC will solve all security issues. Again a nice goodie that you can certainly enable, but proper transport security of your application protocol (and that’s not exactly a strength of Cloudflare) will probably be more important.

1 Like

Thank you for the feedback.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.