Glossary

DNSSEC — DNS Security Extensions Explained

DNSSEC (DNS Security Extensions) is a suite of protocols that add cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and have not been tampered with. DNSSEC protects against DNS cache poisoning and man-in-the-middle attacks on DNS queries. It requires coordination between your DNS hosting provider and your domain registrar.

How DNSSEC Works

Your DNS zone is signed with a private key. The corresponding public key is published in DNS and linked to your registrar via DS records. Resolvers use the chain of trust to verify every DNS response.

DNSSEC vs Email Authentication

DNSSEC protects DNS queries themselves — not email content. SPF, DKIM, and DMARC authenticate email. Both are independent but complementary.

Start with email auth on DNS Preflight

Open DNS Preflight →

FAQ

What is DNSSEC?

A DNS extension that adds cryptographic signatures to verify DNS responses are authentic and unmodified.

Do I need DNSSEC for email security?

DNSSEC is separate from email authentication. SPF, DKIM, and DMARC protect email. DNSSEC protects DNS queries. Both are good practice but independent.

How do I enable DNSSEC?

Enable it in your DNS provider's dashboard, then publish the DS record at your domain registrar. Both steps are required.

← All glossary terms