Is it safe to email DNS records?

Key findings

• Public accessibility: DNS records are by design publicly available and discoverable via various online tools. Sharing them does not expose new, sensitive information.
• Purpose of records: DNS records, such as SPF, DKIM, and DMARC, are crucial for email authentication and deliverability, ensuring emails reach their intended recipients securely.
• No direct risk: Possessing a domain's DNS records does not grant an attacker the ability to use the domain for their own purposes, such as sending emails or hosting websites. That requires access to the domain's DNS hosting account.
• Headers provide info: Much of the relevant DNS information for email can be found by examining the headers of any email sent from that domain.

Key considerations

• Credentials vs. records: Never email DNS hosting credentials (usernames, passwords) or private keys (e.g., DKIM private keys). These are highly sensitive and must be kept secure.
• Data exposure: While DNS records themselves are public, sending them via email (especially unencrypted) could expose them if the email account is compromised. However, this is largely redundant given their public nature.
• SPF record length: Be mindful of SPF record limitations, particularly the 10-lookup limit, which can impact deliverability if not properly managed.
• Security enhancement: Proper configuration of DNS records for email (SPF, DKIM, DMARC) is a fundamental step in enhancing email security and reliability.

Key opinions

• Public information: Many marketers acknowledge that DNS records are publicly accessible, reducing the security risk of emailing them.
• Deliverability focus: The primary concern for marketers is often the correct setup of DNS records for optimal email deliverability, rather than the act of emailing them.
• Separation of concerns: Marketers understand the clear difference between sharing DNS record values and sharing sensitive DNS hosting credentials.
• Trust and diligence: Projects involving DNS changes require due diligence to ensure no unintended security vulnerabilities arise, even if the records themselves are public.

Key considerations

• Risk mitigation: While the records are public, any information transmitted via email could theoretically be intercepted. This reinforces the need for secure email practices in general, especially when sharing any technical details.
• Domain reputation: The proper configuration of DNS records, particularly SPF, DKIM, and DMARC, directly impacts domain reputation and prevents issues like spoofing. This is where the real security value lies.
• Avoiding credentials: It is critical for marketers and anyone handling domain settings to understand that DNS records are not credentials, and the latter should never be emailed.
• Subdomain management: When using subdomains for email sending, marketers need to ensure the correct DNS records are in place for each subdomain to maintain deliverability and authentication.

Key opinions

• Open by design: DNS records are inherently public and must be published to function, making emailing them largely benign.
• No risk of misuse: Simply possessing DNS records, even through an intercepted email, does not grant a malicious actor the ability to spoof a domain or use it illicitly.
• Credentials are key: The only truly sensitive information is the login credentials for the DNS hosting provider, which enable modification of records.
• Private key caution: While most DNS records are public, a DKIM private key is an exception and should never be emailed or shared insecurely.

Key considerations

• Domain control: Domain's DNS host access should be extremely closely guarded, as it is the gateway to controlling a domain's online presence, including email.
• Email chain exploitation: Although records are public, sending them via email might seem to 'make it easier' for a malicious actor if they could exploit the email chain itself, but this is a low-probability risk compared to other methods of obtaining public DNS data.
• MX record importance: Experts underline the crucial role of MX records in ensuring emails are delivered to the correct recipients.
• Reverse DNS: Beyond standard records, experts also advise on the importance of reverse DNS resolution (PTR records) for maintaining strong email deliverability.

Key findings

• Authentication standards: Documentation emphasizes that SPF, DKIM, and DMARC records are standards for email authentication, verifying sender legitimacy and preventing spoofing.
• Mail exchange: MX (Mail Exchange) records are critical for directing incoming emails to the correct mail server for a domain.
• Deliverability: Proper DNS configuration, as outlined in documentation, directly impacts email deliverability, ensuring messages reach the inbox.
• Security enhancement: Implementing these DNS records significantly enhances email security by protecting against spam and phishing.

Key considerations

• Record placement: Documentation specifies where various DNS records should be placed within a domain's DNS settings for optimal functionality.
• Absence of records: Without the necessary DNS records, documentation warns that emails are far less likely to be delivered, or may even be rejected outright.
• Domain vs. subdomains: Documentation often provides specific guidance for configuring DNS records for both root domains and subdomains used for email sending.
• Authentication changes: Recent updates in email authentication standards (e.g., by Google and Yahoo) necessitate the proper setup of SPF, DKIM, and DMARC for any domain sending email.