Tip: if you're using Gmail for mail on your own domain, change your MX records to mx[1-4].smtp.goog to get DNSSEC+DANE protection on your email.
You have to use Google's new vanity TLD .goog for this because their internal DNS infrastructure on the google.com domain is so backwards they can't add DNSSEC on it.
I think the main reason is that they've done tests and identified that something like 1% of connections to their domains will break if they deploy DNSSEC. They don't see it as having enough value to go through with it. Ironically, the main reason for that is probably pinning...
It is really needed for email though. I think making the case that they should be doing pinning for email as they do for other services is the strongest argument. They're already providing a way to do DNSSEC, so they should finish it up with the same pinning as elsewhere.

