Is it possible for a name server provider to hijack MX records?

Yes, your registrar can hijack not only your MX records, but your entire DNS.

Not only that - but they can then proceed to intercept mail sent to your domain, get a valid CA-signed SSL certificate for your domain, and host a site for your domain using the trusted SSL certificate. And DNSSEC won't prevent any of this.

One of the primary functions of your registrar is to register the nameservers for your domain. For example, if you do a whois lookup for stackexchange.com, you'll see that the registrar for stackexchange.com is eNom, LLC., and that the nameservers for stackexchange.com are hosted by Google Cloud and Amazon AWS. So, the DNS for stackexchange.com is handled by Google Cloud and Amazon AWS.

In the example that you gave in your question, cheap-unsecure-domains is the registrar for yourdomain.example. With cheap-unsecure-domains, you specified Cloudflare's nameservers as nameservers for yourdomain.example. So, DNS for yourdomain.example is handled by Cloudflare's nameservers. Then, in Cloudflare's control panel, you set up your DNS records for yourdomain.example, including your A records, MX records, etc.

So if cheap-unsecure-domains wanted to intercept your mail - they wouldn't need to hack into your account at Cloudflare to change your DNS records. They would simply change the nameservers for yourdomain.example to their own, then create MX records for yourdomain.example in their nameservers to point to their own mail servers. Then, they would start receiving mail sent to your domain.

Interestingly, they could start receiving mail for yourdomain.example securely using SMTP STARTTLS, without even getting an SSL certificate for yourdomain.example. They could just use their own certificate. See https://blog.filippo.io/the-sad-state-of-smtp-encryption/.

Now, things get more insidious. They can start receiving mail for [email protected] (or [email protected], or any of the other designated approved email addresses used for SSL domain validation). Then, they can request an SSL certificate for yourdomain.example from a trusted CA, and when the CA sends the verification link to [email protected], they'll receive it, and the CA will issue the certificate. Now, they can set up an A record for www.yourdomain.example, and run a site with a valid certificate for www.yourdomain.example.

At this point, you might be wondering - can't this type of attack be prevented using DNSSEC? The answer is no. DNSSEC records are stored in the DNS for the domain. When the registrar changes the nameservers for yourdomain.example to their own, the DNSSEC records that you created for yourdomain.example are gone, along with all of the other DNS records that you created. See https://moxie.org/blog/ssl-and-the-future-of-authenticity/ for more info.


In theory it should be possible for cheap-unsecure-domains to hijack our MX records answering them by itself instead of referring to Cloudflare. Is this correct?

Yes it would be possible for them to do this. Although they can't without you noticing. So you can monitor this.

If yes is there any type of protection against this kind of attacks? Except using something like GPG.

Use a reputable domain registrar, not necessarily a cheap one. Monitor your DNS.
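The first answer describes the hijack as a change the registrar makes at the parent (TLD) zone: the NS delegation is swapped, and the records you keep at your DNS host (MX, DS, everything) simply stop being consulted. "Monitor your DNS" therefore means monitoring the delegation as the parent publishes it, not only the records your own nameservers return. The script below is an added example, not code from either answer. It assumes a baseline you recorded when the domain was set up (the expected NS set at the parent, the expected MX hosts, and whether a DS record should exist) and compares a snapshot against it; the hostnames in the sample data are constructed, and the live lookup uses dnspython (`pip install dnspython`), which is only needed when you pass a domain on the command line.

```python
"""Delegation and MX monitor for a domain delegated to a third-party DNS host.

Added example; not code from the original answers. Baseline values and the
sample snapshots below are constructed. Live lookups (fetch_snapshot) need
dnspython; the comparison logic is pure Python and runs offline.
"""
from dataclasses import dataclass
from typing import Iterable, List


def norm(names: Iterable[str]) -> frozenset:
    """Lowercase and strip the trailing dot so 'NS1.Example.COM.' == 'ns1.example.com'."""
    return frozenset(n.lower().rstrip(".") for n in names)


@dataclass(frozen=True)
class Baseline:
    domain: str
    ns: frozenset          # delegation NS set you expect the parent zone to publish
    mx: frozenset          # MX exchange hosts you expect in your zone
    ds_expected: bool      # True if you enabled DNSSEC, so a DS must exist at the parent


@dataclass(frozen=True)
class Snapshot:
    parent_ns: frozenset   # NS set actually returned by a parent (TLD) server
    mx: frozenset          # MX exchange hosts actually resolving right now
    ds_present: bool       # whether the parent currently serves a DS for the domain


def compare(base: Baseline, snap: Snapshot) -> List[str]:
    """Return alert strings; an empty list means the delegation looks intact."""
    alerts = []
    if snap.parent_ns != base.ns:
        alerts.append(f"NS delegation changed at parent: expected {sorted(base.ns)}, "
                      f"got {sorted(snap.parent_ns)}")
    if snap.mx != base.mx:
        alerts.append(f"MX changed: expected {sorted(base.mx)}, got {sorted(snap.mx)}")
    if base.ds_expected and not snap.ds_present:
        alerts.append("DS record missing at parent (DNSSEC chain of trust broken)")
    return alerts


def fetch_snapshot(domain: str, timeout: float = 5.0) -> Snapshot:
    """Live lookup with dnspython. The NS set is asked from a parent-zone server
    with recursion disabled, so we see the referral the registrar published rather
    than the apex NS records your own nameservers serve."""
    import dns.flags, dns.message, dns.query, dns.rdatatype, dns.resolver

    parent = domain.split(".", 1)[1]                       # "example" for "yourdomain.example"
    tld_host = dns.resolver.resolve(parent, "NS")[0].target.to_text()
    tld_ip = dns.resolver.resolve(tld_host, "A")[0].address

    q = dns.message.make_query(domain, dns.rdatatype.NS)
    q.flags &= ~dns.flags.RD                               # non-recursive: we want the referral
    resp = dns.query.udp(q, tld_ip, timeout=timeout)
    parent_ns = {rr.target.to_text()
                 for rrset in resp.answer + resp.authority
                 if rrset.rdtype == dns.rdatatype.NS
                 for rr in rrset}

    try:
        mx = {rr.exchange.to_text() for rr in dns.resolver.resolve(domain, "MX")}
    except dns.resolver.NoAnswer:
        mx = set()
    try:
        dns.resolver.resolve(domain, "DS")
        ds_present = True
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        ds_present = False
    return Snapshot(norm(parent_ns), norm(mx), ds_present)


# Constructed sample data for yourdomain.example (hostnames are placeholders).
BASELINE = Baseline(
    domain="yourdomain.example",
    ns=norm({"ns1.dnshost.example", "ns2.dnshost.example"}),
    mx=norm({"mx1.mailhost.example"}),
    ds_expected=True,
)
HEALTHY = Snapshot(parent_ns=BASELINE.ns, mx=BASELINE.mx, ds_present=True)
# What the registrar-side hijack from the first answer looks like from outside:
# the parent now refers to the registrar's own servers, the MX points at their
# mail host, and the DS you published is gone along with the rest of your zone.
HIJACKED = Snapshot(
    parent_ns=norm({"ns1.cheap-unsecure-domains.example"}),
    mx=norm({"mail.cheap-unsecure-domains.example"}),
    ds_present=False,
)

if __name__ == "__main__":
    import sys
    snap = fetch_snapshot(sys.argv[1]) if len(sys.argv) > 1 else HIJACKED
    for alert in compare(BASELINE, snap) or ["OK: delegation and MX unchanged"]:
        print(alert)
```

Run it from cron against your real baseline and page on any non-empty result. Checking the parent's referral is the part that matters: a query through your normal recursive resolver may keep returning cached answers from your DNS host for a while after the delegation has been swapped, and an attacker who only changes the delegation leaves your Cloudflare zone untouched, so looking at the control panel shows nothing wrong.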


"In theory it should be possible for cheap-unsecure-domains to hijack our MX records. Is this correct?"

This is correct for a domain registrar company that is not reputable and whose security is to be considered lackluster! Good companies offer security services and suites for their customers, but this often comes at a cost, hence there are users who frequent other alternatives like these 'cheap-unsecure-domains companies'.

The most common practices to thwart such attacks (hijacking/social engineering/identity theft) would be,

  • The standard good ol' cyber hygiene (strong passwords, two-factor authentication (2FA) on your 'domain control panel' and your domain owner email account)
  • Avoid disreputable domain host providers (a good percentage of hijacking comes from exploiting a vulnerability in the domain name registrar's system)
  • Keep your domain details and contact information up-to-date, and set notifications if changes are made (more of a recovery practice).

You've mentioned using Cloudflare as your control panel. They do offer a suite of security services at your disposal. Their DNSSEC might be suited for you.