# Email DNS — stripe.com

**Mail provider:** Google Workspace

## MX

- `10` aspmx.l.google.com
- `20` alt1.aspmx.l.google.com
- `20` alt2.aspmx.l.google.com
- `30` aspmx2.googlemail.com
- `30` aspmx3.googlemail.com

## SPF

```
v=spf1 ip4:198.2.180.60/32 ip4:13.111.2.227/32 include:spf1.stripe.com include:greenhouse-outbound-mail.stripe.com include:_spf.qualtrics.com ~all
```

DNS lookups: 7 / 10

## DKIM

Selectors checked: 18
Selectors found: `google`, `s1`, `s2`, `mandrill`

## DMARC

```
v=DMARC1; p=reject; pct=100; fo=1; rua=mailto:dmarc-reports@stripe.com; ruf=mailto:dmarc-forensics@stripe.com;
```

- policy: `p=reject`
- pct: 100
- rua: 1 address

---

MX, SPF, DMARC are all set. Mail appears to be handled by Google Workspace. DKIM keys found at selectors `google`, `s1`, `s2`, `mandrill`.

stripe.com has 5 MX records, pointing at aspmx.l.google.com, alt1.aspmx.l.google.com, alt2.aspmx.l.google.com, aspmx2.googlemail.com, aspmx3.googlemail.com. That hostname pattern matches Google Workspace.

stripe.com publishes an SPF record ending in ~all, which is a soft-fail policy — mail from senders outside the listed mechanisms is allowed through but marked as suspicious. It consumes 7 of the 10 DNS lookups allowed by RFC 7208 §4.6.4 (SPF treats include:, redirect=, a, mx, ptr, and exists: as lookups that count against the limit).

DKIM keys were found at 4 selectors: `google`, `s1`, `s2`, `mandrill`. Multiple selectors usually indicates key rotation or multiple sending sources (e.g. one for transactional mail, one for marketing). Mail from this domain is signed cryptographically.

stripe.com publishes a DMARC record with policy `p=reject` — mail that fails DMARC alignment should be rejected outright by receivers. Aggregate reports are being sent to 1 address (rua), which is how the domain owner sees who's authenticating against this domain.

— canaryfleet.com — free email DNS checker
For ongoing monitoring of MX, SPF, DKIM, DMARC, SSL, uptime and more, see canaryfleet.com