DNS Record Types Explained: A Complete Developer Guide
DNS (Domain Name System) is one of those technologies that works invisibly until it breaks — and when
it does, everything from your website to your email goes down. Understanding each record type, how
they interact, and how to configure them correctly is essential knowledge for any developer who owns
or manages a domain.
Use our DNS Lookup tool to query live DNS records for any domain as you read.
1. How DNS Resolution Actually Works
When you type example.com into a browser, a chain of queries happens in under 100ms:
- Browser cache — checked first. If the IP was recent, done.
- OS resolver cache — your machine's local DNS cache.
- Recursive resolver — typically your ISP's or a public one (Cloudflare 1.1.1.1, Google 8.8.8.8). It does the heavy lifting from here.
- Root nameservers — 13 sets of servers (a.root-servers.net through m.root-servers.net). They don't know your IP, they know which TLD servers handle .com.
- TLD nameservers — Verisign's servers handle .com. They don't know your IP, they know which nameservers are authoritative for example.com.
- Authoritative nameserver — your DNS provider (Cloudflare, Route 53, your registrar). It has the actual records and returns the answer.
The recursive resolver caches the answer for the duration of the TTL, then the whole chain repeats.
This is why changing DNS records isn't instant — every resolver in the world that has your old record cached keeps serving it until its cached copy expires.
2. A and AAAA Records — IPv4 and IPv6
A Record — IPv4
Maps a hostname directly to an IPv4 address. This is the most fundamental DNS record.
example.com. 300 IN A 203.0.113.42
www.example.com. 300 IN A 203.0.113.42
You can have multiple A records for the same hostname, pointing to different IPs. DNS resolvers
return all of them, and most clients use round-robin load balancing across them. This is the
simplest form of DNS-based load balancing.
AAAA Record — IPv6
The same concept but for IPv6 addresses. An AAAA record should exist alongside an A record for
dual-stack support. Modern clients prefer IPv6 when available (Happy Eyeballs algorithm).
example.com. 300 IN AAAA 2001:db8::1
Root domain rule: You cannot put a CNAME at the root domain (example.com) —
only at subdomains. At the root, you must use an A or AAAA record, or an ALIAS/ANAME record
if your DNS provider supports it (Cloudflare calls this a "proxied CNAME flattening").
3. CNAME Records — Aliases
A CNAME (Canonical Name) points a hostname to another hostname. The second hostname is then
resolved through its own DNS records. This chain of resolution is the key difference from an A record.
www.example.com. 300 IN CNAME example.com.
blog.example.com. 300 IN CNAME mysite.netlify.app.
api.example.com. 300 IN CNAME myapp.us-east-1.elb.amazonaws.com.
When to use CNAME vs A
- Use CNAME when pointing a subdomain to a cloud provider's hostname (load balancers, CDNs, PaaS) — their IP changes and you can't hard-code it
- Use A record for root domain, for servers with stable IPs, or when resolution speed matters (CNAME adds one extra lookup)
- Never use CNAME for the root domain (@ / naked domain) — it breaks MX, TXT, and other records at that level per RFC 1034
CNAME Chains
A CNAME can point to another CNAME, but this is bad practice. Each hop adds a DNS query round-trip. Limit chains to one level. Most DNS providers cap chain depth at 8–10 hops before returning SERVFAIL.
4. MX Records — Email Routing
MX (Mail Exchanger) records specify which mail servers receive email for your domain.
Each MX record has a priority (preference) value — lower numbers have higher priority.
example.com. 3600 IN MX 10 mail1.example.com.
example.com. 3600 IN MX 20 mail2.example.com. ; fallback
example.com. 3600 IN MX 10 aspmx.l.google.com. ; Google Workspace
When another mail server sends email to [email protected], it queries your MX records,
sorts by priority, and connects to the lowest-priority server first. Equal-priority records get
random selection (load distribution).
MX must point to a hostname, not an IP. RFC 5321 requires MX records to point to
A/AAAA records, not IP addresses directly. MX 10 203.0.113.1 is invalid.
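The CNAME and MX rules above can be checked mechanically before a zone is published. This is an added example, not code from the guide; the zone it checks is constructed sample data, and the chain-depth limit of one hop follows the guide's recommendation rather than any resolver's hard cap.

```python
# Added example, not code from the guide: checks the record rules stated above
# (no CNAME at the apex or beside other records, MX targets are hostnames,
# CNAME chains stay at one hop). SAMPLE_ZONE is constructed data.
import ipaddress
from collections import defaultdict

SAMPLE_ZONE = [  # (owner, type, rdata), names fully qualified
    ("example.com.", "A", "203.0.113.42"),
    ("example.com.", "MX", "10 mail1.example.com."),
    ("example.com.", "MX", "20 203.0.113.1"),            # invalid: IP literal
    ("www.example.com.", "CNAME", "example.com."),
    ("www.example.com.", "TXT", "\"verify=abc\""),       # invalid beside a CNAME
    ("blog.example.com.", "CNAME", "www.example.com."),  # two-hop chain
    ("api.example.com.", "CNAME", "myapp.us-east-1.elb.amazonaws.com."),
]

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def cname_hops(zone, owner):
    """Follow CNAMEs inside the zone; a loop is reported as float('inf')."""
    targets = {o: r for o, t, r in zone if t == "CNAME"}
    hops, seen = 0, set()
    while owner in targets:
        if owner in seen:
            return float("inf")
        seen.add(owner)
        owner, hops = targets[owner], hops + 1
    return hops

def validate_zone(zone, apex):
    """Return human-readable problems; an empty list means the zone passes."""
    problems, by_owner = [], defaultdict(list)
    for owner, rtype, rdata in zone:
        by_owner[owner].append((rtype, rdata))
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types:
            if owner == apex:
                problems.append(f"{owner}: CNAME at the zone apex (use A/AAAA or ALIAS)")
            if types != {"CNAME"}:
                problems.append(f"{owner}: CNAME beside {sorted(types - {'CNAME'})} records")
            if cname_hops(zone, owner) > 1:
                problems.append(f"{owner}: CNAME chain deeper than one hop")
        for rtype, rdata in rrs:
            target = rdata.split()[-1]
            if rtype == "MX" and is_ip_literal(target):
                problems.append(f"{owner}: MX target {target} must be a hostname")
    return problems
```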
5. TXT Records — Email Authentication and Verification
TXT records store arbitrary text. Their primary modern use is email authentication — three
standards work together to prove your emails are legitimate:
SPF — Sender Policy Framework
An SPF record lists all IP addresses and services authorized to send email for your domain.
Receiving mail servers check it to decide whether to accept or reject incoming mail.
; Allow Google Workspace + Sendgrid + your own server
example.com. TXT "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.42 -all"
; -all = reject mail from unlisted sources (hard fail)
; ~all = mark as soft fail (recommended while testing)
; ?all = neutral (never use in production)
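To see how the qualifiers on `all` decide the outcome for an unlisted sender, here is an added example (not code from the guide) that evaluates a sending IP against the record above. DNS is replaced by a constructed dictionary so it runs offline; the `_spf.google.com` and `sendgrid.net` entries are made-up stand-ins, not those providers' real records.

```python
# Added example, not code from the guide: evaluates a sending IP against the
# v=spf1 terms shown above (ip4, ip6, include, all) and their qualifiers.
# SPF_TXT is a constructed stand-in for TXT lookups so this runs offline.
import ipaddress

SPF_TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.42 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",   # constructed, not Google's
    "sendgrid.net": "v=spf1 ip6:2001:db8:ff::/48 ?all",      # constructed, not Sendgrid's
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Return (result, matching term). Only ip4/ip6/include/all are implemented;
    a/mx/exists/ptr need live DNS and are skipped here."""
    terms = SPF_TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none", None
    if depth > 10:                 # RFC 7208 limits DNS-querying terms; also stops loops
        return "permerror", None
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"                 # an unqualified mechanism means "pass"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qual], "all"
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER[qual], term
        elif mech == "include":
            # include matches only when the included record itself yields "pass"
            if check_spf(arg, ip, depth + 1)[0] == "pass":
                return QUALIFIER[qual], term
    return "neutral", None         # nothing matched and no trailing "all"
```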
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to every outgoing email. The public key is published in DNS;
the private key is held by your mail server. Receiving servers verify the signature to confirm
the email was not modified in transit and genuinely originated from your domain.
; Key selector: "google" (set by your email provider)
google._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
DMARC — Policy and Reporting
DMARC ties SPF and DKIM together. It defines what receiving servers should do when a message
fails SPF and DKIM checks, and where to send aggregate reports about authentication results.
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]"
; p=none → monitor only (good for initial rollout)
; p=quarantine → send failing mail to spam
; p=reject → block failing mail entirely (strongest protection)
TXT records are also used for domain ownership verification by Google Search Console,
SSL certificate issuance (ACME DNS-01 challenge), Microsoft 365 setup, and many other services.
6. NS Records — Nameserver Delegation
NS (Name Server) records specify which DNS servers are authoritative for your domain.
They are set at your domain registrar and delegate authority to your DNS provider.
example.com. 86400 IN NS ns1.cloudflare.com.
example.com. 86400 IN NS ns2.cloudflare.com.
You can delegate a subdomain to a different nameserver entirely — useful for giving
a client or team control over their own subdomain:
; Delegate staging.example.com to a separate nameserver
staging.example.com. 86400 IN NS ns1.staging-dns-provider.com.
NS records typically have a long TTL (86400 seconds = 24 hours) because nameserver
changes are rare and resolvers cache them aggressively. Changing nameservers always
requires patience — you must wait for the old NS TTL to expire globally.
7. SOA Record — Zone Authority
SOA (Start of Authority) is automatically managed by your DNS provider. It contains
administrative information about the DNS zone: which nameserver is the primary, the zone
administrator's email, and timing parameters that secondary nameservers use to sync.
example.com. 3600 IN SOA ns1.cloudflare.com. dns.cloudflare.com. (
2026032601 ; Serial (often YYYYMMDDNN)
7200 ; Refresh — how often secondaries check for updates
3600 ; Retry — how often to retry after a failed refresh
1209600 ; Expire — how long secondaries serve data without contact
300 ; Negative TTL — how long to cache NXDOMAIN responses
)
You generally don't need to manually edit the SOA record. The most practically relevant
field is the Negative TTL — it controls how long
"this record does not exist" responses are cached. A short negative TTL (300s)
means typos and missing records are corrected quickly. A long one means a mistyped
subdomain lookup stays cached as NXDOMAIN for a long time.
8. SRV Records — Service Location
SRV (Service) records advertise which host and port provides a specific service.
Commonly used by VoIP (SIP), XMPP/Jabber, Microsoft Lync/Teams, and game servers.
; Format: _service._proto.name TTL IN SRV priority weight port target
_sip._tcp.example.com. 3600 IN SRV 10 60 5060 sip.example.com.
_xmpp._tcp.example.com. 3600 IN SRV 5 0 5222 xmpp.example.com.
Clients that support SRV discovery (like VoIP phones and XMPP clients) query this record
instead of needing hard-coded hostnames and ports. Priority and weight work like MX
records — lower priority is preferred; equal-priority records are weighted randomly.
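The priority/weight selection that SRV-aware clients perform is specified in RFC 2782; the following added example (not code from the guide) implements it for a constructed `_sip._tcp` record set, with the random source injectable so the order can be reproduced.

```python
# Added example, not code from the guide: orders SRV targets the way RFC 2782
# tells clients to (lowest priority first; within a priority, weighted random
# choice where weight 0 means "only when nothing else is left"). SRV_RRS is constructed.
import random

SRV_RRS = [  # (priority, weight, port, target), like the _sip._tcp example above
    (10, 60, 5060, "sip1.example.com."),
    (10, 40, 5060, "sip2.example.com."),
    (10, 0, 5060, "sip-spare.example.com."),
    (20, 0, 5060, "sip-backup.example.com."),
]

def order_srv(records, randint=random.randint):
    """Return [(target, port), ...] in the order a client should try them.
    randint(a, b) is injectable so the selection can be made deterministic."""
    by_priority = {}
    for prio, weight, port, target in records:
        by_priority.setdefault(prio, []).append((weight, port, target))
    ordered = []
    for prio in sorted(by_priority):
        # RFC 2782: unordered RRs with weight 0 are placed at the front of the list
        pool = sorted(by_priority[prio], key=lambda r: r[0] != 0)
        while pool:
            pick = randint(0, sum(w for w, _, _ in pool))
            running = 0
            for i, (weight, port, target) in enumerate(pool):
                running += weight
                if running >= pick:        # first RR whose running sum reaches the pick
                    ordered.append((target, port))
                    del pool[i]
                    break
    return ordered

def first_choice_share(records, trials=20000, seed=1):
    """Fraction of trials in which each target is tried first (weights at work)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        target = order_srv(records, rng.randint)[0][0]
        counts[target] = counts.get(target, 0) + 1
    return {t: n / trials for t, n in counts.items()}
```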
9. CAA Records — Certificate Authority Authorization
CAA records restrict which Certificate Authorities (CAs) are permitted to issue SSL
certificates for your domain. Without a CAA record, any CA can issue for your domain.
; Only Let's Encrypt and DigiCert may issue
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuewild "letsencrypt.org" ; wildcard certs
example.com. CAA 0 iodef "mailto:[email protected]" ; violation reports
The iodef tag sends violation reports when an unauthorized CA receives a
certificate request for your domain — giving you visibility into attempted attacks.
Important: CAA records are checked at certificate issuance time, not at connection
time. They prevent unauthorized certs being issued, not the use of already-issued ones.
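The issuance-time check a CA performs against these records follows RFC 8659. As an added example (not code from the guide), the function below applies those rules to a constructed zone: climb toward the root until a CAA set is found, use `issuewild` for wildcard requests, treat a bare `;` as "nobody", and refuse when an unknown tag carries the critical flag. The iodef address is a placeholder, and CNAME redirection is not followed.

```python
# Added example, not code from the guide: decides whether a CA may issue for a
# name under the CAA rules above (RFC 8659): climb toward the root to find the
# relevant RRset, use issuewild for wildcard requests, and ';' means nobody.
# CAA_RRS is a constructed zone; CNAME redirection is not followed here.
CAA_RRS = {  # owner -> [(flags, tag, value)]
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:caa-reports@example.com"),  # placeholder address
    ],
    "locked.example.com": [(0, "issue", ";")],            # nobody may issue
    "strict.example.com": [(128, "futuretag", "x")],      # unknown critical tag
}

def relevant_caa(name):
    """Return the CAA RRset of the closest ancestor-or-self that has one, else None."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = CAA_RRS.get(".".join(labels))
        if rrset is not None:
            return rrset
        labels.pop(0)
    return None

def caa_permits(requested_name, ca_domain):
    """True if ca_domain may issue a certificate for requested_name."""
    wildcard = requested_name.startswith("*.")
    rrset = relevant_caa(requested_name[2:] if wildcard else requested_name)
    if rrset is None:
        return True                       # no CAA anywhere in the tree: unrestricted
    # An unknown tag marked critical (flag bit 128) must make the CA refuse
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        values = [v for _, t, v in rrset if t == tag]
        if values:
            # value is "<issuer-domain>[; params]"; a bare ";" yields "" = nobody
            allowed = {v.split(";")[0].strip() for v in values}
            return ca_domain in allowed
    return True                           # CAA present but no issue restriction
```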
10. TTL Strategy — How Long to Cache Your Records
| Record type | Recommended TTL | Reasoning |
|---|---|---|
| A / AAAA | 300–3600 | Shorter = faster failover; longer = fewer queries |
| CNAME | 300–3600 | Same as above; matches target record TTL |
| MX | 3600 | Mail servers cache this; changes are rare |
| TXT (SPF/DKIM) | 3600 | Email auth lookups happen per-message; cache helps |
| TXT (verification) | 300 | Can be removed after verification; short TTL = less cleanup |
| NS | 86400 | Rarely changes; long cache reduces root/TLD queries |
| Pre-migration (any) | 300 | Lower 24–48h before a planned change for faster cutover |
Frequently Asked Questions
What is the difference between a CNAME and an A record?
An A record maps a hostname directly to an IPv4 address. A CNAME creates an alias to another hostname. Use A records at the root domain and for stable IPs. Use CNAME for subdomains pointing to cloud service hostnames. Never use CNAME at the root domain.
Why does DNS propagation take up to 48 hours?
Because resolvers worldwide cache your records until their TTL expires. To speed up planned changes, lower the TTL to 300 seconds 24–48 hours before making the change. After propagation completes, raise it back.
What are SPF, DKIM, and DMARC?
Three email authentication standards stored as TXT records. SPF authorizes which servers can send for your domain. DKIM signs outgoing messages cryptographically. DMARC enforces policy when SPF/DKIM fail and collects reports. You need all three for reliable email delivery.
What is the difference between MX priority 10 and 20?
Lower numbers = higher priority. Priority 10 is tried before 20. Equal priority records share load randomly.
What is a CAA record?
Restricts which CAs can issue SSL certificates for your domain. Prevents unauthorized certificate issuance. Add one if you want to lock down who can issue certs for your domain.
What is DNSSEC?
Adds cryptographic signatures to DNS records to prevent cache poisoning. Enable it if your registrar and DNS provider support it. Key rotation must be done carefully — mistakes can take your domain offline.