Network
DNS Record Type Reference Guide
A reference covering the DNS record types you need for running mail and websites — A, MX, TXT, SPF, DKIM, DMARC and more — with purpose, syntax examples, and gotchas for each.
| Type | Purpose | Example | Note |
|---|---|---|---|
| A record | The most basic record type, mapping a domain name to an IPv4 address. It points to where a web server or mail server actually lives. | example.com. 3600 IN A 192.0.2.1 |
A TTL that is too short (3600 seconds = 1 hour in this example) increases load from repeated lookups against the authoritative server; too long delays propagation when the IP address changes. |
| AAAA record | Maps a domain name to an IPv6 address — essentially the IPv6 counterpart of the A record. | example.com. 3600 IN AAAA 2001:db8::1 |
Keeping an A record alongside it lets networks without IPv6 support fall back to IPv4 connectivity (dual-stack operation). |
| CNAME record | Treats one hostname as an alias for another canonical hostname — for example, pointing www.example.com to example.com. | www.example.com. 3600 IN CNAME example.com. |
A hostname with a CNAME cannot have other records (such as MX or TXT) coexist on it (a constraint from RFC 1034). A CNAME also cannot be set at the zone root (@). |
| MX record | Specifies which mail server should receive mail addressed to a domain. Multiple servers can be listed with a preference value. | example.com. 3600 IN MX 10 mail.example.com. |
A lower preference value means higher priority. Listing multiple servers at different priorities for redundancy is common. An MX target must point to a hostname with an A record, not a CNAME. |
| TXT record | A general-purpose record that attaches arbitrary text to a domain. Used for SPF, DKIM, and DMARC, as well as domain ownership verification and more. | example.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all" |
A domain can have multiple TXT records, but placing more than one record for the same purpose (such as SPF) causes interpretation errors — consolidate them into a single record. |
| SPF record (a type of TXT record) | Lists the servers (IP addresses) authorized to send mail on behalf of a domain, providing sender authentication that helps prevent spoofed mail. Configured as a TXT record. | example.com. 3600 IN TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com ~all" |
Only one SPF record is valid per domain. Watch out for chains of "include" mechanisms, since exceeding the 10-DNS-lookup limit causes a permanent error. The dedicated record type (RRTYPE 99) was deprecated in 2014, so SPF is expressed purely through TXT records today. |
| DKIM record (a type of TXT record) | Attaches a digital signature to outgoing mail so receivers can verify the message was not tampered with in transit and came from a legitimate sender. The public key is published as a TXT record. | selector._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..." |
The selector (the leading part of the hostname) varies by sending service. The private key stays on the sending server — only the public key is published in DNS. |
| DMARC record (a type of TXT record) | Declares, based on SPF and DKIM results, how a receiver should treat mail that fails authentication (deliver it, quarantine it, or reject it) and provides a channel for receiving aggregate reports. | _dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]" |
Starting with p=none for monitoring only, then tightening step by step to quarantine and reject once you have confirmed there are no issues, is the safe way to roll it out. |
| NS record | Identifies which servers are the authoritative DNS servers for a domain (zone) — the starting point for resolving names anywhere under it. | example.com. 86400 IN NS ns1.example-dns.com. |
If the nameservers registered with the registrar do not match the NS records inside the zone, name resolution becomes unstable (a condition known as lame delegation). |
| SOA record | Holds administrative information for a zone — the primary server, administrator email, serial number, retry intervals, and more. Every zone must have exactly one. | example.com. 86400 IN SOA ns1.example-dns.com. admin.example.com. (2026071200 3600 900 604800 86400) |
Whenever you update a zone file you must increment the serial number, otherwise secondary servers will never pick up the change (zone transfer relies on it). |
| CAA record | Restricts which certificate authorities (CAs) are permitted to issue certificates for a domain, preventing unintended CAs from issuing fraudulent certificates. | example.com. 3600 IN CAA 0 issue "letsencrypt.org" |
If a domain has no CAA record at all, any CA is considered permitted to issue for it. Wildcard certificates require a separate issuewild tag. |
| PTR record | Resolves an IP address back to a hostname — the reverse of an A record. Configured in a reverse zone (in-addr.arpa / ip6.arpa). | 1.2.0.192.in-addr.arpa. 3600 IN PTR mail.example.com. |
Many mail servers flag or reject mail from senders with no reverse PTR record or one that does not match the A record, so this is effectively a required setting for outbound mail servers. |
Tips
- If you are unsure about SPF, DKIM, or DMARC, diagnose your current records first with the "SPF/DKIM/DMARC Record Checker" tool, then compare them against the syntax examples on this page.
- A TTL of about one hour (3600 seconds) is a safe default for ordinary records; shortening it to around 300 seconds just before a DNS migration makes the cutover propagate faster, then you can raise it again afterward.
- TXT record values over 255 characters may get split into multiple strings automatically, so check that quotation marks line up correctly after copy-pasting.
- If you also want to check the format of an email address itself, the "Email Address Format Validator" tool covers that gap.
- When rolling out a new mail sending service, start DMARC at p=none, watch the reports for a week or two to confirm there are no issues, then switch to an enforcing policy — it is the safer path.
Frequently Asked Questions
Side Note — the history behind DNS records and email authentication
DNS is best known for mapping domain names to IP addresses, but in reality many more record types exist beyond A and AAAA, each with a distinct role. In the world of email delivery in particular, several records — MX, TXT (carrying SPF/DKIM/DMARC), and PTR — only add up to "legitimate, non-spoofed mail" when they all work together; missing even one raises the risk of landing in a spam folder or being rejected outright.
Looking back at the history of sender authentication, SPF was proposed in the early 2000s as a countermeasure against spam, and DKIM, aimed at detecting tampering with message content, was standardized around 2007. But neither one, on its own, defined what a receiver should actually do when authentication failed — DMARC arrived in 2012 to fill that gap. DMARC evaluates SPF and DKIM results together and provides both an enforcement policy for failures and a reporting mechanism, functioning as a kind of command center for authentication.
Some DNS records have changed shape over time for historical reasons. A dedicated record type for SPF (RRTYPE 99) was defined once in a 2006 RFC, but caused implementation confusion and was formally deprecated by RFC 7208 in 2014 — today SPF is expressed purely through TXT records. DKIM and DMARC likewise have no dedicated record type of their own; both are implemented entirely inside TXT records using a specific syntax (strings beginning with v=DKIM1 or v=DMARC1), which says a lot about how extensible DNS really is.