DNS Records Explained: A, MX, TXT and Beyond

DNS is the phone book of the internet. When you type a domain name, DNS translates it to an IP address your browser can connect to.

But DNS does much more than simple name-to-address mapping. It controls where your email goes, verifies your domain ownership, and enables features like load balancing and failover.

How DNS Works

When you visit example.com:

  1. Your browser asks a DNS resolver for the IP address
  2. The resolver checks its cache; if empty, it queries root servers
  3. Root servers direct to .com TLD servers
  4. TLD servers direct to example.com’s authoritative nameservers
  5. Authoritative servers return the IP address
  6. Your browser connects to that IP

This happens in milliseconds, and the result is usually cached at multiple levels.

Essential Record Types

A Record (Address)

Maps a domain to an IPv4 address:

example.com.     A     192.0.2.1
www.example.com. A     192.0.2.1

You can have multiple A records for the same domain (load balancing):

example.com.     A     192.0.2.1
example.com.     A     192.0.2.2

AAAA Record (IPv6 Address)

Maps a domain to an IPv6 address:

example.com.     AAAA  2001:db8::1

With IPv6 adoption growing, adding AAAA records future-proofs your domain.

CNAME Record (Canonical Name)

Points one domain to another:

www.example.com.     CNAME     example.com.
blog.example.com.    CNAME     example.github.io.

When resolving a CNAME, the resolver follows the chain until it reaches an address record (A or AAAA).

Restrictions:

  • Cannot be used at the root domain (example.com)
  • Cannot coexist with other records for the same name
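
Both restrictions can be checked mechanically before a zone is published. The following is an added example, not code from the original article: the function name `lint_cnames` and the sample zone are constructed for illustration, and owner names are assumed to be fully qualified. It goes slightly beyond the text by exempting the DNSSEC record types RRSIG and NSEC, which are allowed to share a name with a CNAME.

```python
from collections import defaultdict

# Constructed sample zone in the article's "name [ttl] type rdata" layout.
SAMPLE_ZONE = """
example.com.       A      192.0.2.1
example.com.       CNAME  example.github.io.
www.example.com.   CNAME  example.com.
blog.example.com.  CNAME  example.github.io.
blog.example.com.  TXT    "v=spf1 -all"
app.example.com.   300    CNAME  myapp.herokuapp.com.
"""

DNSSEC_TYPES = {"RRSIG", "NSEC"}  # permitted beside a CNAME


def lint_cnames(zone_text, apex):
    """Return a sorted list of (owner, problem) for CNAME rule violations."""
    apex = apex.lower().rstrip(".") + "."
    types_by_name = defaultdict(list)
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # only name/ttl/type are needed
        if len(fields) < 3:
            continue
        name = fields[0].lower()
        # Skip the optional numeric TTL column.
        rtype = fields[2] if fields[1].isdigit() else fields[1]
        types_by_name[name].append(rtype.upper())

    problems = []
    for name, types in types_by_name.items():
        if "CNAME" not in types:
            continue
        if name == apex:
            problems.append((name, "CNAME at zone apex"))
        others = sorted(set(types) - {"CNAME"} - DNSSEC_TYPES)
        if others:
            problems.append((name, "CNAME coexists with " + ",".join(others)))
        if types.count("CNAME") > 1:
            problems.append((name, "multiple CNAME records"))
    return sorted(problems)


if __name__ == "__main__":
    for owner, problem in lint_cnames(SAMPLE_ZONE, "example.com"):
        print(owner, "->", problem)
```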

MX Record (Mail Exchange)

Specifies mail servers for your domain:

example.com.     MX    10 mail1.example.com.
example.com.     MX    20 mail2.example.com.

The number is priority—lower is preferred. If mail1 is unavailable, senders try mail2.

TXT Record (Text)

Stores arbitrary text, commonly used for:

  • SPF: Email sender verification
  • DKIM: Email signature verification
  • DMARC: Email authentication policy
  • Domain verification: Proving you own a domain

example.com.     TXT   "v=spf1 include:_spf.google.com ~all"
example.com.     TXT   "google-site-verification=abc123..."

NS Record (Name Server)

Delegates DNS for a domain to specific nameservers:

example.com.     NS    ns1.provider.com.
example.com.     NS    ns2.provider.com.

These are set at your domain registrar.

SOA Record (Start of Authority)

Contains metadata about the DNS zone:

example.com.     SOA   ns1.example.com. admin.example.com. (
                       2024020801 ; Serial
                       7200       ; Refresh
                       3600       ; Retry
                       1209600    ; Expire
                       86400 )    ; Minimum TTL

You rarely edit this directly—your DNS provider manages it.

CAA Record (Certificate Authority Authorization)

Specifies which CAs can issue SSL/TLS certificates for your domain:

example.com.     CAA   0 issue "letsencrypt.org"
example.com.     CAA   0 issuewild "letsencrypt.org"

Certificate authorities check this record before issuing and must refuse if they are not listed, which prevents unauthorized certificate issuance.

Common DNS Configurations

Basic Website

example.com.       A      192.0.2.1
www.example.com.   CNAME  example.com.

Website with Email (Google Workspace)

example.com.       A      192.0.2.1
example.com.       MX     1 aspmx.l.google.com.
example.com.       MX     5 alt1.aspmx.l.google.com.
example.com.       TXT    "v=spf1 include:_spf.google.com ~all"

Subdomain for App/Service

app.example.com.   CNAME  myapp.herokuapp.com.
api.example.com.   A      198.51.100.1

Email Authentication Records

example.com.                    TXT    "v=spf1 include:_spf.google.com ~all"
google._domainkey.example.com.  TXT    "v=DKIM1; k=rsa; p=MIIBIj..."
_dmarc.example.com.             TXT    "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
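
A quick audit of SPF and DMARC TXT records like the ones above, written as an added example rather than code from the original article. The function name `audit_email_auth`, the report address `dmarc@example.com` and the `WEAK` record set are constructed for illustration.

```python
def audit_email_auth(domain, txt):
    """txt maps owner name -> list of TXT strings; returns (level, message) pairs."""
    out = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        out.append(("warn", f"SPF: expected 1 record, found {len(spf)}"))
    else:
        terms = spf[0].lower().split()[1:]
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        if not alls:
            if not any(t.startswith("redirect=") for t in terms):
                out.append(("warn", "SPF: no 'all' term, unlisted senders are neutral"))
        elif alls[0] in ("all", "+all"):
            out.append(("warn", "SPF: +all authorizes every sender"))
        elif alls[0] in ("~all", "?all"):
            out.append(("info", f"SPF: {alls[0]} does not hard-fail; -all is strict"))

    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        out.append(("warn", f"DMARC: expected 1 record, found {len(dmarc)}"))
    else:
        tags = {}
        for part in dmarc[0].split(";"):
            key, sep, value = part.partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip()
        policy = tags.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            out.append(("warn", f"DMARC: missing or invalid p= ({policy!r})"))
        elif policy == "none":
            out.append(("warn", "DMARC: p=none only monitors, failing mail is delivered"))
        if "rua" not in tags:
            out.append(("info", "DMARC: no rua=, no aggregate reports will arrive"))
    return out


# The article's records (report address constructed) and a constructed weak set.
ARTICLE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}
WEAK = {
    "example.com": ["v=spf1 include:_spf.google.com ~all", "v=spf1 +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, records in (("article", ARTICLE), ("weak", WEAK)):
        print(label, audit_email_auth("example.com", records))
```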

TTL: Time to Live

Each record has a TTL in seconds—how long it can be cached:

example.com.     300    A    192.0.2.1

Lower TTL (60-300s):

  • Changes propagate faster
  • More DNS queries
  • Good before planned changes

Higher TTL (3600-86400s):

  • Better performance (more caching)
  • Changes take longer to propagate
  • Good for stable records

Strategy: Lower TTL before changes, raise it after.

DNS Propagation

When you change DNS records, the update doesn’t happen instantly. Cached records must expire based on their TTL.

Propagation time depends on:

  • Previous TTL of the record
  • Caching at various levels (ISP, local resolver)
  • Geographic distribution

Maximum theoretical time is the old TTL, but caches vary. Plan 24-48 hours for complete global propagation.

Troubleshooting DNS

Common Issues

Website not loading:

  • Check A record points to correct IP
  • Verify nameservers are set correctly
  • Ensure DNS has propagated

Email not working:

  • Verify MX records exist and point to valid mail servers
  • Check SPF/DKIM/DMARC for deliverability issues
  • Confirm mail server is running

Subdomain not working:

  • Check A or CNAME record exists
  • Verify the target is correct
  • Look for typos in record values

Checking DNS Records

You can query DNS from the command line:

# Query A records
dig example.com A

# Query MX records
dig example.com MX

# Query all records (many servers now give only a minimal answer to ANY, see RFC 8482)
dig example.com ANY

# Query specific nameserver
dig @8.8.8.8 example.com

Or use our DNS Lookup tool to check all record types at once:

  • View A, AAAA, MX, TXT, NS, CNAME, SOA, and CAA records
  • Identify SPF, DKIM, and DMARC configurations
  • See TTL values
  • No command line needed

Security Considerations

DNSSEC

DNS Security Extensions (DNSSEC) add cryptographic signatures to DNS records so that validating resolvers can reject spoofed answers. Enable it at your registrar if available.

CAA Records

CAA records limit which certificate authorities can issue certificates for your domain, which prevents unauthorized HTTPS certificates.
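
How a certificate authority evaluates the CAA records described here and in the CAA Record section earlier, following the lookup rules of RFC 8659. This is an added example, not code from the original article: the function names, the sample record set and the CA name `ca.example.net` are constructed for illustration.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA data: owner name -> list of (flags, tag, value).
SAMPLE_CAA = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "internal.example.com.": [(0, "issue", ";")],
}


def relevant_caa(name, caa):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def ca_may_issue(ca_domain, name, caa):
    """True if CAA permits ca_domain to issue for name ('*.x' is a wildcard)."""
    wildcard = name.startswith("*.")
    rrset = [(f, t.lower(), v) for f, t, v in
             relevant_caa(name[2:] if wildcard else name, caa)]
    # An unknown tag with the critical bit (128) set forbids issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True  # no restricting property: CAA places no limit
    ca = ca_domain.lower()
    # A value of ";" (empty issuer) matches no CA at all.
    return any(v.split(";")[0].strip().lower() == ca for v in allowed)


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"),
                     ("ca.example.net", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"),
                     ("letsencrypt.org", "db.internal.example.com"),
                     ("ca.example.net", "example.org")]:
        print(ca, name, ca_may_issue(ca, name, SAMPLE_CAA))
```

A name with no CAA record anywhere up the tree is unrestricted, which is why the record belongs at the apex of every domain you control.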

Private Information

TXT records are public. Don’t put sensitive data in them—verification tokens are fine, API keys are not.

DNS Provider Features

Modern DNS providers offer features beyond basic records:

  • Anycast DNS: Faster resolution from global locations
  • Health checks: Automatic failover if servers go down
  • GeoDNS: Different responses based on user location
  • Load balancing: Distribute traffic across servers

Popular DNS providers: Cloudflare, Route 53, Google Cloud DNS, NS1.

Take Action

  1. Use our DNS Lookup to review your current configuration
  2. Verify MX records if using email
  3. Check for SPF, DKIM, and DMARC records (use our Email Deliverability Checker)
  4. Consider adding CAA records for certificate security

For help with DNS configuration or domain setup, reach out.