DNS Records Explained: A, MX, TXT and Beyond
DNS is the phone book of the internet. When you type a domain name, DNS translates it to an IP address your browser can connect to.
But DNS does much more than simple name-to-address mapping. It controls where your email goes, verifies your domain ownership, and enables features like load balancing and failover.
How DNS Works
When you visit example.com:
- Your browser asks a DNS resolver for the IP address
- The resolver checks its cache; if empty, it queries root servers
- Root servers direct to .com TLD servers
- TLD servers direct to example.com’s authoritative nameservers
- Authoritative servers return the IP address
- Your browser connects to that IP
This happens in milliseconds, usually cached at multiple levels.
Essential Record Types
A Record (Address)
Maps a domain to an IPv4 address:
example.com. A 192.0.2.1
www.example.com. A 192.0.2.1
You can have multiple A records for the same domain (load balancing):
example.com. A 192.0.2.1
example.com. A 192.0.2.2
AAAA Record (IPv6 Address)
Maps a domain to an IPv6 address:
example.com. AAAA 2001:db8::1
With IPv6 adoption growing, adding AAAA records future-proofs your domain.
CNAME Record (Canonical Name)
Points one domain to another:
www.example.com. CNAME example.com.
blog.example.com. CNAME example.github.io.
When resolving a CNAME, DNS follows the chain until it reaches an address record (A or AAAA).
Restrictions:
- Cannot be used at the root domain (example.com)
- Cannot coexist with other records for the same name
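A zone check for the two CNAME restrictions above, as an added example that is not part of the original article. The sample zone is constructed, `parse_zone` and `lint_cnames` are hypothetical helper names, and the parser assumes one record per line in the layout used on this page.

```python
from collections import defaultdict

# Constructed sample zone in the page's "name [ttl] type rdata" layout.
SAMPLE_ZONE = """\
example.com.       A      192.0.2.1
example.com.       CNAME  example.github.io.
www.example.com.   CNAME  example.com.
blog.example.com.  CNAME  example.github.io.
blog.example.com.  TXT    "google-site-verification=abc123"
api.example.com.   300 A  198.51.100.1
"""

# Types DNSSEC legitimately places beside a CNAME (RFC 4035).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def parse_zone(text):
    """Yield (owner, rtype, rdata) from one-record-per-line zone text."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue                      # blank line or comment
        owner = parts.pop(0).lower()
        if parts[0].isdigit():
            parts.pop(0)                  # optional TTL column
        yield owner, parts[0].upper(), " ".join(parts[1:])


def lint_cnames(zone_text, apex):
    """Return (owner, problem) pairs for CNAMEs that break the two rules."""
    types_at = defaultdict(set)
    for owner, rtype, _ in parse_zone(zone_text):
        types_at[owner].add(rtype)
    findings = []
    for owner in sorted(types_at):
        types = types_at[owner]
        if "CNAME" not in types:
            continue
        if owner == apex.lower():
            findings.append((owner, "CNAME at zone apex"))
        extra = sorted(types - ALLOWED_WITH_CNAME)
        if extra:
            findings.append((owner, "CNAME coexists with " + ",".join(extra)))
    return findings


if __name__ == "__main__":
    for owner, problem in lint_cnames(SAMPLE_ZONE, "example.com."):
        print(f"{owner:20} {problem}")
```

The apex rule follows from the coexistence rule: the zone apex always carries SOA and NS records, so a CNAME there can never stand alone.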
MX Record (Mail Exchange)
Specifies mail servers for your domain:
example.com. MX 10 mail1.example.com.
example.com. MX 20 mail2.example.com.
The number is priority—lower is preferred. If mail1 is unavailable, senders try mail2.
TXT Record (Text)
Stores arbitrary text, commonly used for:
- SPF: Email sender verification
- DKIM: Email signature verification
- DMARC: Email authentication policy
- Domain verification: Proving you own a domain
example.com. TXT "v=spf1 include:_spf.google.com ~all"
example.com. TXT "google-site-verification=abc123..."
NS Record (Name Server)
Delegates DNS for a domain to specific nameservers:
example.com. NS ns1.provider.com.
example.com. NS ns2.provider.com.
These are set at your domain registrar.
SOA Record (Start of Authority)
Contains metadata about the DNS zone:
example.com. SOA ns1.example.com. admin.example.com. (
2024020801 ; Serial
7200 ; Refresh
3600 ; Retry
1209600 ; Expire
86400 ) ; Minimum TTL
You rarely edit this directly—your DNS provider manages it.
CAA Record (Certificate Authority Authorization)
Specifies which CAs can issue SSL certificates for your domain:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
This prevents unauthorized certificate issuance.
Common DNS Configurations
Basic Website
example.com. A 192.0.2.1
www.example.com. CNAME example.com.
Website with Email (Google Workspace)
example.com. A 192.0.2.1
example.com. MX 1 aspmx.l.google.com.
example.com. MX 5 alt1.aspmx.l.google.com.
example.com. TXT "v=spf1 include:_spf.google.com ~all"
Subdomain for App/Service
app.example.com. CNAME myapp.herokuapp.com.
api.example.com. A 198.51.100.1
Email Authentication Records
example.com. TXT "v=spf1 include:_spf.google.com ~all"
google._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIj..."
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
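An audit of the SPF and DMARC records above, as an added example that is not part of the original article. `audit_email_auth` and `parse_tags` are hypothetical names, owner names are written without the trailing dot, the `rua` address is a constructed placeholder, and `WEAK_TXT` is a constructed configuration for comparison.

```python
# Records from the page; the rua address is a constructed placeholder.
PAGE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ~all",
                    "google-site-verification=abc123..."],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; "
                           "rua=mailto:dmarc-reports@example.com"],
}
# Constructed weak configuration for comparison.
WEAK_TXT = {
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_email_auth(domain, txt):
    """txt maps owner name -> TXT strings. Returns SPF/DMARC posture and issues."""
    issues, qualifier = [], None
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: none means no SPF policy, more than one is a permerror.
        issues.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        for term in spf[0].lower().split()[1:]:
            if term.lstrip("+-~?") == "all":
                qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier is None and "redirect=" not in spf[0].lower():
            issues.append("SPF: no 'all' mechanism, unlisted senders get neutral")
        elif qualifier in ("+", "?"):
            issues.append(f"SPF: '{qualifier}all' does not reject unlisted senders")
    dmarc = [r for r in txt.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    tags = parse_tags(dmarc[0]) if len(dmarc) == 1 else None
    policy = tags.get("p", "").lower() if tags else None
    if tags is None:
        issues.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    elif policy == "none":
        issues.append("DMARC: p=none only monitors, failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("DMARC: missing or invalid p= tag")
    if tags is not None and "rua" not in tags:
        issues.append("DMARC: no rua= address, aggregate reports are not collected")
    return {"spf_all": qualifier, "dmarc_policy": policy, "issues": issues}

if __name__ == "__main__":
    print(audit_email_auth("example.com", PAGE_TXT))
```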
TTL: Time to Live
Each record has a TTL in seconds—how long it can be cached:
example.com. 300 A 192.0.2.1
Lower TTL (60-300s):
- Changes propagate faster
- More DNS queries
- Good before planned changes
Higher TTL (3600-86400s):
- Better performance (more caching)
- Changes take longer to propagate
- Good for stable records
Strategy: Lower TTL before changes, raise it after.
DNS Propagation
When you change DNS records, the update doesn’t happen instantly. Cached records must expire based on their TTL.
Propagation time depends on:
- Previous TTL of the record
- Caching at various levels (ISP, local resolver)
- Geographic distribution
Maximum theoretical time is the old TTL, but caches vary. Plan 24-48 hours for complete global propagation.
Troubleshooting DNS
Common Issues
Website not loading:
- Check A record points to correct IP
- Verify nameservers are set correctly
- Ensure DNS has propagated
Email not working:
- Verify MX records exist and point to valid mail servers
- Check SPF/DKIM/DMARC for deliverability issues
- Confirm mail server is running
Subdomain not working:
- Check A or CNAME record exists
- Verify the target is correct
- Look for typos in record values
Checking DNS Records
You can query DNS from the command line:
# Query A records
dig example.com A
# Query MX records
dig example.com MX
# Query all records (many servers give only a minimal answer to ANY per RFC 8482; query each type for a complete view)
dig example.com ANY
# Query specific nameserver
dig @8.8.8.8 example.com
Or use our DNS Lookup tool to check all record types at once:
- View A, AAAA, MX, TXT, NS, CNAME, SOA, and CAA records
- Identify SPF, DKIM, and DMARC configurations
- See TTL values
- No command line needed
Security Considerations
DNSSEC
DNS Security Extensions add cryptographic signatures to DNS records, preventing spoofing. Enable at your registrar if available.
CAA Records
Limit which certificate authorities can issue certs for your domain. Prevents unauthorized HTTPS certificates.
Private Information
TXT records are public. Don’t put sensitive data in them—verification tokens are fine, API keys are not.
DNS Provider Features
Modern DNS providers offer features beyond basic records:
- Anycast DNS: Faster resolution from global locations
- Health checks: Automatic failover if servers go down
- GeoDNS: Different responses based on user location
- Load balancing: Distribute traffic across servers
Popular DNS providers: Cloudflare, Route 53, Google Cloud DNS, NS1.
Take Action
- Use our DNS Lookup to review your current configuration
- Verify MX records if using email
- Check for SPF, DKIM, and DMARC records (use our Email Deliverability Checker)
- Consider adding CAA records for certificate security
For help with DNS configuration or domain setup, reach out.