DNS Record Types Explained: A, AAAA, CNAME, MX, TXT & More
DNS records are the phonebook of the internet - but there are over a dozen record types, each with a very specific job. This guide explains every major DNS record type with real examples, common pitfalls, and a step-by-step lookup tutorial.
Why DNS Record Types Confuse Developers
You have a new domain. You need to point it at your server, set up email, verify it with Google, and enable HTTPS. Every one of those tasks requires a different DNS record type - and each has its own syntax, TTL considerations, and gotchas. Misconfiguring even one can silently break email delivery, expose your domain to spoofing, or cause a 24-hour outage while propagation catches up.
The problem is that most DNS documentation reads like an RFC specification. This guide takes a different approach: it explains each record type by what it actually does, when you need it, and what it looks like in the wild.
Quick Reference: All Major DNS Record Types
| Type | Purpose | Example value |
|---|---|---|
| A | Maps hostname to IPv4 address | 93.184.216.34 |
| AAAA | Maps hostname to IPv6 address | 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Alias to another hostname | www.example.com. |
| MX | Mail server with priority | 10 mail.example.com. |
| TXT | Arbitrary text (SPF, DKIM, verification) | v=spf1 include:_spf.google.com ~all |
| NS | Authoritative nameservers for the zone | ns1.example.com. |
| SOA | Zone authority and serial / refresh timers | ns1.example.com. admin.example.com. 2026032601 ... |
| SRV | Service location (priority, weight, port, host) | 10 20 5060 sip.example.com. |
| CAA | Which CAs may issue SSL certificates | 0 issue "letsencrypt.org" |
| PTR | Reverse DNS (IP to hostname) | mail.example.com. |
A Record: The Foundation of DNS
The A record (Address record) is the most fundamental DNS record. It maps a hostname to an IPv4 address. When you type example.com into your browser, the very first DNS resolution that happens is a lookup for an A record.
; Zone file syntax
example.com. 300 IN A 93.184.216.34
www.example.com. 300 IN A 93.184.216.34
The number 300 is the TTL (Time To Live) in seconds - how long resolvers cache this record. Lower TTL values give you faster failover but increase DNS query load. A common production setup uses 300–3600 seconds for stable records and drops to 60 seconds before a planned migration.
Multiple A records for the same hostname enable simple round-robin load balancing. Most DNS providers and CDNs (Cloudflare, AWS Route 53) handle this automatically with health checks and weighted routing.
AAAA Record: IPv6
The AAAA record (quad-A) does exactly what the A record does, but for IPv6 addresses. As IPv6 adoption grows, adding AAAA records alongside A records is considered best practice. Clients will prefer IPv6 when both records are present (Happy Eyeballs algorithm).
example.com. 300 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
If you are on a hosting provider that assigns an IPv6 address to your server, add a AAAA record. If not, omit it - a missing AAAA record is not an error; clients will fall back to A automatically.
CNAME Record: Aliases
A CNAME record (Canonical Name) is an alias. It points one hostname at another hostname, not an IP address. The resolving client follows the chain until it reaches an A or AAAA record.
; www is an alias for the apex domain
www.example.com. 300 IN CNAME example.com.
; CDN subdomain alias
assets.example.com. 300 IN CNAME d1234.cloudfront.net.
Critical rules for CNAME records:
- You cannot use a CNAME at the zone apex (example.com itself) - only on subdomains. This is a DNS spec limitation. Some providers offer a proprietary "CNAME flattening" or "ALIAS" record to work around this.
- A CNAME record cannot coexist with any other record for the same hostname. You cannot have both a CNAME and an MX record for mail.example.com.
- CNAME chains add latency. Keep them to one or two hops maximum.
Use CNAMEs for CDN endpoints, load balancer hostnames, and SaaS platform verification subdomains. Never use a CNAME at your zone apex.
MX Record: Email Routing
The MX record (Mail Exchanger) tells sending mail servers where to deliver email for your domain. Every MX record has a priority value - lower numbers are tried first. Multiple MX records provide redundancy.
; Google Workspace MX records
example.com. 300 IN MX 1 aspmx.l.google.com.
example.com. 300 IN MX 5 alt1.aspmx.l.google.com.
example.com. 300 IN MX 5 alt2.aspmx.l.google.com.
example.com. 300 IN MX 10 alt3.aspmx.l.google.com.
example.com. 300 IN MX 10 alt4.aspmx.l.google.com.
The MX record value must be a hostname, not an IP address. That hostname must itself have an A or AAAA record. Pointing MX directly at a CNAME is technically valid but strongly discouraged by RFC 2181 and rejected by some mail servers.
If you forget to set MX records, email to your domain will bounce immediately with a "no MX record" error. This is one of the most common DNS mistakes when setting up a new domain.
TXT Record: Verification, SPF, DKIM, DMARC
The TXT record stores arbitrary text strings. It has become the Swiss Army knife of DNS - used for domain ownership verification, email authentication, and service configuration.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which IP addresses and services are authorized to send email from your domain. Without it, anyone can forge your From address.
example.com. 300 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
The ~all is a soft fail (mark as spam but deliver). Use -all for a hard fail (reject) once you are confident all legitimate senders are listed.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails. The public key lives in a TXT record under a special subdomain.
google._domainkey.example.com. 300 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
DMARC
DMARC tells receiving servers what to do when SPF or DKIM fails (none / quarantine / reject) and where to send aggregate reports.
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
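The SPF qualifier and DMARC policy described above can be checked mechanically. The following is an added example, not code from this guide's author: it audits TXT values for the weak settings mentioned here and goes slightly further by flagging duplicate SPF records and `+all`. The function names and the sample records are constructed for illustration.

```python
def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value (the DMARC tag format) into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(txt_values):
    """Findings for the TXT values published at the domain itself."""
    spf = [t for t in txt_values if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:  # RFC 7208: several v=spf1 records are a permanent error
        return ["multiple SPF records (permerror)"]
    alls = [t for t in spf[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no terminating 'all' mechanism"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return {"-": [],
            "~": ["~all is a soft fail: forged mail may still be delivered"],
            "?": ["?all is neutral: no protection"],
            "+": ["+all authorizes every sender"]}[qualifier]

def audit_dmarc(txt_values):
    """Findings for the TXT values published at _dmarc.<domain>."""
    recs = [parse_tags(t) for t in txt_values]
    recs = [r for r in recs if r.get("v", "").upper() == "DMARC1"]
    if not recs:
        return ["no DMARC record"]
    findings, policy = [], recs[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; failures are still delivered")
    if "rua" not in recs[0]:
        findings.append("no rua= address, so no aggregate reports")
    return findings

def audit_domain(txt_by_name, domain):
    return {"spf": audit_spf(txt_by_name.get(domain, [])),
            "dmarc": audit_dmarc(txt_by_name.get("_dmarc." + domain, []))}

SAMPLE = {  # constructed sample, modeled on the records shown above
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all",
                    "google-site-verification=abc123xyz"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for check, findings in audit_domain(SAMPLE, "example.com").items():
        print(check, findings or "ok")
```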
Domain Verification
Google Search Console, AWS ACM, GitHub, and dozens of SaaS tools ask you to add a TXT record to prove you own the domain:
example.com. 300 IN TXT "google-site-verification=abc123xyz"
NS Record: Nameservers
The NS record (Nameserver) specifies which DNS servers are authoritative for a domain or subdomain zone. These are set at your domain registrar - they tell the internet's root servers where to delegate queries for your domain.
example.com. 86400 IN NS ns1.cloudflare.com.
example.com. 86400 IN NS ns2.cloudflare.com.
NS records typically have very high TTLs (86400 = 24 hours) because changing nameservers is infrequent and the whole internet needs to pick up the change. When you migrate a domain to a new DNS provider, expect up to 48 hours for full propagation.
SOA Record: Zone Authority
The SOA record (Start of Authority) is automatically created by your DNS provider and defines metadata for the zone: which nameserver is primary, an admin email address, a serial number for zone versioning, and refresh/retry/expire timers for secondary nameservers.
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
2026032601 ; Serial (YYYYMMDDnn format)
3600 ; Refresh
900 ; Retry
604800 ; Expire
300 ; Minimum TTL
)
You rarely edit the SOA directly - most DNS control panels manage it automatically. The serial number must increment on every zone change so secondary servers know to fetch an update.
SRV Record: Service Discovery
The SRV record advertises the location of a specific service - its hostname, port, priority, and weight. It is used by protocols like SIP (VoIP), XMPP (chat), and Kubernetes service discovery.
; Format: _service._proto.name TTL IN SRV priority weight port target
_sip._tcp.example.com. 300 IN SRV 10 20 5060 sip.example.com.
_xmpp-client._tcp.example.com. 300 IN SRV 5 0 5222 xmpp.example.com.
CAA Record: Certificate Authority Authorization
The CAA record is a security-focused record that specifies which Certificate Authorities are permitted to issue SSL/TLS certificates for your domain. Without a CAA record, any CA can issue a cert for your domain. With one, only the listed CAs can.
example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issuewild "letsencrypt.org"
example.com. 300 IN CAA 0 iodef "mailto:security@example.com"
Adding a CAA record is a low-effort, high-value security improvement. If you use Let's Encrypt, you only need "letsencrypt.org". If you also use DigiCert for EV certs, add both. The iodef tag sets an email address for violation reports.
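To see how a CA evaluates these records before issuing, here is an added example (not code from this guide) that applies the RFC 8659 rules to a record set. It goes beyond the text by covering the climb from a subdomain to its parent, the issuewild fallback, and the empty `";"` value. The `internal.example.com.` entry and the CA name `other-ca.example` are constructed placeholders.

```python
def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; the first name holding CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def ca_may_issue(zone, fqdn, ca_domain):
    """True if CAA permits ca_domain to issue for fqdn (RFC 8659 rules)."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    known = {"issue", "issuewild", "iodef"}
    # A CA must refuse if a tag it does not understand has the critical bit (128).
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in rrset):
        return False

    def values(wanted):
        return [v for _, tag, v in rrset if tag.lower() == wanted]

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    restricting = (values("issuewild") if wildcard else []) or values("issue")
    if not restricting:
        return True  # no CAA, or only iodef: issuance is not restricted
    # Value is "<CA domain>[; parameters]"; a bare ";" names no CA at all.
    allowed = {v.split(";")[0].strip().lower() for v in restricting}
    return ca_domain.lower() in allowed

ZONE = {  # constructed: the example.com records above plus a locked-down subdomain
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", "letsencrypt.org"),
                     (0, "iodef", "mailto:security@example.com")],
    "internal.example.com.": [(0, "issue", ";")],
}

if __name__ == "__main__":
    for name, ca in [("www.example.com.", "letsencrypt.org"),
                     ("www.example.com.", "other-ca.example"),  # hypothetical CA
                     ("vpn.internal.example.com.", "letsencrypt.org")]:
        print(name, ca, ca_may_issue(ZONE, name, ca))
```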
PTR Record: Reverse DNS
A PTR record is the reverse of an A record - it maps an IP address back to a hostname. PTR records live in special reverse-lookup zones (in-addr.arpa for IPv4) and are typically managed by your hosting provider or ISP, not your domain registrar.
; Reverse lookup for 93.184.216.34
34.216.184.93.in-addr.arpa. 3600 IN PTR example.com.
PTR records matter most for mail servers. Many receiving mail servers perform a reverse DNS check: they look up the PTR record for the sending IP and verify it matches the hostname in the SMTP HELO/EHLO greeting. Missing or mismatched PTR records cause email to land in spam or get rejected outright.
Step-by-Step: How to Look Up DNS Records
You can query DNS records from the command line or from a web tool. Here are both methods:
Using dig (Linux / macOS)
# Query A record
dig example.com A
# Query MX records
dig example.com MX
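# Query all records (many servers now give only a minimal answer to ANY, per RFC 8482; query each type you need instead)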
dig example.com ANY
# Query a specific nameserver
dig @8.8.8.8 example.com TXT
# Short output (just the answer)
dig example.com A +short
Using nslookup (Windows / cross-platform)
nslookup -type=MX example.com
nslookup -type=TXT example.com 8.8.8.8
Using our free DNS Lookup tool
No terminal needed. Our DNS Lookup tool queries all record types for any domain in your browser, with clean formatted output and TTL display.
Common DNS Mistakes and How to Avoid Them
- Forgetting the trailing dot in zone files: example.com is relative to the zone origin; example.com. (with trailing dot) is absolute. Most web UIs handle this for you, but zone file imports do not.
- Using a CNAME at the apex: You cannot CNAME example.com itself. Use an ALIAS / ANAME record (Cloudflare, Route 53) or point directly to an IP with an A record.
- Setting TTL too high before a migration: If your A record has a 24-hour TTL and you need to change your IP, lower the TTL to 60 seconds at least 24 hours before the change.
- Missing SPF/DKIM: Every domain that sends email needs both. Without them, your messages will land in spam even if your content is legitimate.
- Pointing MX at a CNAME: The MX record value must resolve directly to an A/AAAA record. Using a CNAME as the MX target violates RFC 2181 and breaks some mail servers.
- Confusing propagation with caching: DNS propagation is not a monolithic event - different resolvers pick up changes at different times based on cached TTLs. There is no global "DNS propagation complete" event.
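Several of these mistakes, along with the CNAME rules listed earlier, can be caught before a zone file is imported. The linter below is an added example, not part of the original guide: it handles only one-line `name TTL IN TYPE rdata` records, and the function names and the sample zone are constructed for illustration.

```python
from collections import defaultdict

def parse_zone(text):
    """Parse one-line 'name TTL IN TYPE rdata' records; ';' starts a comment.
    A ';' inside quoted TXT data is cut as well, which is harmless here
    because only record types and CNAME/MX/NS targets are inspected."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records.append((fields[0].lower(), fields[3].upper(), " ".join(fields[4:])))
    return records

def lint_zone(text, apex):
    """Return findings for apex CNAMEs, CNAME coexistence, MX-to-CNAME targets
    and targets that lack the trailing dot."""
    records = parse_zone(text)
    types = defaultdict(set)
    for name, rtype, _ in records:
        types[name].add(rtype)
    findings = []
    for name, rtypes in sorted(types.items()):
        if "CNAME" in rtypes and name == apex:
            findings.append(f"{name}: CNAME at zone apex")
        if "CNAME" in rtypes and len(rtypes) > 1:
            others = ", ".join(sorted(rtypes - {"CNAME"}))
            findings.append(f"{name}: CNAME coexists with {others}")
    for name, rtype, rdata in records:
        if rtype in ("CNAME", "MX", "NS"):
            target = rdata.split()[-1].lower()
            if not target.endswith("."):
                findings.append(f"{name}: {rtype} target '{target}' lacks trailing dot")
            elif rtype == "MX" and "CNAME" in types.get(target, ()):
                findings.append(f"{name}: MX target {target} is a CNAME")
    return findings

BAD_ZONE = """\
; constructed sample zone containing the mistakes listed above
example.com.        300 IN CNAME lb.example.net.
example.com.        300 IN MX 10 mail.example.com.
mail.example.com.   300 IN CNAME mailhost.example.net.
www.example.com.    300 IN CNAME example.com
assets.example.com. 300 IN CNAME d1234.cloudfront.net.
"""

if __name__ == "__main__":
    for finding in lint_zone(BAD_ZONE, "example.com."):
        print(finding)
```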
Frequently Asked Questions
What is the difference between an A record and a CNAME record?
An A record maps a hostname directly to an IP address. A CNAME maps a hostname to another hostname, which is then resolved to an IP. Use A records when you know the IP. Use CNAME when pointing to a service whose IP may change (CDNs, load balancers, SaaS platforms).
Can I have multiple A records for the same domain?
Yes. Multiple A records for the same hostname is called round-robin DNS. Queries return all records and clients typically try them in order or randomly. It is a primitive form of load balancing without health checks - if one IP goes down, some clients will still route to it until TTL expires.
How long does DNS propagation take?
Propagation time equals the TTL of the old record. If your A record had a 3600-second (1-hour) TTL, resolvers that cached it will serve the old value for up to 1 hour after you make the change. Lower your TTL before planned migrations to speed up propagation.
What TXT records do I need for email to not land in spam?
You need all three: SPF (authorizes your sending IPs), DKIM (signs outgoing messages), and DMARC (tells receivers what to do with failures). Without all three, major providers like Gmail and Microsoft 365 will either spam-filter or reject your messages.
What is the difference between NS records at the registrar and in my zone?
Your domain registrar holds NS records in the global root/TLD zone - these tell the world which nameservers are authoritative for your domain. Your own zone file also has NS records as an internal reference. Both must match or resolution breaks.
Do I need a CAA record?
It is not mandatory but strongly recommended. CAA records prevent unauthorized Certificate Authorities from issuing SSL certificates for your domain, which is a real attack vector. Setup takes 30 seconds and is free.
Usman has 10+ years of experience securing enterprise infrastructure, managing high-traffic servers, and building zero-knowledge security tools.