What you need to know about the Domain Name System and the record types it contains
The internet uses DNS (Domain Name System) to direct users from a domain address to the IP address of servers the domain uses. DNS is often viewed as a type of phone book for the internet: When a domain changes services, the phone book is updated. DNS contains multiple record types related to the services being used, including email delivery (MX), in which providers are authorized to send mail from a domain (SPF), and digital signatures that prove a message was not tampered with during delivery (DKIM). Additionally, nameserver records (NS) is the server or service that hosts all DNS records for a domain. These various DNS records are publicly available by design and can often cause email delivery issues.
MX, or Mail Exchange records, tell email senders where the messages should be delivered. It is best practice to have one MX service published on DNS. Publishing multiple competing MX service providers for one domain can cause issues. For example, if one email exchange is busy processing messages, messages can be directed to another email exchange record, which could be for a separate email provider entirely. This can also result in conflicting and competing rules and email follows that direct the message along its path until it reaches the recipient’s inbox.
An example of MX records for Google properly configured:
SPF (Sender-Policy Framework) records dictate the email service providers permitted to send messages using a domain’s address. This TXT record type is a basic security measure to prevent spoofing – when a malicious actor sends messages that appear to come from a known contact or domain. When a message is received, an email provider checks the message header for confirmation the message was received from a service that is permitted to send on-behalf, using the domain name as a “from” address in the domain. It is best practice to have 10 or fewer DNS lookups (including sub lookups) on an SPF record. Techniques exist to allow more than 10 email service providers to send on behalf of a domain (but that is out of scope for this article).
An example of SPF records for Google Workspace properly configured:
DKIM records, or DomainKeys Identified Mail, is a type of digital signature applied to the email headers that allow a sender to claim responsibility for a message in a way that is validated by the recipients. All messages sent from an email service have the DKIM signature attached as proof the message was not tampered with during the delivery process. DKIM records should be configured for each service mentioned in the SPF record.
An example of DKIM records for Google Workspace:
A fourth record type is DMARC, or Domain-based Message Authentication Reporting and Conformance. This type of DNS record tells receiving email servers how to handle messages sent from a domain when the messages fail SPF and/or DKIM checks. DMARC is out of scope for this article, but it is important to consider when implementing the best email security practices.
An example of DMARC records for Google Workspace:
NS (nameserver) records is the service that hosts all DNS records for a domain. It is common to have multiple NS records from a provider published for redundancy. Nameservers get changed when moving a domain between DNS hosting providers, and this type of change can take several hours to complete as the changes propagate the internet. The new DNS provider needs to be configured with the previously mentioned records. Failure to do so can result in previously configured DNS records being removed from public DNS lookups, and leading to email delivery issues.
An example of DNS Nameserver records:
For further information on DNS records, check out the articles below:
- CloudFlare:What is a DNS MX Record
- CloudFlare: What is a DNS SPF Record
- CloudFlare: What is DKIM
- CloudFlare: What is a DMARC Record
- CloudFlare: What is a DNS NS record