DNS Records Explained — A, AAAA, CNAME, MX, TXT and More

Learn what DNS records are, how they work, and when to use each type. Covers A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, and CAA records with practical examples.

Andreas · April 16, 2026 · 10 min read

Introduction

Every time you type a domain name in your browser, DNS (Domain Name System) translates it into an IP address. But DNS does much more than simple name-to-IP lookups. It handles email routing, domain verification, security policies, and service discovery through different record types.

If you've ever stared at a DNS management panel wondering what a CNAME is or why your email isn't working after a domain migration, this guide is for you.

How DNS Works (The 30-Second Version)

  1. You type example.com in your browser
  2. Your computer asks a DNS resolver (usually your ISP's or Cloudflare's 1.1.1.1)
  3. The resolver queries the root servers → .com TLD servers → example.com's authoritative name servers
  4. The name server returns the IP address for example.com
  5. Your browser connects to that IP address

This happens in milliseconds, and the results are cached at multiple levels so subsequent requests are even faster. You can check the current DNS records for any domain using a DNS lookup tool.

A Record (Address)

The most fundamental record type. An A record maps a domain name to an IPv4 address.

example.com.    A    93.184.216.34

When someone visits example.com, the DNS resolver returns 93.184.216.34 and the browser connects there. You can have multiple A records for the same domain (round-robin DNS) to distribute traffic across servers:

example.com.    A    93.184.216.34
example.com.    A    93.184.216.35

When to Use

  • Pointing your domain to a web server
  • Pointing subdomains to specific servers (api.example.com → 10.0.1.5)

AAAA Record (IPv6 Address)

Same as an A record, but for IPv6 addresses:

example.com.    AAAA    2606:2800:220:1:248:1893:25c8:1946

As the internet transitions to IPv6, you should have both A and AAAA records for your domain. Most DNS providers make this easy. If your host supports IPv6, add the AAAA record alongside your A record.

CNAME Record (Canonical Name)

A CNAME is an alias. It points one domain name to another domain name, not to an IP address.

www.example.com.    CNAME    example.com.
blog.example.com.   CNAME    mysite.netlify.app.

When someone visits www.example.com, DNS first resolves the CNAME to example.com, then resolves example.com to its A record IP address.

Rules and Gotchas

  • You cannot have a CNAME at the zone apex (example.com itself). The CNAME must be on a subdomain (www.example.com, blog.example.com). This is why some DNS providers offer ALIAS or ANAME records as a workaround.
  • You cannot have a CNAME alongside other record types for the same name (no CNAME + MX for the same subdomain).
  • CDNs and PaaS providers (Netlify, Vercel, Heroku) typically ask you to create a CNAME pointing to their servers.

MX Record (Mail Exchange)

MX records tell the internet where to deliver email for your domain:

example.com.    MX    10    mail1.example.com.
example.com.    MX    20    mail2.example.com.

The number (10, 20) is the priority — lower numbers are tried first. If mail1 is down, email falls back to mail2. If you use Google Workspace, your MX records point to Google's mail servers:

example.com.    MX    1     aspmx.l.google.com.
example.com.    MX    5     alt1.aspmx.l.google.com.
example.com.    MX    10    alt2.aspmx.l.google.com.

Common MX Mistakes

  • Forgetting to add MX records after a domain migration (email stops working)
  • Pointing MX records to a CNAME (not allowed — MX must point to an A/AAAA record)
  • Setting all priorities to the same number (defeats the failover purpose)
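
The CNAME rules and the MX mistakes listed above can be checked mechanically before a zone is published. The linter below is an added example, not code from the original article; the record tuples, rule names and the `lint_zone` helper are assumptions made for illustration, and the sample zone is constructed to break each rule once.

```python
from collections import defaultdict

# Constructed sample zone as (owner, type, rdata) tuples; it breaks the rules on purpose.
SAMPLE_ZONE = [
    ("example.com.", "CNAME", "mysite.netlify.app."),
    ("example.com.", "MX", "10 mail1.example.com."),
    ("example.com.", "MX", "10 mail2.example.com."),
    ("mail1.example.com.", "CNAME", "mx.provider.example."),
    ("mail2.example.com.", "A", "93.184.216.35"),
    ("www.example.com.", "CNAME", "example.com."),
]

# DNSSEC metadata is the one thing allowed to share a name with a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

def lint_zone(apex, records):
    """Return sorted (rule, owner) findings for the CNAME and MX rules."""
    types_at = defaultdict(set)
    mx_at = defaultdict(list)
    for owner, rtype, rdata in records:
        owner, rtype = owner.lower(), rtype.upper()
        types_at[owner].add(rtype)
        if rtype == "MX":
            priority, target = rdata.split()
            mx_at[owner].append((int(priority), target.lower()))
    findings = set()
    for owner, types in types_at.items():
        if "CNAME" not in types:
            continue
        if owner == apex.lower():
            findings.add(("cname-at-apex", owner))
        if types - ALLOWED_WITH_CNAME:
            findings.add(("cname-with-other-types", owner))
    for owner, entries in mx_at.items():
        for _, target in entries:
            # Only targets inside this zone can be checked without a live lookup.
            if "CNAME" in types_at.get(target, ()):
                findings.add(("mx-target-is-cname", target))
        if len(entries) > 1 and len({p for p, _ in entries}) == 1:
            findings.add(("mx-equal-priorities", owner))
    return sorted(findings)
```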

TXT Record (Text)

A TXT record holds arbitrary text. It's used for domain verification, email authentication, and security policies:

example.com.    TXT    "v=spf1 include:_spf.google.com ~all"
example.com.    TXT    "google-site-verification=abc123..."

Common Uses

SPF (Sender Policy Framework): Specifies which mail servers can send email on behalf of your domain. Without SPF, anyone can spoof your domain in the From address.

DKIM (DomainKeys Identified Mail): Contains a public key used to verify email signatures. The sending server signs outgoing emails with a private key, and receiving servers check the DKIM TXT record.

DMARC: Tells receiving mail servers what to do with email that fails SPF/DKIM checks (reject, quarantine, or allow).

Domain verification: Services like Google Search Console, Microsoft 365, and Let's Encrypt use TXT records to prove you own a domain.
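
To see whether a domain's SPF and DMARC records actually restrict who can send as it, the TXT strings can be audited directly. The following is an added example, not code from the original article; the finding names and the `audit_mail_auth` helper are assumptions, the DMARC strings in the usage are constructed, and the input is TXT data you have already fetched for the domain and for its `_dmarc` subdomain.

```python
# SPF terms that each cost one DNS lookup; receivers stop evaluating after 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(record):
    """Parse a 'k=v; k=v' policy string (the DMARC layout) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit_mail_auth(apex_txt, dmarc_txt):
    """Return findings for SPF (TXT at the domain) and DMARC (TXT at _dmarc.<domain>)."""
    findings = []
    spf = [t for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # More than one SPF record is a permanent error for receivers.
        findings.append("spf-missing" if not spf else "spf-multiple-records")
    else:
        terms = [t.lower() for t in spf[0].split()[1:]]
        names = [t.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0]
                 for t in terms]
        if sum(name in LOOKUP_TERMS for name in names) > 10:
            findings.append("spf-over-10-dns-lookups")
        all_terms = [t for t, name in zip(terms, names) if name == "all"]
        if not all_terms and "redirect" not in names:
            findings.append("spf-no-all")
        elif all_terms:
            # A bare "all" has an implicit "+" qualifier, i.e. everyone passes.
            first = all_terms[0][0]
            qualifier = first if first in "+-~?" else "+"
            if qualifier in "+?":
                findings.append("spf-all-not-restrictive")
    dmarc = [parse_tags(t) for t in dmarc_txt
             if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("dmarc-missing" if not dmarc else "dmarc-multiple-records")
    elif dmarc[0].get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("dmarc-not-enforcing")
    return findings

# The article's TXT records with a constructed DMARC record in monitoring mode.
ARTICLE_TXT = ['v=spf1 include:_spf.google.com ~all', 'google-site-verification=abc123...']
print(audit_mail_auth(ARTICLE_TXT, ['v=DMARC1; p=none; rua=mailto:dmarc@example.com']))
```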

NS Record (Name Server)

NS records declare which name servers are authoritative for a domain:

example.com.    NS    ns1.dnshost.com.
example.com.    NS    ns2.dnshost.com.

You usually set these at your domain registrar when you want a different DNS provider to manage your records. For example, if you register a domain at Namecheap but want Cloudflare to handle DNS, you change the NS records to point to Cloudflare's name servers.

SOA Record (Start of Authority)

Every DNS zone has exactly one SOA record. It contains administrative information:

example.com.    SOA    ns1.dnshost.com. admin.example.com. (
                    2024041601  ; Serial number
                    3600        ; Refresh (1 hour)
                    900         ; Retry (15 min)
                    1209600     ; Expire (2 weeks)
                    86400       ; Minimum TTL (1 day)
                )

You rarely need to edit the SOA record directly — your DNS provider manages it. But the serial number is worth knowing about: it must increment whenever you change any record, signaling to secondary name servers that they need to sync.

SRV Record (Service)

SRV records specify the location of a specific service. They include the hostname, port, priority, and weight:

_sip._tcp.example.com.    SRV    10 60 5060 sip.example.com.

Format: priority weight port target. SRV records are used by VoIP, XMPP, LDAP, and some game servers. Most web developers won't encounter them often, but they're essential for enterprise services.

CAA Record (Certificate Authority Authorization)

CAA records specify which certificate authorities (CAs) are allowed to issue SSL certificates for your domain:

example.com.    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 issuewild "letsencrypt.org"

This prevents an attacker from getting a valid certificate for your domain from a different CA. If a CA receives a certificate request but finds a CAA record that doesn't include them, they must refuse. You can check CAA records with the SSL checker tool.
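
The check a CA performs against these records can be sketched in a few functions, which also shows how `issuewild` and parent-domain records interact. This is an added example, not code from the original article or from any CA; `other-ca.example` and the `NO_WILDCARDS` record set are constructed, the function names are assumptions, and CNAME following during the lookup is not modelled.

```python
def parse_caa(rdata):
    """Split CAA rdata such as '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root and return the first CAA set found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return [parse_caa(r) for r in zone[name]]
    return []

def may_issue(ca_domain, fqdn, zone):
    """Return True if ca_domain may issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True  # no CAA record anywhere on the path: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False  # critical property this checker does not understand
    # For wildcard names issuewild replaces issue, but only if it is present.
    use_wild = wildcard and any(tag == "issuewild" for _, tag, _ in rrset)
    wanted = "issuewild" if use_wild else "issue"
    values = [value for _, tag, value in rrset if tag == wanted]
    if not values:
        return True  # CAA exists but does not restrict this kind of issuance
    # The issuer name is the part before any ';' parameters; ';' alone means nobody.
    allowed = {value.split(";", 1)[0].strip().lower() for value in values}
    return ca_domain.lower() in allowed

# The article's records, and a constructed variant that forbids wildcard certificates.
PAGE_CAA = {"example.com.": ['0 issue "letsencrypt.org"', '0 issuewild "letsencrypt.org"']}
NO_WILDCARDS = {"example.com.": ['0 issue "letsencrypt.org"', '0 issuewild ";"']}
```

Because the lookup climbs toward the root, a single CAA set at example.com also covers www.example.com unless the subdomain publishes its own.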

TTL (Time To Live)

Every DNS record has a TTL value in seconds that controls how long resolvers cache the result:

example.com.    300    A    93.184.216.34

A TTL of 300 means resolvers cache this record for 5 minutes before checking again. Lower TTL = faster propagation of changes but more DNS queries. Higher TTL = better performance but slower updates.

Before a migration: lower TTL to 300 seconds a few days in advance. Make the change. After everything works, raise TTL back to 3600-86400 seconds.

Debugging DNS Issues

When something isn't working:

  1. Check current records with a DNS lookup — are the records what you expect?
  2. Check propagation — DNS changes can take up to 48 hours to propagate globally (though usually minutes with low TTL)
  3. Check the domain registration with a Whois lookup — are the name servers pointed to the right DNS provider?
  4. Check for typos — a missing dot, a wrong IP, or a misspelled hostname in an MX record will silently break things

Conclusion

DNS is the invisible infrastructure that makes the internet work. Understanding record types saves hours of debugging when email stops working, SSL certificates fail, or a domain migration goes sideways. Use the DNS lookup tool to inspect records and verify your configuration before problems become emergencies.
