DNS Record Types Explained
Compare DNS record types with examples. Learn when to use A, AAAA, CNAME, MX, TXT, NS, CAA, SRV, SOA, PTR, HTTPS, SVCB, ALIAS, and more.
Answer snapshot
DNS records are instructions inside a DNS zone. A and AAAA point names to IP addresses, CNAME and ALIAS point names to other names, MX routes mail, TXT publishes verification and email-authentication data, NS and SOA describe authority, and CAA, SRV, PTR, TLSA, SSHFP, HTTPS, and SVCB handle security, service discovery, reverse DNS, and modern connection metadata.
What you'll learn
- Choose the right DNS record type for websites, apps, email, security, and service discovery
- Read practical examples for common records such as A, CNAME, MX, TXT, CAA, and SRV
- Avoid CNAME conflicts, broken email records, TTL mistakes, and DNSSEC-sensitive errors
- Use DNScale tools and guides to check records after making changes
DNS records control where a domain points, how email is routed, which services are available, and what security policies apply. This guide is the central DNScale reference for choosing record types, reading examples, avoiding common mistakes, and checking results with DNS tools.
If you already know the record type you need, jump to the quick reference table. If you are deciding between options, start with A record vs CNAME record, DNS records for email, or DNS record conflicts and mistakes.
Quick Reference
| Record type | What it does | Common use | Example | Detailed guide |
|---|---|---|---|---|
| A | Points a hostname to an IPv4 address | Website and app hosting | www.example.com -> 192.0.2.10 | A record guide |
| AAAA | Points a hostname to an IPv6 address | IPv6 website and app hosting | www.example.com -> 2001:db8::10 | AAAA record guide |
| CNAME | Points one hostname to another hostname | SaaS, CDN, and www aliases | docs.example.com -> example.gitbook.io | CNAME guide |
| MX | Routes mail for a domain | Inbound email delivery | example.com -> 10 mail.example.com. | MX record guide |
| TXT | Stores text values | SPF, DKIM, DMARC, verification | v=spf1 include:_spf.example.com -all | TXT record guide |
| NS | Delegates DNS authority | Parent delegation or subdomain delegation | example.com -> ns1.provider.net. | NS record guide |
| SOA | Defines zone authority metadata | Zone administration and negative caching | primary nameserver plus serial timers | SOA record guide |
| CAA | Controls certificate issuance | TLS certificate policy | 0 issue "letsencrypt.org" | CAA record guide |
| SRV | Defines service host and port | SIP, XMPP, LDAP, game servers | 10 5 5060 sip.example.com. | SRV record guide |
| PTR | Maps IP address back to a hostname | Reverse DNS and mail reputation | 10.2.0.192.in-addr.arpa -> host.example.com. | PTR record guide |
| TLSA | Publishes DANE TLS association | Advanced TLS validation | certificate association data | TLSA record guide |
| SSHFP | Publishes SSH host fingerprints | SSH host verification | algorithm plus fingerprint | SSHFP record guide |
| HTTPS | Publishes HTTPS service parameters | HTTP/3, ECH, web connection hints | 1 . alpn="h3,h2" | HTTPS record guide |
| SVCB | Publishes service binding metadata | Alternative endpoints and service parameters | service priority and parameters | SVCB record guide |
| ALIAS | Apex-friendly hostname alias | Root domain to CDN or cloud target | example.com -> target.example.net. | ALIAS record guide |
DNScale documents customer-managed standard and modern record types in the records API. SOA is also explained here because every authoritative zone has one; the apex SOA and apex NS records are usually provider-managed system records, not routine records you edit by hand.
What Is a DNS Record?
A DNS record is an instruction inside a DNS zone. Each record normally has:
| Field | Meaning |
|---|---|
| Name | The hostname, such as www, _dmarc, or example.com. |
| Type | The record type, such as A, CNAME, MX, or TXT |
| Value | The answer, such as an IP address, hostname, text string, or service parameter |
| TTL | How long recursive resolvers may cache the answer |
| Priority | Extra ordering value used by records such as MX and SRV |
Record conflicts matter because DNS has rules about which records can coexist. A CNAME must usually be the only record at its name. MX targets must resolve. DNSSEC DS and DNSKEY data must match. TTLs control how quickly changes become visible after resolvers cache old answers.
A Records
An A record maps a name to an IPv4 address.
Name: www
Type: A
Value: 192.0.2.10
TTL: 300Use A records when you control the IPv4 address, when you need the apex domain to point to a server, or when other records must coexist at the same name.
Common mistakes:
- Using a private IP address such as
10.0.0.5for a public website. - Forgetting to update both apex and
www. - Setting a high TTL before a migration.
AAAA Records
An AAAA record maps a name to an IPv6 address.
Name: www
Type: AAAA
Value: 2001:db8::10
TTL: 300Use AAAA records for dual-stack services so IPv6-capable clients can connect directly. Pair them with A records when the same service supports IPv4 and IPv6.
Common mistakes:
- Publishing AAAA before the service actually listens on IPv6.
- Forgetting IPv6 firewall rules.
- Testing only from IPv4 networks.
CNAME Records
A CNAME record aliases one hostname to another hostname.
Name: docs
Type: CNAME
Value: example.gitbook.io.
TTL: 3600Use CNAME records for subdomains that should follow a third-party service, CDN, or SaaS target. Do not use a CNAME at a name that also needs MX, TXT, CAA, or other record data.
Common mistakes:
- Putting a CNAME at the apex/root domain.
- Creating long CNAME chains.
- Combining CNAME with TXT verification at the same name.
For a deeper decision framework, read CNAME vs A record.
MX Records
MX records tell senders where to deliver email for a domain. They include a priority and a mail server hostname.
Name: example.com.
Type: MX
Value: 10 mail.example.com.
TTL: 3600Use MX records for domains and subdomains that receive email. Lower priority numbers are preferred.
Common mistakes:
- Pointing MX to a hostname that has no A or AAAA record.
- Missing the provider-required priority.
- Using a CNAME as the MX target when the mail provider expects a direct hostname.
TXT Records
TXT records store text values. They are widely used for email authentication and domain verification.
Name: example.com.
Type: TXT
Value: v=spf1 include:_spf.example.com -all
TTL: 3600Use TXT records for SPF, DKIM, DMARC, Google/Microsoft verification, MTA-STS reporting, and service-specific ownership checks.
Common mistakes:
- Publishing multiple SPF records at the same name.
- Putting DMARC at
example.cominstead of_dmarc.example.com. - Leaving stale verification records after a migration.
NS Records
NS records identify authoritative nameservers. At the parent zone, they delegate the domain to a DNS provider. Inside a zone, they can delegate a subdomain.
Name: dev.example.com.
Type: NS
Value: ns1.dev-provider.net.
TTL: 3600Use NS records carefully. Parent-zone delegation and in-zone NS records need to agree during migrations.
Common mistakes:
- Parent and child NS records disagreeing after a provider migration.
- Delegating a subdomain without creating the child zone.
- Changing NS records without lowering TTLs first.
SOA Records
An SOA record stores zone authority metadata: primary nameserver, responsible mailbox, serial number, refresh, retry, expire, and minimum/negative-cache TTL.
Name: example.com.
Type: SOA
Value: ns1.dnscale.eu. hostmaster.example.com. 2026060901 3600 600 604800 300Every authoritative zone has an SOA record. In managed DNS, the apex SOA is usually generated and maintained by the provider.
Common mistakes:
- Treating the SOA serial as application state.
- Misreading negative-cache TTL as a normal record TTL.
- Trying to hand-edit provider-managed SOA data during a migration.
CAA Records
CAA records restrict which public certificate authorities can issue TLS certificates for a domain.
Name: example.com.
Type: CAA
Value: 0 issue "letsencrypt.org"
TTL: 3600Use CAA records when you want explicit certificate authority policy. Add issuewild when wildcard certificates should have separate rules.
Common mistakes:
- Forgetting the CA used by your CDN or hosting provider.
- Leaving old CA values after moving certificate automation.
- Making the record too restrictive before a certificate renewal.
SRV Records
SRV records publish service location, including priority, weight, port, and target.
Name: _sip._tcp.example.com.
Type: SRV
Value: 10 5 5060 sip.example.com.
TTL: 3600Use SRV records for protocols that explicitly support service discovery, such as SIP, XMPP, LDAP, Kerberos, and some game servers.
Common mistakes:
- Missing the leading service and protocol labels, such as
_sip._tcp. - Forgetting that the SRV target still needs A/AAAA records.
- Mixing up priority and weight.
PTR Records
PTR records map an IP address back to a hostname in a reverse DNS zone.
Name: 10.2.0.192.in-addr.arpa.
Type: PTR
Value: host.example.com.
TTL: 3600Use PTR records for reverse DNS, especially mail server reputation and infrastructure identification. In many cases, the IP address owner controls the reverse zone, not the domain owner.
Common mistakes:
- Trying to set PTR in the forward zone.
- Publishing PTR that does not match the server's forward A/AAAA records.
- Assuming you can control reverse DNS for cloud IPs without provider support.
Advanced Record Types
TLSA Records
TLSA records publish DANE certificate associations. They are only meaningful when DNSSEC validation protects the zone.
SSHFP Records
SSHFP records publish SSH host key fingerprints so clients can verify host keys through DNSSEC-protected DNS.
HTTPS Records
HTTPS records publish web service metadata such as HTTP/3 support, alternative endpoints, and ECH-related hints.
SVCB Records
SVCB records are the generic service-binding form behind HTTPS records.
ALIAS Records
ALIAS records provide CNAME-like behavior at the apex while allowing required apex records such as SOA, NS, MX, and TXT to coexist.
DNS Record Examples
| Task | Name | Type | Value | TTL |
|---|---|---|---|---|
| Point root domain to website | example.com. | A | 192.0.2.10 | 300 |
| Add IPv6 for website | example.com. | AAAA | 2001:db8::10 | 300 |
Point www to apex | www.example.com. | CNAME | example.com. | 3600 |
| Connect email provider | example.com. | MX | 10 mail.example.com. | 3600 |
| Publish SPF | example.com. | TXT | v=spf1 include:_spf.example.com -all | 3600 |
| Publish DMARC | _dmarc.example.com. | TXT | v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com | 3600 |
| Restrict certificate issuers | example.com. | CAA | 0 issue "letsencrypt.org" | 3600 |
| Publish service discovery | _sip._tcp.example.com. | SRV | 10 5 5060 sip.example.com. | 3600 |
| Use apex hostname alias | example.com. | ALIAS | target.example.net. | 300 |
To manage these as code, see Managing DNS with Terraform and the DNScale API records docs.
A Record vs CNAME Record
| Use case | A record | CNAME record |
|---|---|---|
| Points to | IPv4 address | Hostname |
| Can be used at zone apex | Yes | Usually no |
| Good for | Fixed IPs, root domains, coexistence with other records | Subdomains and third-party targets |
| Coexistence | Can coexist with some other record types | Must usually be the only record at that name |
| Operational risk | You must update IPs when they change | The target owner controls final IPs |
Use A records when you control the destination IP or need the apex domain. Use CNAME when a subdomain should follow a provider-controlled hostname. If you need CNAME-like behavior at the apex, use ALIAS records where supported.
DNS Records for Email
Email DNS usually combines several record types:
| Purpose | Record type | Name | Notes |
|---|---|---|---|
| Route inbound mail | MX | example.com. | Points to provider mail hosts |
| Authorize sending servers | TXT | example.com. | SPF policy |
| Verify signed mail | TXT or CNAME | selector._domainkey.example.com. | DKIM public key or selector delegation |
| Publish receiver policy | TXT | _dmarc.example.com. | DMARC policy and reporting |
| Advertise TLS policy | TXT | _mta-sts.example.com. | Optional MTA-STS |
| Report TLS failures | TXT | _smtp._tls.example.com. | Optional TLS-RPT |
Use the SPF validator, DKIM validator, and DMARC validator to check common email DNS mistakes. For the full email-authentication overview, read email security with SPF, DKIM, and DMARC.
DNS TTL Explained
TTL means time to live. It tells recursive resolvers how long they can cache an answer.
| TTL pattern | Use case | Trade-off |
|---|---|---|
| 60-300 seconds | Migrations, failover, changing records | Faster updates, more queries |
| 3600 seconds | Normal website and email records | Balanced cache behavior |
| 86400 seconds | Very stable records | Fewer queries, slower change visibility |
Lower TTLs before a planned migration, wait for old caches to expire, make the change, verify, then restore a normal TTL. For details, read DNS TTL best practices and use the DNS propagation checker after changes.
DNS Record Conflicts and Mistakes
| Mistake | Why it breaks | Fix |
|---|---|---|
| CNAME at same name as MX/TXT | CNAME cannot coexist with other record data | Use A/AAAA/ALIAS or move the conflicting record |
| CNAME at apex | Apex needs SOA and NS records | Use A, AAAA, or ALIAS |
| Missing MX target A/AAAA | Mail servers cannot resolve the mail host | Add address records for the MX target |
| Multiple SPF TXT records | SPF receivers expect one policy record | Merge SPF mechanisms into one TXT value |
| DMARC at wrong name | Receivers only check _dmarc | Publish at _dmarc.example.com. |
| CAA too restrictive | Certificate authority cannot issue | Add the CA your automation uses |
| TTL too high before migration | Old answers remain cached longer | Lower TTL before the change window |
| NS delegation mismatch | Parent and child authority disagree | Compare registrar NS and in-zone NS |
| DNSSEC DS mismatch | Validators return SERVFAIL | Coordinate DS and DNSKEY changes carefully |
For broad troubleshooting, see DNS troubleshooting, SERVFAIL explained, and NXDOMAIN explained.
How To Check DNS Records
Use the right tool for the question:
| Question | Tool |
|---|---|
| What does this record currently resolve to? | DNS lookup tool |
| Has my change reached public resolvers? | DNS propagation checker |
| Are delegation, SOA, DNSSEC, MX, SPF, DMARC, and CAA healthy? | Zone health check |
| Is my DNSSEC chain valid? | DNSSEC chain validator |
| Is my SPF record valid? | SPF validator |
| Is my DKIM selector valid? | DKIM validator |
| Is my DMARC policy valid? | DMARC validator |
After a DNS change, check authoritative answers first, then recursive resolver caches. A resolver serving the old answer may simply be honoring the previous TTL.
Managing DNS Records With DNScale
DNScale lets you manage authoritative DNS records through the dashboard, API, Terraform provider, and DNSControl.
| Method | Best for |
|---|---|
| Dashboard | Fast manual edits, exploration, emergency changes |
| API | Custom automation and application workflows |
| Terraform | Infrastructure-as-code teams using HCL and remote state |
| DNSControl | DNS-specific code workflows and multi-provider DNS |
If multiple people or environments touch DNS, pick one source of truth per zone. For Terraform, use the DNScale Terraform provider guide. For JavaScript-based DNS as code, use the DNSControl guide. For direct API automation, start with the records API docs.
Related Guides and Tools
| Resource | Why it helps |
|---|---|
| CNAME vs A record | Choose between IP mapping and hostname aliasing |
| DNS MX record explained | Configure email routing |
| DNS TXT record guide | SPF, DKIM, DMARC, and verification records |
| DNS TTL best practices | Plan cache behavior and migrations |
| Fully qualified domain names | Understand names, trailing dots, and record targets |
| DNS server types | Understand recursive, root, TLD, and authoritative servers |
| Managing DNS with Terraform | Manage records as code |
| DNS lookup tool | Query current records |
| DNS propagation checker | Compare resolver caches after changes |
| Zone health check | Audit production DNS and mail basics |
Start Managing Records Safely
Need to manage records across multiple domains? DNScale gives you authoritative DNS with dashboard editing, API access, Terraform, DNSControl, DNSSEC tooling, and record-checking tools for safe changes.
Frequently asked questions
- What are DNS record types?
- DNS record types define what kind of answer a DNS name provides. For example, A returns an IPv4 address, MX returns mail exchangers, TXT returns text values, and CAA controls certificate authority authorization.
- What is the difference between an A record and a CNAME record?
- An A record points directly to an IPv4 address. A CNAME points one hostname to another hostname. Use A records for apex domains and fixed IPs; use CNAME for subdomains that follow a third-party hostname.
- Which DNS records are required for a website?
- Most websites need A and/or AAAA records for the apex domain and either a CNAME or A/AAAA records for www. Some providers use ALIAS at the apex or HTTPS records for modern connection hints.
- Which DNS records are required for email?
- Email usually needs MX records for routing plus TXT records for SPF and DMARC. DKIM is commonly a TXT record, though some email providers use CNAME records for selector delegation.
- What is a TXT record used for?
- TXT records store text values. Common uses include SPF, DKIM, DMARC, domain ownership verification, MTA-STS reporting, and service-specific verification tokens.
- What is the difference between SPF, DKIM, and DMARC records?
- SPF authorizes sending servers, DKIM publishes a public key used to verify signed messages, and DMARC tells receivers what to do when SPF and DKIM alignment fail.
- What is a CAA record?
- A CAA record tells public certificate authorities which CAs are allowed to issue TLS certificates for a domain. A restrictive CAA record can block certificate issuance if it does not list the CA you use.
- What does TTL mean in DNS records?
- TTL is the time to live in seconds. It tells recursive resolvers how long they may cache a DNS answer before asking again.
- Can a CNAME record be used at the root domain?
- Usually no. The root or apex name must also hold SOA and NS records, and a CNAME cannot coexist with other record data. Use A, AAAA, or provider-supported ALIAS records instead.
- How do I check which DNS records a domain has?
- Use a DNS lookup tool for a specific record type, a propagation checker after changes, a zone health check for broad DNS and mail checks, and a DNSSEC checker for signed zones.
Related guides
Records
DNS A Record Explained — What It Is and How to Use It
Learn what a DNS A record is, how it maps domain names to IPv4 addresses, and how to create, query, and troubleshoot A records with practical dig command examples.
Records
DNS AAAA Record Explained — IPv6 Address Mapping
Learn what a DNS AAAA record is, how it maps domain names to IPv6 addresses, and how to set up dual-stack DNS with practical dig command examples.
Records
DNS CNAME Record Explained — Aliases and Canonical Names
Learn how DNS CNAME records create domain aliases, when to use them over A records, and how to avoid common pitfalls like apex restrictions and CNAME chains.
Records
DNS MX Record Explained — Mail Exchange Configuration
Learn how DNS MX records route email to mail servers, configure priority-based failover, and set up MX records for Google Workspace, Microsoft 365, and self-hosted mail.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free