DNS (Domain Name System) is the internet's phone book — it translates human-readable domain names into IP addresses that servers understand. For developers, DNS misconfigurations are one of the most common causes of mysterious site outages and email delivery failures.
This guide covers everything you need to know.
How DNS Works (in 60 seconds)
When a user types websitelinter.com into their browser:
- Browser checks its local cache
- If not cached, asks the OS resolver
- OS resolver asks a recursive resolver (usually your ISP or
8.8.8.8) - Recursive resolver walks the DNS tree: Root → TLD (
.com) → Authoritative nameserver - Authoritative nameserver returns the IP address
- Browser connects to the IP and loads your site
This entire process usually takes under 50ms and is cached for a duration specified by the TTL.
DNS Record Types
A Record
Maps a domain to an IPv4 address.
websitelinter.com. 300 IN A 104.21.44.123
AAAA Record
Maps a domain to an IPv6 address.
websitelinter.com. 300 IN AAAA 2606:4700:3032::ac43:c8b3
CNAME Record
Creates an alias that points to another domain name (not an IP).
www.websitelinter.com. 300 IN CNAME websitelinter.com.
Important: You cannot use a CNAME at the apex (root) domain. For
websitelinter.com, you need an A record or a CNAME-flattening feature (which Cloudflare calls "CNAME at root").
MX Record
Specifies mail servers for your domain. The priority value (lower = higher priority):
websitelinter.com. 300 IN MX 10 mail.example.com.
websitelinter.com. 300 IN MX 20 mail2.example.com.
TXT Record
Arbitrary text data — used for domain verification, SPF, DKIM, DMARC, and more.
websitelinter.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
NS Record
Delegates DNS authority to nameservers.
websitelinter.com. 86400 IN NS ns1.cloudflare.com.
SOA Record
Start of Authority — contains metadata about the zone (primary nameserver, admin email, serial number).
SRV Record
Service locator records — used by XMPP, SIP, and other protocols.
_sip._tcp.example.com. 86400 IN SRV 10 20 5060 sip.example.com.
CAA Record
Certificate Authority Authorization — restricts which CAs can issue SSL certs for your domain.
websitelinter.com. 300 IN CAA 0 issue "letsencrypt.org"
Understanding TTL
TTL (Time to Live) is the number of seconds DNS resolvers should cache a record. It's a trade-off:
| TTL | Pros | Cons |
|---|---|---|
| Short (60–300s) | Fast propagation on changes | More DNS queries, slightly slower resolution |
| Long (3600–86400s) | Fewer queries, faster resolution | Slow propagation when you change records |
Best practice: Lower your TTL to 300s (5 min) before making a critical DNS change, wait for the old TTL to expire, then make the change. Afterwards, restore the higher TTL.
DNS Propagation
"DNS propagation" refers to the time it takes for changes to spread across the internet's recursive resolvers. It's widely misunderstood:
- Your authoritative nameserver updates instantly
- Recursive resolvers worldwide hold cached copies until TTL expires
- "Propagation" can take minutes to 48 hours, depending on TTL and resolver behavior
Use dnschecker.org to see what different resolvers worldwide are returning for your domain. If you see inconsistent results, resolvers are still serving the cached old record.
Email DNS: SPF, DKIM, and DMARC
Three TXT records that drastically improve email deliverability and prevent spoofing:
SPF (Sender Policy Framework)
Lists which IP addresses and services are authorized to send email for your domain:
"v=spf1 include:_spf.google.com include:sendgrid.net ~all"
~all= soft fail (mark as suspicious but deliver)-all= hard fail (reject)
DKIM (DomainKeys Identified Mail)
Adds a cryptographic signature to outgoing emails. Your email provider generates a key pair; you publish the public key as a TXT record:
google._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."
DMARC
Ties SPF and DKIM together and tells receiving servers what to do with emails that fail checks:
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
p=none— monitor onlyp=quarantine— send to spamp=reject— reject outright
DNSSEC
DNSSEC adds cryptographic signatures to DNS responses, preventing DNS cache poisoning attacks where an attacker tricks resolvers into returning fraudulent IP addresses.
Enabling DNSSEC requires:
- Your DNS provider to sign your zone
- Publishing a DS record with your registrar
Cloudflare and Route 53 both support DNSSEC and handle most of the complexity automatically.
Common DNS Mistakes
Forgetting to lower TTL before changes
Always pre-lower TTL before a planned migration. If you change your A record while TTL is 86400, some users may see the old IP for up to 24 hours.
Using CNAME at the apex
This violates RFC 1034. Use A records or a service with CNAME flattening.
Missing SPF/DKIM/DMARC
Without these, your transactional emails are likely hitting spam. Gmail and Outlook now reject or flag email from domains without proper DMARC policies.
Broken CAA records after cert provider switch
If you move from DigiCert to Let's Encrypt but your CAA record still says issue "digicert.com", your new cert issuance will fail.
Forgetting trailing dots
In zone files, a domain without a trailing dot is relative to the zone origin. mail.example.com and mail.example.com. mean different things in a zone file.
Tools for Debugging DNS
dig websitelinter.com A— query a specific record typedig +trace websitelinter.com— trace the full DNS resolution pathnslookup websitelinter.com 8.8.8.8— query Google's resolver specifically- dnschecker.org — check propagation globally
- mxtoolbox.com — email DNS diagnostics
Checking Your Site's DNS Health
A misconfigured DNS record can cause SSL certificate failures, email delivery problems, and intermittent outages. Website Linter scans your site's technical configuration — run a free audit to check your current state alongside performance, security headers, and SEO signals all in one report.