Domain Name Records Overview: A-record, MX, DKIM, SPF, SRV

A RECORD (A-host):

– What: address record (A-record) specifies the IP address(es) of a given domain. In the case of IPv6, this is called an AAAA record.
– Why: name to address translation is necessary for users to type in a name to get to an IP address of the web server
– Who: domain admin sets these up, and these affect all users of the domain
– How: record type: value: TTL
@ A x.x.x.x 14400

MX (Mail Exchange):

– What: mail exchange (MX) records direct emails toward designated mail servers. These are like CNAME records for name servers with the difference in their marking as designated for mailings
– Why: these entries control how email messages should be routed in accordance with the Simple Mail Transfer Protocol (SMTP)
– Who: domain admins can edit these records
– How: below is an example of setting mail records of a domain toward 2 mail servers with different priorities record type: priority: value: TTL
@ MX 10 45000
@ MX 20 45000

SPF (Sender Policy Framework):

– What: Sender Policy Framework (spf) is a type of TXT record in your DNS zone
– Why: SPF records help identify which mail servers are permitted to send email on behalf of your domain. These records prevent spammers from sending emails with a forged ‘From’ addresses of your domain
– Who: domain admins can make these changes. Users benefit from not receiving forged emails, and would correctly receive emails being sent from company servers.
– How (examples):
a. Simple:
- v=spf1 ~all (Google)
- v=spf1 ~all (Microsoft)
b. Complex:
- v=spf1 ip4:IP.ADDRESS.HERE/NETMASK ~all (Google)
- v=spf1 ip4:IP.ADDRESS.HERE/NETMASK ~all (Microsoft)
- v=spf1 ip4:IP.ADDRESS.HERE/NETMASK ~all (Google, Microsoft, ClickDimensions, Autotask)


  • v=spf1 : marks spf protocol version (version 1 is the most commonly used protocol by email servers as of this writing)
  • ip4 or ip6 : specifies the IP address versioning. A single IP or a summarized subnet/supernet are acceptable
  • mx : allows the MX servers to send mail
  • include : allows a third-party to send emails on your domain’s behalf
  • a : allows the current IP to send mail
  • +all : allows any IP to send emails on this domain’s behalf
  • -all : allows no other IP’s to send emails on the domain’s behalf
  • ~all : allows all IP’s to send emails on your domain’s behalf, while messages would be marked
DKIM  (DomainKeys Identified Mail):

– What: it’s an email record associated with certain domains. These are composed of a selector and a public key. There is a private key that is installed on the email server, and is its alternate hashes are attached to email headers. Only the public key is added as the domain’s DNS record. The receiving email server performs keys matching to determine if the email is legitimate (not spam)
– Why: to prevent email spoofing
– Who: domain admins make these changes
– How: (source: Google)

  1.  Generate the domain key for your domain (For Google: https://
  2.  Add the public key to your domain’s DNS records
    • Example: 300 IN TXT "v=DKIM1; k=rsa; p=SOMEHASH" "MOREHASH"
  3.  Add DKIM onto email server(s) to start adding a DKIM signature to all outgoing messages
    • Example: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google;
SRV (Service Records):

– What: service (SRV) records specify hosts and ports for services such as VoIP, instant messaging, domain proof of ownership, etc.
– Why: these records include IP address and port information that other type of DNS records do not have the option. Some Internet protocols require the use of SRV records in order to function.
– Who: domain admins manage these at DNS zone control panels
– How: SRV records must point to an A record (in IPv4) or an AAAA record (in IPv6), not CNAME. Below are some examples
_sip._tls.@ 100 1 443 (Microsoft Lync)
_sipfederationtls._tcp.@ 100 1 5061 (Microsoft Lync) 86400 IN SRV 10 5 5223 (xmpp server)

Leave a Reply

Your email address will not be published. Required fields are marked *