Networking
How to Configure DNS for Your Domain
DNS maps your domain to your servers and tells the world how to deliver your mail. This guide covers the core record types, the three email-authentication records that keep your mail out of spam folders, and how to verify everything with dig.
Understand the Core Record Types
Each record type does one job. A points to an IPv4 address, AAAA to IPv6, CNAME aliases one name to another, MX routes email, and TXT holds verification and policy strings.
    # A     -> IPv4 address of your server
    # AAAA  -> IPv6 address of your server
    # CNAME -> alias one hostname to another (e.g. www -> yourdomain.com)
    # MX    -> which mail server receives email, with a priority number
    # TXT   -> free-form text, used for SPF/DKIM/DMARC and domain verification
Lower the TTL Before Migrating
If you are moving an existing live domain, drop the TTL to 300 seconds at least 24 hours in advance. Short TTLs mean resolvers pick up your new records within minutes, not days, so a cutover is quick and reversible.
    # Set TTL to 300 (5 minutes) on records you plan to change, a day BEFORE the move:
    Type:  A
    Name:  @
    Value: old_server_ip
    TTL:   300

    # After the migration is confirmed stable, raise TTL back to 3600 to reduce query load
Create A and AAAA Records
Point the bare domain to your server's IPv4 and, if available, IPv6 address.
    Type:  A
    Name:  @
    Value: your_server_ipv4
    TTL:   3600

    Type:  AAAA
    Name:  @
    Value: your_server_ipv6   # only if your server has IPv6
    TTL:   3600
Add the www Alias and Mail Routing
Alias www to your root domain with a CNAME, then add an MX record so other servers know where to deliver your email.
    Type:  CNAME
    Name:  www
    Value: yourdomain.com
    TTL:   3600

    Type:     MX
    Name:     @
    Value:    mail.yourdomain.com   # this hostname needs its own A record
    Priority: 10
    TTL:      3600
Authenticate Your Mail with SPF, DKIM, and DMARC
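These three TXT records let receiving servers check that mail claiming to come from your domain is genuine, which dramatically cuts spoofing and makes your legitimate mail less likely to be filtered as spam. SPF lists who may send for you, DKIM signs messages, and DMARC tells receivers what to do when a check fails.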
    # SPF: authorize your mail server, reject everything else (-all)
    Type:  TXT
    Name:  @
    Value: "v=spf1 mx -all"

    # DKIM: publish the public key your mail server generated (selector shown as 'default')
    Type:  TXT
    Name:  default._domainkey
    Value: "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"

    # DMARC: start at quarantine and collect reports, then tighten to p=reject later
    Type:  TXT
    Name:  _dmarc
    Value: "v=DMARC1; p=quarantine; rua=mailto:[email protected]; adkim=s; aspf=s"
Verify Every Record with dig
Query each record directly so you can confirm it is live before you rely on it. Use +short for clean output.
    dig +short A yourdomain.com
    dig +short AAAA yourdomain.com
    dig +short CNAME www.yourdomain.com
    dig +short MX yourdomain.com
    dig +short TXT yourdomain.com          # shows your SPF record
    dig +short TXT _dmarc.yourdomain.com   # shows your DMARC policy
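Seeing a TXT answer come back only shows the record is live, not that its content is sound. The script below is an added example, not part of the original guide: it reads TXT answers in the form dig +short prints them and flags a missing or duplicated SPF record, a soft or absent "all" mechanism, and the DMARC policy level. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit TXT answers in the form `dig +short TXT` prints them.
# Records arrive on stdin, so saved output can be checked offline. Live use:
#   dig +short TXT yourdomain.com | check_spf
#   dig +short TXT _dmarc.yourdomain.com | check_dmarc

# Join the quoted chunks of a long TXT record, as receivers do, and drop quotes.
normalize() { sed 's/" "//g; s/"//g'; }

# check_spf: stdin = every TXT answer for the bare domain, one per line.
check_spf() {
    recs=$(normalize)
    count=0 spf=""
    while IFS= read -r rec; do
        case $rec in
            v=spf1|"v=spf1 "*) count=$((count + 1)); spf=$rec ;;
        esac
    done <<EOF
$recs
EOF
    if [ "$count" -eq 0 ]; then echo "FAIL: no SPF record"; return 0; fi
    # More than one v=spf1 record is an SPF error (RFC 7208), not a merge.
    if [ "$count" -gt 1 ]; then echo "FAIL: $count SPF records"; return 0; fi
    case $spf in
        *" -all") echo "OK: -all" ;;
        *" ~all") echo "WARN: ~all is a soft fail" ;;
        *)        echo "WARN: no restrictive all mechanism" ;;
    esac
}

# check_dmarc: stdin = the TXT answer for _dmarc.<domain>.
check_dmarc() {
    rec=$(normalize | head -n 1)
    case $rec in
        v=DMARC1*) ;;
        *) echo "FAIL: no DMARC record"; return 0 ;;
    esac
    # Split the tags on ';' and keep only p= (sp= must not match).
    policy=$(printf '%s\n' "$rec" | tr ';' '\n' | sed -n 's/^ *p=\([a-z]*\) *$/\1/p')
    case $rec in *rua=*) rua=yes ;; *) rua=no ;; esac
    case $policy in
        reject|quarantine) echo "OK: p=$policy rua=$rua" ;;
        none) echo "WARN: p=none rua=$rua" ;;
        *)    echo "FAIL: missing or invalid p= tag" ;;
    esac
}

# Constructed sample answers (not real lookups).
SAMPLE_ROOT='"site-verification=CONSTRUCTED"
"v=spf1 mx ~all"'
SAMPLE_DMARC='"v=DMARC1; p=quarantine; rua=mailto:reports@example.test; adkim=s; aspf=s"'
printf '%s\n' "$SAMPLE_ROOT" | check_spf
printf '%s\n' "$SAMPLE_DMARC" | check_dmarc
```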
Your domain now resolves correctly and your mail is authenticated with SPF, DKIM, and DMARC. Lower TTLs before any future migration, verify with dig, and move DMARC to p=reject once your reports confirm only legitimate mail is being sent.