If DNS is the phone book of the internet, record types are the different kinds of listings inside it. Some hold addresses, some hold instructions for mail servers, some authenticate the domain itself. This guide walks through every common record type, with a real example for each and the pitfalls that catch people out.
A — IPv4 address
The most fundamental record. An A record maps a hostname to a 32-bit IPv4 address. When you ask "what's the IP of example.com?", you're asking for its A record.
example.com. IN A 93.184.216.34
Common gotcha: a domain can have multiple A records, and resolvers may return them in any order (round-robin). Don't assume the first IP is "the real one."
AAAA — IPv6 address
Same role as A, but for 128-bit IPv6 addresses. The four As are pronounced "quad-A".
example.com. IN AAAA 2606:2800:220:1:248:1893:25c8:1946
Common gotcha: if your site has only AAAA records, IPv4-only clients can't reach it. Always publish both unless you have a deliberate IPv6-only strategy.
CNAME — canonical name
A CNAME points one name at another name. blog.example.com with a CNAME pointing at example.wordpress.com means "whatever the resolver finds for the right side, use that for the left side."
blog.example.com. IN CNAME example.wordpress.com.
Common gotcha: a CNAME record cannot coexist with any other record at the same name. That's why you can't put a CNAME on the apex (example.com itself) — the apex must hold SOA and NS records. Cloudflare, Route 53, and others work around this with "ALIAS" or "CNAME flattening", which are not real DNS records but provider-side tricks.
MX — mail exchange
Tells sending mail servers where to deliver email for this domain. Each MX record has a priority (lower = higher priority) and a hostname.
example.com. IN MX 10 mail.example.com.
example.com. IN MX 20 mail2.example.com.
Common gotcha: the MX value must be a hostname, not an IP address. The hostname itself then needs an A or AAAA record. And don't point MX at a CNAME — it's technically forbidden by RFC and some mail servers refuse to deliver.
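The CNAME and MX pitfalls above can be checked mechanically before a zone is published. The following Python linter is an added example, not part of the original guide; the record tuples, the sample data and the `lint_zone` name are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (owner name, type, rdata). Not from a real zone.
SAMPLE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 600 604800 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "CNAME", "example.wordpress.com."),   # CNAME at the apex
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "MX", "20 192.0.2.25"),               # MX pointing at an IP
    ("example.com.", "MX", "30 smtp.example.com."),
    ("mail.example.com.", "A", "192.0.2.10"),
    ("smtp.example.com.", "CNAME", "mail.example.com."),   # MX target is an alias
    ("blog.example.com.", "CNAME", "example.wordpress.com."),
]

def is_ip(text):
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False

def lint_zone(records):
    """Return a sorted list of (owner name, problem) findings."""
    types = defaultdict(set)
    for name, rtype, _ in records:
        types[name.lower()].add(rtype)
    findings = set()
    for name, present in types.items():
        # A CNAME must stand alone at its name (DNSSEC's RRSIG/NSEC excepted).
        others = present - {"CNAME", "RRSIG", "NSEC"}
        if "CNAME" in present and others:
            findings.add((name, "CNAME coexists with " + ",".join(sorted(others))))
    for name, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = rdata.split()[1].lower()   # rdata is "<priority> <target>"
        if is_ip(target):
            findings.add((name.lower(), f"MX target {target} is an IP address"))
        elif "CNAME" in types.get(target, set()):
            findings.add((name.lower(), f"MX target {target} is a CNAME"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in lint_zone(SAMPLE):
        print(name, "->", problem)
```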
TXT — text record
The general-purpose record. Used for SPF, DMARC, DKIM, domain ownership verification, MTA-STS policies, and a hundred other things. TXT records are just strings.
example.com. IN TXT "v=spf1 include:_spf.google.com -all"
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
Common gotcha: a TXT record's value is limited to 255 characters per string. Long DKIM keys are split into multiple quoted strings that resolvers concatenate — make sure your DNS UI doesn't break them.
NS — nameserver
NS records tell the world which servers are authoritative for a zone. Your registrar typically sets these at the parent zone, and the same records also appear inside the zone itself.
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
Common gotcha: NS records at the registrar (parent zone) and NS records inside your zone must agree. If you change one and forget the other, the resulting mismatch is called "lame delegation", and it causes intermittent resolution failures.
SOA — start of authority
Every zone has exactly one SOA record at its apex. It contains the primary nameserver, the zone administrator's email (written with the @ replaced by a dot, so hostmaster.example.com. means hostmaster@example.com), and a handful of timers including the serial number that secondary nameservers use to detect zone updates.
example.com. IN SOA ns1.example.com. hostmaster.example.com. (
    2026053001 ; serial
    3600       ; refresh
    600        ; retry
    604800     ; expire
    300 )      ; minimum TTL
Common gotcha: the serial number must increase every time the zone changes, or secondaries won't pick up your update. Most managed DNS providers do this automatically; if you edit raw zone files, you have to remember.
SRV — service locator
SRV records advertise the host and port for a specific service. Most famously used by SIP, XMPP, and Microsoft services like _autodiscover.
_sip._tcp.example.com. IN SRV 10 5 5060 sipserver.example.com.
The four fields are: priority, weight, port, target. They are used in combination so applications can do load balancing without being told the IP directly.
CAA — certificate authority authorization
Tells public certificate authorities (Let's Encrypt, DigiCert, etc.) whether they're allowed to issue certs for your domain. Without a CAA record, any CA can issue.
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
Common gotcha: CAA is checked at issuance time only. Adding a CAA record won't revoke existing certs from CAs you've now excluded — they remain valid until they expire.
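How a CA evaluates these records at issuance time, as an added Python example that is not part of the original guide. It goes beyond the two records shown and follows RFC 8659 behaviour: climbing from the requested name toward the root, `issuewild` for wildcard names, and the critical flag. The sample data, `otherca.example` and the function names are constructed for illustration.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA data keyed by owner name: (flags, tag, value). Not real records.
SAMPLE_CAA = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "iodef", "mailto:security@example.com")],
    "internal.example.com.": [(0, "issue", ";")],      # ";" alone: no CA may issue
    "legacy.example.com.": [(128, "futuretag", "x")],  # critical flag, unknown tag
}

def relevant_rrset(name, caa):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if caa.get(owner):
            return caa[owner]
    return []

def may_issue(ca_domain, name, caa):
    """Decide whether the CA identified by ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, caa)
    props = [(flags, tag.lower(), value) for flags, tag, value in rrset]
    # A critical (flag bit 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in props):
        return False
    issue = [v for _, t, v in props if t == "issue"]
    issuewild = [v for _, t, v in props if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # nothing restricts issuance, so any CA may issue
    # The issuer domain is whatever precedes optional ";"-separated parameters.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com."),
                     ("otherca.example", "www.example.com."),
                     ("letsencrypt.org", "db.internal.example.com.")]:
        print(ca, name, may_issue(ca, name, SAMPLE_CAA))
```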
PTR — reverse pointer
Maps an IP back to a hostname — the opposite of A/AAAA. Lives under the special .in-addr.arpa (IPv4) and .ip6.arpa (IPv6) zones.
34.216.184.93.in-addr.arpa. IN PTR example.com.
Common gotcha: only the owner of the IP range can set the PTR — usually your hosting provider or ISP, not you. PTR matters most for outbound mail, where receiving servers often reject mail from IPs without matching forward/reverse DNS.
DNSKEY, DS, RRSIG — DNSSEC
DNSSEC records cryptographically sign your DNS data so resolvers can verify the answer wasn't tampered with in transit.
- DNSKEY — the public key used to sign records in your zone.
- DS — a hash of your DNSKEY, published in the parent zone, establishing the chain of trust.
- RRSIG — the signature attached to every signed record set.
If you see these records, the domain is DNSSEC-signed — a good thing.
SVCB and HTTPS — service binding
The new kids on the block (RFC 9460). HTTPS records let a client discover ALPN protocols, IP hints, and an Encrypted Client Hello config in a single DNS lookup, replacing the older "send a request first, then learn the protocol" handshake.
example.com. IN HTTPS 1 . alpn="h3,h2" ipv4hint="93.184.216.34"
Most browsers in 2025+ check for HTTPS records before connecting. If yours is set up correctly, page loads are noticeably faster.
SPF, HINFO, NAPTR, TLSA, SSHFP — the rest
- SPF — was its own record type before being absorbed into TXT. Some legacy systems still publish a parallel SPF record; modern best practice is TXT only.
- HINFO — historical record for hardware/OS info. Mostly seen as a privacy-friendly response from nslookup ANY.
- NAPTR — used by VoIP and ENUM for telephone-number routing.
- TLSA — DANE record, binds a TLS certificate to a name via DNSSEC.
- SSHFP — SSH host key fingerprints in DNS, for SSH clients that verify against DNSSEC.
Looking up records yourself
The fastest way to inspect every record type at once is DNS Export's lookup tool — paste a domain and it queries all 22 types in parallel and lays them out in a clean table. You can also compare across resolvers to spot caching delays.