ZoneWatcher
Features Integrations Compliance Pricing FAQ Blog
Sign In Register

The Complete Guide to DNS Record Types (2026 Edition)

Tom Schlick · 6 min read

This guide covers the record types you'll actually encounter: from the basics everyone should know to the newer types that are increasingly relevant.

The Essentials

A Record

A records map a hostname to an IPv4 address. This is the most fundamental DNS record.

example.com.    300    IN    A    93.184.216.34

Most websites have at least one A record. You can have multiple A records for the same name to distribute traffic across servers.

AAAA Record

AAAA records work the same way as A records, but for IPv6 addresses.

example.com.    300    IN    AAAA    2606:2800:220:1:248:1893:25c8:1946

With IPv4 address space exhausted, AAAA records are no longer optional for production services. If your infrastructure supports IPv6, publish AAAA records.

CNAME Record

CNAME records create an alias from one name to another. When a resolver encounters a CNAME, it follows the chain to the target and returns that record's address.

www.example.com.    300    IN    CNAME    example.com.
blog.example.com.   300    IN    CNAME    hosting.provider.com.

Restrictions: A CNAME cannot coexist with other record types at the same name. You cannot place a CNAME at the zone apex (example.com) because it would conflict with the SOA and NS records that must exist there.

MX Record

MX records specify where to deliver email for a domain. The priority value determines the order; lower numbers are tried first.

example.com.    300    IN    MX    10 mail1.example.com.
example.com.    300    IN    MX    20 mail2.example.com.

If mail1 is unreachable, the sending server falls back to mail2. Remove MX records and email to your domain stops working.

TXT Record

TXT records store arbitrary text. Originally designed for human-readable notes, they now carry critical machine-readable data: SPF policies, DKIM public keys, DMARC policies, domain ownership verification, and more.

example.com.    300    IN    TXT    "v=spf1 include:_spf.google.com -all"

A single domain often has multiple TXT records for different purposes.

NS Record

NS records delegate authority for a domain to specific nameservers.

example.com.    86400    IN    NS    ns1.dnsprovider.com.
example.com.    86400    IN    NS    ns2.dnsprovider.com.

NS records at the zone apex define which nameservers are authoritative for your entire domain. NS records on subdomains delegate those subdomains to different nameservers.

SOA Record

The SOA record (Start of Authority) contains administrative metadata about the zone: the primary nameserver, the responsible party's email, serial number, and timing values for zone transfers and caching.

example.com.    86400    IN    SOA    ns1.example.com. admin.example.com. (
    2026030601  ; serial
    3600        ; refresh
    900         ; retry
    1209600     ; expire
    86400       ; minimum TTL
)

Every zone has exactly one SOA record. The serial number should increment with every change; it's how secondary nameservers know when to pull updates.

Email Authentication Records

SPF (via TXT)

Published as a TXT record, SPF declares which servers are authorized to send email for your domain. See our detailed guide on SPF, DKIM, and DMARC for more.

DKIM (via TXT)

Published as a TXT record on a selector subdomain (e.g., google._domainkey.example.com), DKIM contains the public key used to verify email signatures.

DMARC (via TXT)

Published as a TXT record on _dmarc.example.com, DMARC sets the policy for handling emails that fail SPF and DKIM checks.

Service Discovery and Routing

SRV Record

SRV records specify the hostname and port for a particular service. Used by protocols like SIP, XMPP, LDAP, and others that need to locate services dynamically.

_sip._tcp.example.com.    300    IN    SRV    10 60 5060 sipserver.example.com.

The format is: priority, weight, port, target. Priority works like MX. Weight breaks ties between equal-priority targets.

HTTPS / SVCB Records

HTTPS records are newer record types (RFC 9460) that let clients discover HTTPS service parameters directly from DNS, including supported protocols, port numbers, and alternative endpoints.

example.com.    300    IN    HTTPS    1 . alpn="h2,h3" ipv4hint=93.184.216.34

HTTPS records can eliminate the HTTP-to-HTTPS redirect step and enable HTTP/3 discovery without a prior HTTP/2 connection. Browser support is now widespread.

CAA Record

CAA records (Certificate Authority Authorization) specify which CAs are permitted to issue SSL/TLS certificates for your domain.

example.com.    300    IN    CAA    0 issue "letsencrypt.org"
example.com.    300    IN    CAA    0 iodef "mailto:security@example.com"

CAs are required to check CAA records before issuing certificates. This prevents unauthorized CAs from issuing certificates for your domain, a meaningful defense against misissuance.

DNSSEC Records

DNSKEY Record

DNSKEY records contain the public keys used to sign the zone's records. Resolvers use these to verify RRSIG signatures.

RRSIG Record

RRSIG records contain the cryptographic signature for a record set. Every signed record type in a DNSSEC-enabled zone has a corresponding RRSIG.

DS Record

DS records (Delegation Signer) are published in the parent zone and contain a hash of the child zone's key-signing key. This links the chain of trust between parent and child zones.

NSEC / NSEC3 Records

Prove that a queried name or record type doesn't exist. This prevents attackers from forging negative responses.

Infrastructure Records

PTR Record

PTR records are the reverse of A records; they map an IP address back to a hostname. Used in reverse DNS lookups, primarily for email server verification and network diagnostics.

34.216.184.93.in-addr.arpa.    300    IN    PTR    example.com.

PTR records live in the in-addr.arpa (IPv4) or ip6.arpa (IPv6) zones, which are managed by whoever controls the IP address block.

ALIAS / ANAME Record

ALIAS and ANAME records are non-standard record types supported by some DNS providers that behave like a CNAME but can be used at the zone apex. The DNS provider resolves the target and returns the resulting A/AAAA records directly.

example.com.    300    IN    ALIAS    loadbalancer.provider.com.

Not universally supported and not part of the official DNS specification, but widely used in practice to solve the "CNAME at apex" problem.

SSHFP Record

SSHFP records store the fingerprint of an SSH server's public key. SSH clients can verify the server's key against DNS instead of relying on the user to manually verify the fingerprint on first connection.

server.example.com.    300    IN    SSHFP    4 2 abc123...

Requires DNSSEC to be useful; without it, an attacker who can forge DNS responses could also forge the SSHFP record.

TLSA Record

TLSA records are used with DANE (DNS-based Authentication of Named Entities) to associate TLS certificates with domain names via DNS rather than relying solely on Certificate Authorities.

_443._tcp.example.com.    300    IN    TLSA    3 1 1 abc123...

Like SSHFP, TLSA depends on DNSSEC for its security model.

HINFO Record

HINFO records are an older record type that stores host information (CPU type and operating system). Rarely used today because exposing this information is a security concern, but you'll still encounter them in legacy zones.

What to Monitor

Every record type in this guide can be modified. Unauthorized changes to any of them can cause problems ranging from minor (broken subdomain) to severe (email interception, traffic hijacking, certificate misissuance).

The records that matter most for DNS monitoring: A, AAAA, MX, NS, TXT (SPF/DKIM/DMARC), CAA, DS, and DNSKEY. A change to any of these without a corresponding change request is worth investigating immediately.

Ready to protect your DNS?

Start your free trial today and get full access to all monitoring features.

Start Trial View Pricing