DNS Record Types Reference
What A, AAAA, MX, TXT, CNAME, NS, SOA, SRV, and CAA records do — and when you'd actually use each one.
The 9 DNS record types you'll actually use
DNS has dozens of record types in the wild — most are obscure or deprecated. These nine cover ~99% of real-world setups.
| Type | What it points to | Common use |
|---|---|---|
| A | IPv4 address | example.com → 192.0.2.1 |
| AAAA | IPv6 address | example.com → 2001:db8::1 |
| CNAME | Another hostname | www.example.com → example.com |
| MX | Mail server | Where email for this domain goes |
| TXT | Arbitrary text | SPF, DKIM, domain verification |
| NS | Name server | Which servers are authoritative for this zone |
| SOA | Zone metadata | One per zone, contains serial and refresh timing |
| SRV | Service location | SIP, XMPP, Microsoft AD service discovery |
| CAA | Cert authority authorization | Limits which CAs can issue certs for the domain |
A vs. AAAA
"A" is for IPv4, "AAAA" (four As, "quad-A") is for IPv6. The names predate IPv6 — the original record type was just A; quad-A reflects the four-times-longer address. A domain can have both, and modern resolvers prefer AAAA when available.
CNAME — what it is and what it isn't
A CNAME makes one hostname an alias for another. Your DNS server returns the target's records when asked.
Critical limitation: CNAMEs cannot coexist with other records at the same name. So you can't have a CNAME at the apex (example.com itself) if you also have MX records there — and you usually do. That's why www.example.com can be a CNAME but example.com can't. Modern DNS providers offer "ALIAS" or "ANAME" records to work around this.
MX records and priority
MX records have a priority number. Lower = higher priority. A typical setup:
| Priority | Mail server |
|---|---|
| 10 | mx1.example.com |
| 20 | mx2.example.com |
| 30 | backup.example.com |
Senders try the server with the lowest priority number first. Multiple records at the same priority round-robin.
TXT records — the workhorse
The most-used record type after A. TXT records hold:
- SPF (Sender Policy Framework) — which servers are allowed to send email for this domain. Looks like v=spf1 include:_spf.google.com ~all.
- DKIM public keys — for cryptographic email signing.
- DMARC policy — what to do when SPF/DKIM fail.
- Domain ownership verification — Google, Microsoft, AWS, etc. all use TXT records for "prove you own this domain."
SOA and NS — the boring but important ones
Every DNS zone has exactly one SOA record. It contains:
- Serial number — incremented on every change. Slaves use this to detect when to re-sync.
- Refresh / retry / expire / minimum TTL — timing controls for how slaves and resolvers cache the zone.
NS records list the name servers authoritative for the zone. The parent zone (e.g., the .com servers) also publishes NS records pointing at the same hosts — this is called "delegation."
CAA — the one most people don't know about
CAA (Certification Authority Authorization) records tell certificate authorities whether they're allowed to issue TLS certs for your domain. If you only use Let's Encrypt, a record like:
example.com. CAA 0 issue "letsencrypt.org"
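...prevents any other CA from issuing a cert for your domain, provided the CA honors CAA (publicly trusted CAs are required to check it before issuing). It is a defense against mis-issuance by a CA you don't use; browsers do not check CAA when validating a certificate.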
