
Setting up DNS properly: A checklist for a clean start

Not everyone needs to worry about hackers. But everyone benefits from a clean DNS configuration. Here's what you can get right from the start.

Why start clean?

Not every DNS setup is about attacks. Sometimes you just want:

• Your emails not landing in spam
• Your certificate renewing without issues
• To still know in a year why each record exists
• An auditor not raising their eyebrows

A clean DNS configuration is like a tidy desk. No obligation – but it makes everything easier.

The basics: What every domain should have

A/AAAA Record

Points to your server. Sounds obvious, but: If you use a load balancer or CDN, point with a CNAME instead of a fixed IP. Then you don't have to touch DNS when IPs change.

MX Record

Even if you don't (yet) receive emails: Set an MX record. Either to your mail provider or to a null MX (0 .) that explicitly says "this domain doesn't receive mail." That's better than nothing – because "no MX" is interpreted by some systems as "try the A record."

SPF Record

Minimum: v=spf1 -all if you don't send emails. This says: Nobody may send mail from this domain. If you do send mail, list your providers: v=spf1 include:_spf.google.com -all

Important: Only one SPF record per domain. Multiple ones get ignored.

DMARC Record

Minimum: v=DMARC1; p=reject; rua=mailto:dmarc@your-domain.com

This says: Reject mails that fail SPF/DKIM, and send me reports. If you're unsure, start with p=none to observe – but don't forget to switch to reject eventually.

The next level: What's often forgotten

CAA Record

Define which CA may issue certificates for your domain:

example.com. CAA 0 issue "letsencrypt.org"

Costs nothing, takes 30 seconds, and stops any CA other than the one you listed from issuing a valid certificate for your domain. No reason not to do it.

DKIM

If you send emails, set up DKIM. Your mail provider (Google Workspace, Microsoft 365, Amazon SES) gives you the public key – you add it as a TXT record. This lets the recipient verify the mail really came from you and wasn't altered in transit.

Null records for unused subdomains

If you have subdomains that do nothing (staging.example.com, old.example.com): Set explicit SPF and DMARC records there too. Otherwise attackers can use those subdomains for mail spoofing.

Keeping things tidy

Document your records

Write down why each record exists. In a year you'll ask: "What's this TXT record with the cryptic value?" If the answer is "domain verification for a service we no longer use" – delete it.

Clean up regularly

DNS records accumulate. Old verification records, test subdomains, records for services long cancelled. Every unnecessary record is a potential attack surface – or at least confusion.

Use short TTLs only when needed

Default TTL of 3600 (1 hour) or higher makes sense for most records. Short TTLs (60-300 seconds) only for records that change frequently. Why? Short TTLs mean more DNS queries and make changes harder to trace.

The simplest next step

You don't have to do everything at once. But a good first step:

1. Check if you have SPF, DMARC, and CAA set
2. If not: Set them. Takes 10 minutes.
3. Take a screenshot or export your DNS zone
4. In a month: Compare. Did anything change that you didn't expect?
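As an added worked example (not from the article and not Driftguard's code), here is a small Python checker that runs the checklist above against an exported zone: it flags a missing or duplicate SPF record, an SPF that does not end in -all, a DMARC policy still on p=none, a missing MX or CAA at the apex, and subdomains without their own SPF/DMARC. The zone below is constructed sample data in the shape name -> [(type, value)].

```python
import re

# Constructed sample zone export (not from the article): owner name -> [(rrtype, rdata)].
SAMPLE_ZONE = {
    "example.com.": [
        ("A", "192.0.2.10"), ("MX", "0 ."),                  # null MX: domain receives no mail
        ("TXT", "v=spf1 -all"), ("TXT", "v=spf1 include:_spf.google.com -all"),  # two SPF: both ignored
        ("CAA", '0 issue "letsencrypt.org"'),
    ],
    "_dmarc.example.com.": [("TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")],
    "staging.example.com.": [("A", "192.0.2.11")],           # unused subdomain without SPF/DMARC
}

def records(zone, name, rrtype):
    """All rdata strings of one type at one owner name ([] when the name is absent)."""
    return [rdata for t, rdata in zone.get(name, []) if t == rrtype]

def dmarc_policy(txt):
    """Return the p= tag of a DMARC TXT record (lowercased), or None if it has none."""
    m = re.search(r"(?:^|;)\s*p=(\w+)", txt)
    return m.group(1).lower() if m else None

def audit_name(zone, name, is_apex):
    """Checklist for one owner name; returns [(severity, message)]. Subdomains only get SPF/DMARC."""
    out = []
    if is_apex and not records(zone, name, "MX"):
        out.append(("warn", f"{name}: no MX record (use a null MX '0 .' if it never receives mail)"))
    spf = [t for t in records(zone, name, "TXT") if t.lower().startswith("v=spf1")]
    if not spf:
        out.append(("fail", f"{name}: no SPF record (minimum: v=spf1 -all)"))
    elif len(spf) > 1:
        out.append(("fail", f"{name}: {len(spf)} SPF records, receivers will ignore all of them"))
    elif not spf[0].rstrip().endswith("-all"):
        out.append(("warn", f"{name}: SPF does not end with -all"))
    dmarc = [t for t in records(zone, "_dmarc." + name, "TXT") if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        out.append(("fail", f"{name}: no DMARC record at _dmarc.{name}"))
    elif dmarc_policy(dmarc[0]) != "reject":
        out.append(("warn", f"{name}: DMARC policy is p={dmarc_policy(dmarc[0])}, plan the move to p=reject"))
    if is_apex and not records(zone, name, "CAA"):
        out.append(("fail", f"{name}: no CAA record, any CA may issue certificates"))
    return out

def audit_zone(zone, apex):
    """Audit the apex plus every plain subdomain (names with _service labels such as _dmarc are skipped)."""
    out = audit_name(zone, apex, True)
    for name in zone:
        if name != apex and not any(label.startswith("_") for label in name.split(".")):
            out += audit_name(zone, name, False)
    return out
```

Replace SAMPLE_ZONE with your own export and call audit_zone(zone, "your-domain."); on the sample data it reports the duplicate SPF, the p=none DMARC policy, and the staging subdomain's missing SPF and DMARC.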

Or even simpler: Let Driftguard capture the current state and notify you when something changes. Not because you need to fear hackers – but because order feels good.