Domains, Email, and Security
The Complete Beginner’s Guide to Domains, Email, and Security
Understanding Domain and Subdomain
Domain (Main Address)
A domain is like the main address of your house on the internet.
Example: example.com
It’s what people type in the browser to visit your website.
Think of it like:
Street name + house number = domain
It uniquely identifies your website.
Subdomain (Extra Room/Section of the House)
A subdomain is like an extra section or room of your house that still belongs to the same main address.
Example: blog.example.com or shop.example.com
It helps separate parts of your website into different areas.
Think of it like:
example.com = your whole house
blog.example.com = a special room just for your blog
shop.example.com = another room just for your shop
Domain and Email
Your domain (example.com) is not just for websites — it’s also used for email addresses.
Example:
Website: example.com
Email: alice@example.com
So when you send an email, the world sees your domain in the sender address.
Subdomain and Email
Sometimes companies use subdomains for email traffic.
Example: news.example.com or mail.example.com
Why? To separate marketing emails, newsletters, or transactional emails from the main domain so spam problems don’t affect the main one.
DNS Records
DNS records are like the “instruction manual” for your domain. They tell the internet:
Where to send visitors (web server)
Where to deliver emails
How to check if an email is legitimate
Which servers are in charge of your domain
Think of them as the blueprints of your digital house.
DNS Records for Your Website
A Record (Address Record)
Purpose: Points your domain name to an IP address (IPv4).
Example: example.com → 192.0.2.1
Think of it like saying: “If someone visits example.com, send them to the server at this address.”
AAAA Record (Quad A Record)
Purpose: Same as A record, but for IPv6 addresses.
Example: example.com → 2001:db8::1
CNAME Record (Canonical Name Record)
Purpose: Points one domain or subdomain to another domain name.
Example: www.example.com → example.com
Think of it like an alias or nickname.
“If someone visits www.example.com, just use example.com instead.”
MX Record (Mail Exchange Record)
Purpose: Tells where to deliver emails for your domain.
Example: example.com → mail.protection.outlook.com
Think of it like a postal address for your email.
TXT Record (Text Record)
Purpose: Stores text data — often used for email security (SPF, DKIM, DMARC) and verification.
Example: "v=spf1 include:spf.protection.outlook.com -all"
Think of it like a note on your domain that helps verify ownership or set rules.
NS Record (Name Server Record)
Purpose: Points to the servers that control your DNS records.
Example: example.com → ns1.cloudflare.com, ns2.cloudflare.com
Think of it like: “These are the servers in charge of managing my domain’s instructions.”
PTR Record (Pointer Record)
Purpose: Reverse of the A record — links an IP address back to a domain.
Used for email reputation and reverse DNS checks.
Helps prevent spam.
SRV Record (Service Record)
Purpose: Defines servers for specific services (like SIP, XMPP, or Microsoft services).
Example: _sip._tcp.example.com → sipserver.example.com
SOA Record (Start of Authority)
Purpose: Contains basic info about your domain’s DNS — who manages it, when it was last updated, etc.
Example: ns1.example.com admin.example.com 2025100601 3600 1800 1209600 86400
Email Security Uses These Records:
Purpose | Record | Example value
Authorize senders | TXT (SPF) | "v=spf1 include:spf.protection.outlook.com -all"
Sign emails | TXT (DKIM) | "v=DKIM1; k=rsa; p=..."
Policy + reporting | TXT (DMARC) | "v=DMARC1; p=reject; rua=mailto:dmarc@..."
Email server | MX | "mail.protection.outlook.com"
Why you need these: without DNS records, browsers wouldn’t know where to find your website, and mail servers wouldn’t know where to deliver your email or how to check that it is legitimate.
In short:
A / AAAA → point to servers
CNAME → alias/nickname
MX → email routing
TXT → security & verification (SPF, DKIM, DMARC)
NS → who controls DNS
PTR → reverse lookup
SRV / SOA → special services & metadata
Going deeper into the values inside each DNS record used for email security (SPF, DKIM, and DMARC)
SPF Record (TXT Record Type)
v=spf1 include:spf.protection.outlook.com -all
Breakdown of Each Value:
Value | Name | Meaning
v=spf1 | Version | Says “this is an SPF record.” Always starts like this.
include:spf.protection.outlook.com | Include Rule | Means “allow Microsoft (Outlook/Office 365) servers to send email for my domain.”
-all | Policy | Means “emails from any other server should be rejected.”
~all (optional) | SoftFail | Means “suspicious, but don’t reject — just mark as spam.”
+all (optional) | Allow All | Means “anyone can send” → ❌ Never use this (dangerous).
In simple terms: Only Microsoft servers can send emails for me. Block all others.
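As an added example (not code from the original guide), this Python script parses an SPF record like the one above and classifies how strict its final all term is; it accepts only the mechanisms a beginner will meet (include, a, mx, ip4, ip6, all, plus the redirect modifier) and rejects anything else.

```python
import re

# Added example, not code from the original guide: parse an SPF TXT record
# and report which senders it authorizes and how strict its final policy is.

ALL_MEANING = {
    "-": "fail: reject mail from any other server",
    "~": "softfail: accept but mark suspicious",
    "?": "neutral: no opinion",
    "+": "pass: anyone can send (never use)",
}

# Subset of SPF syntax: optional qualifier, then a mechanism.
TERM_RE = re.compile(
    r"^([+\-~?]?)(all|include:\S+|a(?::\S+)?|mx(?::\S+)?|ip4:\S+|ip6:\S+)$", re.I)

def parse_spf(record: str) -> dict:
    """Return the version, the authorized-sender terms and the 'all' qualifier."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    senders, all_qualifier = [], None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            senders.append(term)        # modifier: defer to another domain's record
            continue
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unrecognized SPF term: {term}")
        qualifier = m.group(1) or "+"   # SPF's default qualifier is '+' (pass)
        if m.group(2).lower() == "all":
            all_qualifier = qualifier
        else:
            senders.append(qualifier + m.group(2))
    return {"version": "spf1", "senders": senders, "all": all_qualifier}

def assess_spf(record: str) -> str:
    """Classify the final policy as 'strict', 'soft', 'open' or 'missing'."""
    parsed = parse_spf(record)
    if parsed["all"] is None:
        return "missing"    # no 'all' term: unlisted senders get a neutral result
    return {"-": "strict", "~": "soft", "?": "open", "+": "open"}[parsed["all"]]

if __name__ == "__main__":
    # Constructed sample records, including the dangerous +all case.
    for rec in ("v=spf1 include:spf.protection.outlook.com -all",
                "v=spf1 include:_spf.google.com ~all",
                "v=spf1 +all"):
        p = parse_spf(rec)
        print(rec, "->", assess_spf(rec), "|", ALL_MEANING.get(p["all"], "no all term"))
```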
DKIM Record (TXT Record Type)
selector1._domainkey.example.com v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8...
Breakdown of Each Value:
Value | Name | Meaning
selector1 | Selector | A label that identifies which DKIM key is used. (Allows rotation — like key1, key2.)
_domainkey | Subdomain | Always present — tells mail servers this record is for DKIM.
v=DKIM1 | Version | Says “this is a DKIM record.”
k=rsa | Key Type | Type of cryptographic key used (RSA is standard).
p=... | Public Key | The public half of your domain’s signing key pair; receivers use it to check the signature and verify the email wasn’t changed.
In simple terms: Here’s my public key. If the email’s signature matches this key, it’s really from me.
DMARC Record (TXT Record Type)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-fails@example.com; pct=100; aspf=s; adkim=s
Breakdown of Each Value:
Value | Name | Meaning
v=DMARC1 | Version | Says “this is a DMARC record.”
p=reject | Policy | What to do with failed emails: none = just monitor; quarantine = send to spam; reject = block.
rua=mailto:... | Aggregate Report | Email address to receive summary reports (who is sending from your domain).
ruf=mailto:... | Forensic Report | Email address for detailed failure reports (optional).
pct=100 | Percentage | Apply policy to X% of messages (100 = all emails).
aspf=s | SPF Alignment | s = strict (must exactly match domain); r = relaxed (subdomain allowed).
adkim=s | DKIM Alignment | Same idea as aspf — strict or relaxed.
sp=reject (optional) | Subdomain Policy | Policy for subdomains (can differ from main domain).
In simple terms: If an email fails SPF and DKIM checks, reject it. Send me reports about who’s using my domain.
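To show how the alignment tags above decide a message's fate, here is an added Python example (not code from the original guide) that parses a DMARC record and applies aspf/adkim and p/sp to one message's SPF and DKIM results. It assumes a simplified organizational domain (last two labels) in place of the Public Suffix List, and ignores pct.

```python
# Added example, not code from the original guide: parse a DMARC TXT record
# and apply its aspf/adkim alignment rules to one message's SPF and DKIM
# results. Assumption: org_domain() keeps the last two labels, a simplification
# of the Public Suffix List that real receivers use. pct= is ignored here.

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("a DMARC record needs v=DMARC1 and a p= tag")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain (see assumption above)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_result, action) for one message.

    spf_domain is the MAIL FROM domain that SPF checked; dkim_domain is the d=
    tag of a DKIM signature that verified. DMARC passes if either identifier
    both authenticates and aligns with the visible From: domain.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = tags["p"]
    if from_domain.lower() != org_domain(from_domain):   # mail from a subdomain
        action = tags.get("sp", action)                   # sp= overrides p= if set
    return "fail", action

if __name__ == "__main__":
    rec = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
           "pct=100; aspf=s; adkim=s")
    # Constructed message: From example.com, SPF passed for the MAIL FROM
    # domain news.example.com, no DKIM signature. Strict alignment fails it.
    print(evaluate(rec, "example.com", True, "news.example.com", False, ""))
```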
MX Record (Mail Exchange Record)
An MX record is a type of DNS record that tells the internet where to deliver emails for your domain. Think of it as the “mailroom address” for your domain.
Field | Example | Meaning
Domain Name | example.com | The domain that receives email.
Mail Server / Target | mail.protection.outlook.com | The server responsible for receiving email.
Priority | 0 or 10 | Lower numbers are preferred — servers with lower priority handle mail first.
BIMI Record
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem
Value | Name | Meaning
v=BIMI1 | Version | Says “this is a BIMI record.”
l=... | Logo | Link to your brand’s official logo (SVG format).
a=... | Verified Mark Certificate | Confirms the logo is officially yours (like a trademark check).
In simple terms: This is my verified logo — show it next to my emails.
In short:
Always needed for email security:
MX – to receive emails
SPF – to authorize sending servers
DKIM – to verify message integrity
DMARC – to control spoofing & get reports
Optional:
BIMI – to show brand logo
PTR – for reverse DNS validation
Purpose | Record | Host/Name | Value | Required?
📬 Mail Delivery | MX | @ | example-com.mail.protection.outlook.com | ✅ Yes
🧾 Sender Authorization | TXT (SPF) | @ | v=spf1 include:spf.protection.outlook.com -all | ✅ Yes
🔐 Email Signature Verification | TXT (DKIM) | selector1._domainkey | v=DKIM1; k=rsa; p=MIIBIj... | ✅ Yes
🛡️ Spoofing Protection + Reports | TXT (DMARC) | _dmarc | v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100; aspf=s; adkim=s | ✅ Yes
🏢 Brand Logo (Optional) | TXT (BIMI) | default._bimi | v=BIMI1; l=https://yourlogo.svg; a=https://cert.pem | 🟡 Optional
🔁 Reverse Lookup (Optional) | PTR | (set by ISP) | Links IP → domain | 🟡 Optional
Pro Tip: In production, these records are set in your DNS provider (e.g. Cloudflare, Route 53, GoDaddy) — not your email client. Once they’re live, mail servers worldwide use them automatically to verify and secure your domain.
Final & Complete DNS Record List
Website & Basic Domain Setup
These make your domain work on the internet.
Record | Example | Purpose | Required?
A | example.com → 192.0.2.1 | Points domain to an IPv4 address (web server) | ✅ Yes
AAAA | example.com → 2001:db8::1 | Points domain to an IPv6 address | ✅ Yes (if using IPv6)
CNAME | www → example.com | Creates an alias (used for “www”, “api”, etc.) | ✅ Common
NS | example.com → ns1.cloudflare.com | Defines which DNS servers control your domain | ✅ Always
SOA | (auto-created) | Defines zone authority info (admin email, refresh timers) | ✅ Always
Email Delivery & Authentication
These control how mail is delivered and protected.
Record | Example | Purpose | Required?
MX | example.com → mail.protection.outlook.com | Mail delivery (routes emails) | ✅ Yes
TXT (SPF) | v=spf1 include:spf.protection.outlook.com -all | Authorizes servers that can send mail | ✅ Yes
TXT (DKIM) | selector1._domainkey → v=DKIM1; p=... | Signs emails cryptographically | ✅ Yes
TXT (DMARC) | _dmarc → v=DMARC1; p=reject; rua=... | Defines what to do if SPF/DKIM fail | ✅ Yes
PTR | 192.0.2.1 → example.com | Reverse DNS (helps spam checks) | 🟡 Recommended for mail servers
Security & Verification Records
These protect your domain and validate ownership.
Record | Example | Purpose | Required?
CAA | 0 issue "letsencrypt.org" | Restricts who can issue SSL/TLS certificates | 🟡 Recommended
TXT (Verification) | google-site-verification=abcd123 | Proves domain ownership to Google, Microsoft, AWS, etc. | ✅ Common
DNSSEC (DS, DNSKEY, RRSIG, NSEC) | Cryptographic keys/signatures | Protects DNS from tampering | 🟡 Optional but strong security
TLSA | _443._tcp.example.com | Used with DANE for certificate binding | 🔹 Rare
SSHFP | example.com → SSH fingerprint | Verifies SSH host authenticity | 🔹 Rare
CERT | Stores X.509/PGP certs | Publishes digital certificates | 🔹 Rare
Service & Infrastructure Records
These define where specific services live.
Record | Example | Purpose | Required?
SRV | _sip._tcp.example.com → sipserver.example.com | Defines service ports and hosts (VoIP, Teams, etc.) | 🟡 Common in enterprise
NAPTR | Used with SRV for SIP/ENUM | Advanced telecom routing | 🔹 Rare
LOC | 51.5072N 0.1276W | Physical location (optional) | 🔹 Rare
URI | _service._proto.example.com | Defines URLs for a service | 🔹 Experimental
HINFO | "Intel i7" "Linux" | System info (discouraged – leaks data) | ❌ Rare/legacy
SPF (legacy) | v=spf1 include:_spf.google.com -all | Old record type for SPF (deprecated) | ❌ Don’t use
Final Tips
Always set MX, SPF, DKIM, and DMARC for professional email security.
Use CAA to prevent unauthorized SSL certificate issuance.
Keep DNSSEC on for high-security domains.
Optional: BIMI adds trust for marketing emails.
Review records regularly to avoid misconfigurations.