# Domains, Email, and Security

### Understanding Domain and Subdomain

Domain (Main Address)

A domain is like the *main address* of your house on the internet.

* Example: example.com
* It’s what people type in the browser to visit your website.

Think of it like:

* Street name + house number = domain
* It uniquely identifies your website.

Subdomain (Extra Room/Section of the House)

A subdomain is like an *extra section or room* of your house that still belongs to the same main address.

* Example: blog.example.com or shop.example.com
* It helps separate parts of your website into different areas.

Think of it like:

* example.com = your whole house
* blog.example.com = a special room just for your blog
* shop.example.com = another room just for your shop

Domain and Email

* Your domain (example.com) is not just for websites — it’s also used for email addresses.
* Example:
  * Website: example.com
  * Email: <alice@example.com>

So when you send an email, the world sees your domain in the sender address.

Subdomain and Email

* Sometimes companies use subdomains for email traffic.
* Example: news.example.com or mail.example.com
* Why? To separate marketing emails, newsletters, or transactional emails from the main domain so spam problems don’t affect the main one.

### DNS Records

DNS records are like the “instruction manual” for your domain. They tell the internet:

1. Where to send visitors (web server)
2. Where to deliver emails
3. How to check if an email is legitimate
4. Which servers are in charge of your domain

Think of them as the blueprints of your digital house.

### DNS Records for Your Website

A Record (Address Record)

* Purpose: Points your domain name to an IP address (IPv4).
* Example: example.com → 192.0.2.1
* Think of it like saying:\
  “If someone visits example.com, send them to the server at this address.”

AAAA Record (Quad A Record)

* Purpose: Same as A record, but for IPv6 addresses.
* Example: example.com → 2001:db8::1

CNAME Record (Canonical Name Record)

* Purpose: Points one domain or subdomain to another domain name.
* Example: www.example.com → example.com
* Think of it like an alias or nickname.
* “If someone visits www.example.com, just use example.com instead.”

MX Record (Mail Exchange Record)

* Purpose: Tells where to deliver emails for your domain.
* Example: example.com → mail.protection.outlook.com
* Think of it like a postal address for your email.

TXT Record (Text Record)

* Purpose: Stores text data — often used for email security (SPF, DKIM, DMARC) and verification.
* Example: "v=spf1 include:spf.protection.outlook.com -all"
* Think of it like a note on your domain that helps verify ownership or set rules.

NS Record (Name Server Record)

* Purpose: Points to the servers that control your DNS records.
* Example: example.com → ns1.cloudflare.com, ns2.cloudflare.com
* Think of it like: “These are the servers in charge of managing my domain’s instructions.”

PTR Record (Pointer Record)

* Purpose: Reverse of the A record — links an IP address back to a domain.
* Used for email reputation and reverse DNS checks.
* Helps prevent spam.

SRV Record (Service Record)

* Purpose: Defines servers for specific services (like SIP, XMPP, or Microsoft services).
* Example: \_sip.\_tcp.example.com → sipserver.example.com

SOA Record (Start of Authority)

* Purpose: Contains basic info about your domain’s DNS — who manages it, when it was last updated, etc.
* Example: ns1.example.com admin.example.com 2025100601 3600 1800 1209600 86400

Email Security Uses These Records:

| Purpose            | Record Type     | Example                                            |
| ------------------ | --------------- | -------------------------------------------------- |
| Authorize senders  | **TXT (SPF)**   | `"v=spf1 include:spf.protection.outlook.com -all"` |
| Sign emails        | **TXT (DKIM)**  | `"v=DKIM1; k=rsa; p=..."`                          |
| Policy + reporting | **TXT (DMARC)** | `"v=DMARC1; p=reject; rua=mailto:dmarc@..."`       |
| Email server       | **MX**          | `"mail.protection.outlook.com"`                    |

Why you need these: Without them, browsers wouldn’t know where to find your website, and mail servers wouldn’t know where to deliver your email or how to check that it is legitimate.

In short:

* A / AAAA → point to servers
* CNAME → alias/nickname
* MX → email routing
* TXT → security & verification (SPF, DKIM, DMARC)
* NS → who controls DNS
* PTR → reverse lookup
* SRV / SOA → special services & metadata

### Going deeper into the values inside each DNS record that’s used for email security (SPF, DKIM, and DMARC)

#### SPF Record (TXT Record Type)

v=spf1 include:spf.protection.outlook.com -all

Breakdown of Each Value:

| Part                                   | Meaning      | Simple Explanation                                                                |
| -------------------------------------- | ------------ | --------------------------------------------------------------------------------- |
| **v=spf1**                             | Version      | Says “this is an SPF record.” Always starts like this.                            |
| **include:spf.protection.outlook.com** | Include Rule | Means “allow Microsoft (Outlook/Office 365) servers to send email for my domain.” |
| **-all**                               | Policy       | Means “emails from any other server should be rejected.”                          |
| *(optional)* **\~all**                 | SoftFail     | Means “suspicious, but don’t reject — just mark as spam.”                         |
| *(optional)* **+all**                  | Allow All    | Means “anyone can send” → ❌ **Never use this** (dangerous).                       |

```
Real Example (Microsoft 365)
Type: TXT  
Name: @  
Value: v=spf1 include:spf.protection.outlook.com -all

Real Example (Google Workspace)
Type: TXT  
Name: @  
Value: v=spf1 include:_spf.google.com -all

Used by: Office 365, Gmail, SendGrid, Mailchimp, AWS SES, etc.
Almost every domain uses SPF.
```

In simple terms: Only Microsoft servers can send emails for me. Block all others.
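An added example (not from this page or any vendor's tooling): a small Python linter that parses SPF terms like the ones above and reports the weak `all` variants the table warns about, plus the RFC 7208 limit of 10 DNS-lookup terms. It only counts terms in the record itself and does not follow `include:` chains.

```python
# Added example, not from the original page. Mechanisms below cost a DNS
# lookup and count towards RFC 7208's limit of 10 per SPF evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=... or exp=...
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"  # RFC 7208: a mechanism without a qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]  # drop a CIDR suffix such as a/24
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def lint_spf(record):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    terms = parse_spf(record)
    lookups = 0  # direct lookup-causing terms only; includes are not followed
    has_all = False
    for qual, mech, _arg in terms:
        if qual == "modifier":
            if mech == "redirect":
                lookups += 1
            continue
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        if mech == "all":
            has_all = True
            if qual == "+":
                findings.append("+all: any server may send as this domain")
            elif qual == "~":
                findings.append("~all: softfail, failures are marked not rejected")
            elif qual == "?":
                findings.append("?all: neutral, no policy is expressed")
    if not has_all and not any(m == "redirect" for q, m, _ in terms if q == "modifier"):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10")
    return findings
```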

#### DKIM Record (TXT Record Type)

selector1.\_domainkey.example.com\
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8...

Breakdown of Each Value:

| Part            | Meaning    | Simple Explanation                                                                                           |
| --------------- | ---------- | ------------------------------------------------------------------------------------------------------------ |
| **selector1**   | Selector   | A label that identifies which DKIM key is used. (Allows rotation — like key1, key2.)                         |
| **\_domainkey** | Subdomain  | Always present — tells mail servers this record is for DKIM.                                                 |
| **v=DKIM1**     | Version    | Says “this is a DKIM record.”                                                                                |
| **k=rsa**       | Key Type   | Type of encryption key used (RSA is standard).                                                               |
| **p=...**       | Public Key | The “public” part of your domain’s digital signature — used by receivers to verify the email wasn’t changed. |

```
Real Example (Microsoft 365)
Type: TXT  
Name: selector1._domainkey.example.com  
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...

Real Example (Google Workspace)
Type: TXT  
Name: google._domainkey.example.com  
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

Used by: Every secure email system — this is what actually verifies the authenticity of your messages.
```

In simple terms: Here’s my public key. If the email’s signature matches this key, it’s really from me.

#### DMARC Record (TXT Record Type)

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-fails@example.com; pct=100; aspf=s; adkim=s

Breakdown of Each Value:

| Part                       | Meaning          | Simple Explanation                                                                                |
| -------------------------- | ---------------- | ------------------------------------------------------------------------------------------------- |
| **v=DMARC1**               | Version          | Says “this is a DMARC record.”                                                                    |
| **p=reject**               | Policy           | What to do with failed emails: `none` = just monitor; `quarantine` = send to spam; `reject` = block |
| **rua=mailto:...**         | Aggregate Report | Email address to receive summary reports (who is sending from your domain).                       |
| **ruf=mailto:...**         | Forensic Report  | Email address for detailed failure reports (optional).                                            |
| **pct=100**                | Percentage       | Apply policy to X% of messages (100 = all emails).                                                |
| **aspf=s**                 | SPF Alignment    | `s` = strict (must exactly match domain); `r` = relaxed (subdomain allowed).                      |
| **adkim=s**                | DKIM Alignment   | Same idea as aspf — strict or relaxed.                                                            |
| *(optional)* **sp=reject** | Subdomain Policy | Policy for subdomains (can differ from main domain).                                              |

```
Real Example (Strong Policy)
Type: TXT  
Name: _dmarc  
Value: v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; aspf=s; adkim=s

Real Example (Monitoring Only)
Type: TXT  
Name: _dmarc  
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

Used by: Every professional domain — it stops spoofing and gives visibility into who’s trying to impersonate you.
```

In simple terms: If an email fails SPF and DKIM checks, reject it. Send me reports about who’s using my domain.
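An added example (not from this page): a Python evaluator that applies the DMARC tags above (`aspf`/`adkim` alignment, `p`, `sp`, `pct`) to one message and returns whether DMARC passed and which disposition applies. The organizational-domain helper is an assumption for illustration (last two labels); real receivers derive it from the Public Suffix List.

```python
import random

# Added example, not from the original page. org_domain() is a deliberate
# simplification (assumption): production code uses the Public Suffix List.


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment per RFC 7489: s = exact match, r = same org domain."""
    if not auth_domain:
        return False  # that authentication method did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_pass_domain=None,
                   dkim_pass_domain=None, pct_roll=None):
    """Return (dmarc_pass, disposition) for one message.

    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: d= of a DKIM signature that verified, else None.
    pct_roll: sample value 1..100; drawn at random when not given.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"  # one aligned pass is enough for DMARC to pass
    policy = tags.get("p", "none")
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]  # subdomain policy overrides p for subdomains
    pct = int(tags.get("pct", "100"))
    if pct_roll is None:
        pct_roll = random.randint(1, 100)
    if pct_roll > pct:  # outside the sampled share: apply the next-weaker policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy
```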

#### MX Record (Mail Exchange Record)

An MX record is a type of DNS record that tells the internet where to deliver emails for your domain.\
Think of it as the “mailroom address” for your domain.

| Component                | Example                       | Meaning                                                                      |
| ------------------------ | ----------------------------- | ---------------------------------------------------------------------------- |
| **Domain Name**          | `example.com`                 | The domain that receives email.                                              |
| **Mail Server / Target** | `mail.protection.outlook.com` | The server responsible for receiving email.                                  |
| **Priority**             | `0` or `10`                   | Lower numbers are preferred — the server with the lowest priority value is tried first; higher values are fallbacks. |

```
Microsoft 365 Example:
Type: MX  
Name: @  
Value: example-com.mail.protection.outlook.com  
Priority: 0

Google Workspace Example:
Type: MX  
Name: @  
Value: ASPMX.L.GOOGLE.COM  
Priority: 1

Used by: Everyone — you can’t receive emails without MX records.
```

#### BIMI Record

v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem

| Part        | Meaning                   | Simple Explanation                                              |
| ----------- | ------------------------- | --------------------------------------------------------------- |
| **v=BIMI1** | Version                   | Says “this is a BIMI record.”                                   |
| **l=...**   | Logo                      | Link to your brand’s official logo (SVG format).                |
| **a=...**   | Verified Mark Certificate | Confirms the logo is officially yours (like a trademark check). |

In simple terms: This is my verified logo — show it next to my emails.

In short:

Always needed for email security:

* MX – to receive emails
* SPF – to authorize sending servers
* DKIM – to verify message integrity
* DMARC – to control spoofing & get reports

Optional:

* BIMI – to show brand logo
* PTR – for reverse DNS validation

| Purpose                               | Record Type     | Example Name           | Example Value                                                                   | Required?   |
| ------------------------------------- | --------------- | ---------------------- | ------------------------------------------------------------------------------- | ----------- |
| 📬 **Mail Delivery**                  | **MX**          | `@`                    | `example-com.mail.protection.outlook.com`                                       | ✅ Yes       |
| 🧾 **Sender Authorization**           | **TXT (SPF)**   | `@`                    | `v=spf1 include:spf.protection.outlook.com -all`                                | ✅ Yes       |
| 🔐 **Email Signature Verification**   | **TXT (DKIM)**  | `selector1._domainkey` | `v=DKIM1; k=rsa; p=MIIBIj...`                                                   | ✅ Yes       |
| 🛡️ **Spoofing Protection + Reports** | **TXT (DMARC)** | `_dmarc`               | `v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100; aspf=s; adkim=s` | ✅ Yes       |
| 🏢 **Brand Logo (Optional)**          | **TXT (BIMI)**  | `default._bimi`        | `v=BIMI1; l=https://yourlogo.svg; a=https://cert.pem`                           | 🟡 Optional |
| 🔁 **Reverse Lookup (Optional)**      | **PTR**         | (set by ISP)           | Links IP → domain                                                               | 🟡 Optional |

Pro Tip: In production, these records are set in your DNS provider (e.g. Cloudflare, Route 53, GoDaddy) — not your email client. Once they’re live, mail servers worldwide use them automatically to verify and secure your domain.

### Final & Complete DNS Record List

Website & Basic Domain Setup

These make your domain work on the internet.

| Record    | Example                          | Purpose                                                   | Required?             |
| --------- | -------------------------------- | --------------------------------------------------------- | --------------------- |
| **A**     | example.com → 192.0.2.1          | Points domain to an IPv4 address (web server)             | ✅ Yes                 |
| **AAAA**  | example.com → 2001:db8::1        | Points domain to an IPv6 address                          | ✅ Yes (if using IPv6) |
| **CNAME** | www → example.com                | Creates an alias (used for “www”, “api”, etc.)            | ✅ Common              |
| **NS**    | example.com → ns1.cloudflare.com | Defines which DNS servers control your domain             | ✅ Always              |
| **SOA**   | (auto-created)                   | Defines zone authority info (admin email, refresh timers) | ✅ Always              |

Email Delivery & Authentication

These control how mail is delivered and protected.

| Record          | Example                                                           | Purpose                               | Required?                       |
| --------------- | ----------------------------------------------------------------- | ------------------------------------- | ------------------------------- |
| **MX**          | example.com → mail.protection.outlook.com                         | Mail delivery (routes emails)         | ✅ Yes                           |
| **TXT (SPF)**   | v=spf1 include:spf.protection.outlook.com -all                    | Authorizes servers that can send mail | ✅ Yes                           |
| **TXT (DKIM)**  | selector1.\_domainkey → v=DKIM1; p=...                            | Signs emails cryptographically        | ✅ Yes                           |
| **TXT (DMARC)** | \_dmarc → v=DMARC1; p=reject; rua=...                             | Defines what to do if SPF/DKIM fail   | ✅ Yes                           |
| **TXT (BIMI)**  | default.\_bimi → v=BIMI1; l=https://logo.svg                      | Shows brand logo in inbox             | 🟡 Optional                     |
| **PTR**         | 192.0.2.1 → example.com                                           | Reverse DNS (helps spam checks)       | 🟡 Recommended for mail servers |

Security & Verification Records

These protect your domain and validate ownership.

| Record                               | Example                          | Purpose                                                | Required?                       |
| ------------------------------------ | -------------------------------- | ------------------------------------------------------ | ------------------------------- |
| **CAA**                              | 0 issue "letsencrypt.org"        | Restricts who can issue SSL/TLS certificates           | 🟡 Recommended                  |
| **TXT (Verification)**               | google-site-verification=abcd123 | Prove domain ownership to Google, Microsoft, AWS, etc. | ✅ Common                        |
| **DNSSEC (DS, DNSKEY, RRSIG, NSEC)** | Cryptographic keys/signatures    | Protects DNS from tampering                            | 🟡 Optional but strong security |
| **TLSA**                             | \_443.\_tcp.example.com          | Used with DANE for certificate binding                 | 🔹 Rare                         |
| **SSHFP**                            | example.com → SSH fingerprint    | Verifies SSH host authenticity                         | 🔹 Rare                         |
| **CERT**                             | Stores X.509/PGP certs           | Publishes digital certificates                         | 🔹 Rare                         |

Service & Infrastructure Records

These define where specific services live.

| Record           | Example                                         | Purpose                                             | Required?                 |
| ---------------- | ----------------------------------------------- | --------------------------------------------------- | ------------------------- |
| **SRV**          | \_sip.\_tcp.example.com → sipserver.example.com | Defines service ports and hosts (VoIP, Teams, etc.) | 🟡 Common in enterprise   |
| **NAPTR**        | Used with SRV for SIP/ENUM                      | Advanced telecom routing                            | 🔹 Rare                   |
| **LOC**          | 51.5072N 0.1276W                                | Physical location (optional)                        | 🔹 Rare                   |
| **URI**          | \_service.\_proto.example.com                   | Defines URLs for a service                          | 🔹 Experimental           |
| **HINFO**        | "Intel i7" "Linux"                              | System info (discouraged – leaks data)              | ❌ Rare/legacy             |
| **SPF (legacy)** | v=spf1 include:\_spf.google.com -all            | Old record type for SPF (deprecated)                | ❌ Don’t use              |

### Final Tips

1. Always set MX, SPF, DKIM, and DMARC for professional email security.
2. Use CAA to prevent unauthorized SSL certificate issuance.
3. Keep DNSSEC on for high-security domains.
4. Optional: BIMI adds trust for marketing emails.
5. Review records regularly to avoid misconfigurations.
