For most people, a single A record is enough to point a domain at a site (see Connecting). This page is for when you’re setting up email, subdomains, or special records. DNS records are edited in the bot: My Domains → domain → DNS settings. There you can add and delete records of types A, CNAME, AAAA, MX, TXT, SRV.

Record types

| Type | What it’s for | Common mistake |
|------|---------------|----------------|
| A | name → IPv4 | IPv6 in an A field; spaces |
| AAAA | name → IPv6 | |
| CNAME | alias to another name | IP instead of a name; CNAME on the root; CNAME alongside A/MX/TXT |
| MX | mail servers | no priority; IP instead of a name |
| TXT | SPF, DKIM, DMARC, verifications | stray quotes; two SPF records |
| SRV | host + service port | forgotten _; IP instead of a name |

A CNAME on the domain root is forbidden by the standard. Workarounds: CNAME flattening in Cloudflare (you add a CNAME on the root and it automatically becomes an A), ALIAS/ANAME, a direct A record, or an HTTP redirect from the root to www.

Record name: root and subdomain

  • Root (example.com) — the name field is @ or empty.
  • Subdomain (blog.example.com) — you write only blog. Common mistake: entering the full blog.example.com → the record becomes blog.example.com.example.com and doesn’t work.

Proxying: orange cloud vs grey

Lumi domains run on Cloudflare, so every A/AAAA/CNAME record has a proxy toggle.
  • Proxied (orange cloud) — traffic goes through Cloudflare: your real IP is hidden, and SSL, caching, and DDoS protection are on. Use this for websites.
  • DNS only (grey cloud) — Cloudflare just hands out your IP without touching the traffic. Needed for records that can’t be proxied: email (MX and the host it points to), FTP, SSH, game servers, any non-HTTP/HTTPS service.
An MX record is never proxied. If your email points to an A record on your domain (e.g. mail.example.com), switch that A record to DNS only, or mail won’t be delivered.

TTL and propagation

TTL is how long a record is cached, in seconds. The standard value is 3600; use 300 for migrations and 86400 for stable records. Before changing an IP or MX, drop the TTL to 300 seconds 24–48 hours ahead, so that the new value spreads in minutes.
For proxied (orange) records, Cloudflare sets the TTL to Auto and ignores any manual value — your real IP is hidden behind its addresses anyway. TTL controls propagation only for grey records.
Check it worldwide: whatsmydns.net, dnschecker.org. From the console: dig example.com A, dig @1.1.1.1 example.com A (bypassing the local cache).

Email: SPF, DKIM, DMARC

  • SPF: a TXT record on the root: v=spf1 <mechanisms> ~all. Only one record with v=spf1 is allowed on a domain (otherwise permerror); multiple services are combined via include:. The limit is no more than 10 DNS lookups.
  • DKIM: a digital signature for emails. Your mail service issues a “selector” and a TXT string (v=DKIM1; k=rsa; p=...). Record name: <selector>._domainkey.
  • DMARC: a TXT record on _dmarc: v=DMARC1; p=none; rua=mailto:[email protected]. Tighten it in stages: p=none (at least a month) → quarantine → reject. Don’t set p=reject right away, or you risk blocking your own email.
  • Reverse record (PTR): IP → name. It lives with the owner of the IP block and can’t be set through a domain’s DNS records. For email on your domain, use a mail service (see Email), where reverse records are already configured.
Moving to a different DNS provider? Turn off DNSSEC first, wait out the TTL, and only then change the NS — otherwise the domain will stop opening. More in Connecting to a site.
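
The mistakes named on this page (a CNAME on the root or alongside other records, an IP in an MX, a full name in the name field, a proxied mail host, two SPF records, more than 10 SPF lookups) can be checked before the records are saved. The linter below is an added example, not Lumi's own code; the zone data, the tuple layout and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample zone for example.com: (type, name field, value, proxied).
ZONE = [
    ("A", "@", "203.0.113.10", True),
    ("CNAME", "@", "sites.example.net", True),        # CNAME on the root
    ("A", "mail", "203.0.113.25", True),              # mail host left proxied
    ("MX", "@", "mail.example.com", False),
    ("MX", "@", "203.0.113.25", False),               # IP instead of a name
    ("A", "blog.example.com", "203.0.113.10", True),  # full name in the name field
    ("TXT", "@", "v=spf1 include:_spf.example.net ~all", False),
    ("TXT", "@", "v=spf1 include:mail.example.org ~all", False),  # second SPF
]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def spf_lookups(record):
    """Count lookup-causing terms in one SPF string (nested includes are not followed)."""
    terms = [t.lstrip("+-~?") for t in record.lower().split()[1:]]
    return sum(t.startswith(("include:", "exists:", "redirect="))
               or t.split(":")[0].split("/")[0] in ("a", "mx", "ptr") for t in terms)

def lint(zone, domain="example.com"):
    findings, types_at, proxied_hosts = [], {}, set()
    for rtype, name, value, proxied in zone:
        root = name in ("@", "")
        types_at.setdefault("@" if root else name, []).append(rtype)
        if proxied and rtype in ("A", "AAAA", "CNAME"):
            proxied_hosts.add(domain if root else f"{name}.{domain}")
        if name == domain or name.endswith("." + domain):
            findings.append(f"name '{name}' becomes {name}.{domain}")
        if rtype in ("CNAME", "MX") and is_ip(value):
            findings.append(f"{rtype} {name}: IP instead of a name")
        if rtype == "CNAME" and root:
            findings.append("CNAME on the root")
    findings += [f"MX target {v} is proxied; switch it to DNS only"
                 for t, _, v, _ in zone if t == "MX" and v.rstrip(".").lower() in proxied_hosts]
    findings += [f"{n}: CNAME alongside other records"
                 for n, ts in types_at.items() if "CNAME" in ts and len(ts) > 1]
    spf = [v for t, n, v, _ in zone
           if t == "TXT" and n in ("@", "") and v.lower().startswith("v=spf1")]
    if len(spf) > 1:
        findings.append(f"{len(spf)} v=spf1 records on the root (permerror)")
    findings += [f"SPF needs {spf_lookups(r)} lookups (limit 10)" for r in spf if spf_lookups(r) > 10]
    return findings
```

Calling `lint(ZONE)` returns one finding per mistake marked in the sample zone. The lookup count covers only the terms in the record itself, so a record that passes here can still exceed the limit through nested includes.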

Record not working?

A diagnostic checklist for DNS and takedowns.