Record types
| Type | What it’s for | Common mistake |
|---|---|---|
| A | name → IPv4 | IPv6 in an A field; spaces |
| AAAA | name → IPv6 | — |
| CNAME | alias to another name | IP instead of a name; CNAME on the root; CNAME alongside A/MX/TXT |
| MX | mail servers | no priority; IP instead of a name |
| TXT | SPF, DKIM, DMARC, verifications | stray quotes; two SPF records |
| SRV | host + service port | forgotten _; IP instead of a name |
Record name: root and subdomain
- Root (`example.com`) — the name field is `@` or empty.
- Subdomain (`blog.example.com`) — you write only `blog`. Common mistake: entering the full `blog.example.com` → the record becomes `blog.example.com.example.com` and doesn’t work.
Proxying: orange cloud vs grey
Lumi domains run on Cloudflare, so every A/AAAA/CNAME record has a proxy toggle.
- Proxied (orange cloud) — traffic goes through Cloudflare: your real IP is hidden, and SSL, caching, and DDoS protection are on. Use this for websites.
- DNS only (grey cloud) — Cloudflare just hands out your IP without touching the traffic. Needed for records that can’t be proxied: email (MX and the host it points to), FTP, SSH, game servers, any non-HTTP/HTTPS service.
An MX record is never proxied. If your email points to an A record on your domain (e.g. `mail.example.com`), switch that A record to DNS only, or mail won’t be delivered.
TTL and propagation
TTL is how long a record is cached, in seconds. The standard is 3600; use 300 for migrations and 86400 for stable records. Before changing an IP or MX, drop the TTL to 300 24–48 hours ahead — then the new value spreads in minutes.
For proxied (orange) records, Cloudflare sets the TTL to Auto and ignores any manual value — your real IP is hidden behind its addresses anyway. TTL controls propagation only for grey records.
To check: `dig example.com A`, `dig @1.1.1.1 example.com A` (bypassing the local cache).
Email: SPF, DKIM, DMARC
SPF
A TXT record on the root: `v=spf1 <mechanisms> ~all`. Only one record with `v=spf1` is allowed on a domain (otherwise `permerror`); multiple services are combined via `include:`. The limit is no more than 10 DNS lookups.
DKIM
A digital signature for emails. Your mail service issues a “selector” and a TXT string (`v=DKIM1; k=rsa; p=...`). Record name: `<selector>._domainkey`.
DMARC
A TXT record on `_dmarc`: `v=DMARC1; p=none; rua=mailto:[email protected]`. Tighten it in stages: `p=none` (at least a month) → `quarantine` → `reject`. Don’t set `p=reject` right away — you risk blocking your own email.
PTR (reverse record)
IP → name, lives with the owner of the IP block and can’t be set through a domain’s DNS records. For email on your domain, use a mail service (see Email) — reverse records are already configured there.
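Several of the mistakes named in the record table, the name rules, the proxy note and the SPF section can be caught mechanically before records are saved. The sketch below is an added example, not part of the original page and not Lumi or Cloudflare tooling; the record dictionary layout, the `lint_records` function and the sample zone are assumptions constructed for illustration, and the 10-lookup SPF limit is not checked because that needs live DNS.

```python
import ipaddress

def ip_version(value):
    """Return 4 or 6 for an IP literal, None for anything else (e.g. a hostname)."""
    try:
        return ipaddress.ip_address(value).version
    except ValueError:
        return None

def lint_records(zone, records):
    """records: dicts with type, name, value; optional priority (MX) and proxied."""
    findings, by_name = [], {}
    for r in records:  # pass 1: expand names the way the name field is interpreted
        if r["name"] == zone or r["name"].endswith("." + zone):
            findings.append(f"full-name: {r['name']} becomes {r['name']}.{zone}")
        full = zone if r["name"] in ("", "@") else f"{r['name']}.{zone}"
        by_name.setdefault(full, []).append(r)
    for full, group in by_name.items():  # pass 2: conflicts between records on one name
        types = {r["type"] for r in group}
        if "CNAME" in types and full == zone:
            findings.append(f"cname-root: {full}")
        if "CNAME" in types and len(group) > 1:
            findings.append(f"cname-conflict: {full} also has {sorted(types - {'CNAME'})}")
        spf = [r for r in group
               if r["type"] == "TXT" and r["value"].strip('"').startswith("v=spf1")]
        if len(spf) > 1:
            findings.append(f"spf-duplicate: {len(spf)} v=spf1 records on {full}")
    for r in records:  # pass 3: per-record value checks
        kind, value = r["type"], r["value"]
        if kind == "A" and ip_version(value) != 4:
            findings.append(f"a-not-ipv4: {value}")
        if kind in ("CNAME", "MX") and ip_version(value):
            findings.append(f"ip-as-name: {kind} -> {value}")
        if kind == "MX" and "priority" not in r:
            findings.append(f"mx-no-priority: {value}")
        if kind == "MX" and any(h.get("proxied") for h in by_name.get(value, [])):
            findings.append(f"mx-host-proxied: {value}")
    return findings

# Constructed sample zone (documentation addresses), containing four of the mistakes.
SAMPLE = [
    {"type": "A", "name": "@", "value": "192.0.2.10", "proxied": True},
    {"type": "A", "name": "mail", "value": "192.0.2.20", "proxied": True},
    {"type": "MX", "name": "@", "value": "mail.example.com", "priority": 10},
    {"type": "TXT", "name": "@", "value": "v=spf1 include:_spf.example.net ~all"},
    {"type": "TXT", "name": "@", "value": "v=spf1 ip4:192.0.2.20 ~all"},
    {"type": "CNAME", "name": "blog.example.com", "value": "192.0.2.30"},
]
```

Calling `lint_records("example.com", SAMPLE)` returns one finding per mistake: the doubled name, the duplicate SPF record, the proxied mail host, and the IP used as a CNAME target.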
Record not working?
A diagnostic checklist for DNS and takedowns.