# DNS records

> Record types, proxying, TTL, SPF/DKIM/DMARC

For most people, a single A record is enough to point a domain at a site (see [Connecting](/en/domains/connect)). This page is for when you're setting up email, subdomains, or special records.

DNS records are edited in the bot: **My Domains** → domain → **DNS settings**. There you can add and delete records of types **A, CNAME, AAAA, MX, TXT, SRV**.

## Record types

| Type      | What it's for                   | Common mistake                                                    |
| --------- | ------------------------------- | ----------------------------------------------------------------- |
| **A**     | name → IPv4                     | IPv6 in an A field; spaces                                        |
| **AAAA**  | name → IPv6                     | —                                                                 |
| **CNAME** | alias to another name           | IP instead of a name; CNAME on the root; CNAME alongside A/MX/TXT |
| **MX**    | mail servers                    | no priority; IP instead of a name                                 |
| **TXT**   | SPF, DKIM, DMARC, verifications | stray quotes; two SPF records                                     |
| **SRV**   | host + service port             | forgotten `_`; IP instead of a name                               |

<Warning>
  **A CNAME on the domain root is forbidden by the standard.** Workarounds: CNAME flattening in Cloudflare (you add a CNAME on the root and it automatically becomes an A), ALIAS/ANAME, a direct A record, or an HTTP redirect from the root to `www`.
</Warning>

## Record name: root and subdomain

* **Root** (`example.com`) — the name field is `@` or empty.
* **Subdomain** (`blog.example.com`) — you write only `blog`. **Common mistake: entering the full `blog.example.com` → the record becomes `blog.example.com.example.com` and doesn't work.**

## Proxying: orange cloud vs grey

Lumi domains run on Cloudflare, so every A/AAAA/CNAME record has a proxy toggle.

* **Proxied (orange cloud)** — traffic goes through Cloudflare: your real IP is hidden, and SSL, caching, and DDoS protection are on. Use this for websites.
* **DNS only (grey cloud)** — Cloudflare just hands out your IP without touching the traffic. Needed for records that can't be proxied: email (MX and the host it points to), FTP, SSH, game servers, any non-HTTP/HTTPS service.

<Note>
  An MX record is never proxied. If your email points to an A record on your domain (e.g. `mail.example.com`), switch **that** A record to **DNS only**, or mail won't be delivered.
</Note>

## TTL and propagation

TTL is how long a record is cached, in seconds. Typical values are `3600` as the standard, `300` for migrations, and `86400` for stable records. Before changing an IP or MX, drop the TTL to `300` 24–48 hours ahead, so that the new value then spreads in minutes.

<Note>
  For proxied (orange) records, Cloudflare sets the TTL to `Auto` and ignores any manual value — your real IP is hidden behind its addresses anyway. TTL controls propagation only for grey records.
</Note>

Check propagation worldwide: [whatsmydns.net](https://www.whatsmydns.net/), [dnschecker.org](https://dnschecker.org/). From the console: `dig example.com A`, or `dig @1.1.1.1 example.com A` to bypass the local cache.

## Email: SPF, DKIM, DMARC

<AccordionGroup>
  <Accordion title="SPF" icon="signature">
    A TXT record on the root: `v=spf1 <mechanisms> ~all`. Only **one** record with `v=spf1` is allowed on a domain (otherwise `permerror`); multiple services are combined via `include:`. Evaluating the record may take no more than 10 DNS lookups.
  </Accordion>

  <Accordion title="DKIM" icon="key">
    A digital signature for emails. Your mail service issues a "selector" and a TXT string (`v=DKIM1; k=rsa; p=...`). Record name: `<selector>._domainkey`.
  </Accordion>

  <Accordion title="DMARC" icon="shield-halved">
    A TXT record on `_dmarc`: `v=DMARC1; p=none; rua=mailto:postmaster@example.com`. Tighten it in stages: `p=none` (at least a month) → `quarantine` → `reject`. **Don't set `p=reject` right away** — you risk blocking your own email.
  </Accordion>

  <Accordion title="PTR (reverse record)" icon="arrows-rotate">
    IP → name, lives with the owner of the IP block and can't be set through a domain's DNS records. For email on your domain, use a mail service (see [Email](/en/domains/email)) — reverse records are already configured there.
  </Accordion>
</AccordionGroup>
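
An offline check of the SPF and DMARC rules above (exactly one `v=spf1` record, no more than 10 DNS lookups, staged DMARC policy), added here as an example and not part of Lumi's tooling. The TXT data is constructed, and the function names `spf_records`, `spf_lookups` and `lint` are assumptions.

```python
import re

# Constructed sample zone data: name -> TXT strings, as a resolver would return them.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.mail.example include:_spf.crm.example mx ~all",
                    "site-verification=constructed-token"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example ip4:198.51.100.0/24 ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:postmaster@example.com"],
}

def spf_records(txt, name):
    """TXT strings at `name` whose first term is the SPF version tag."""
    return [r for r in txt.get(name, []) if (r.lower().split() or [""])[0] == "v=spf1"]

def spf_lookups(txt, name, path=()):
    """Count terms that cost a DNS lookup (RFC 7208 section 4.6.4), following includes."""
    records = spf_records(txt, name)
    if len(records) != 1 or name in path:  # missing, ambiguous, or an include loop
        return 0
    count = 0
    for term in records[0].lower().split()[1:]:
        mech, target = re.match(r"[+\-~?]?([a-z0-9]*)[:=]?([^/]*)", term).groups()
        if mech in ("a", "mx", "ptr", "exists"):
            count += 1
        elif mech in ("include", "redirect"):
            count += 1 + spf_lookups(txt, target, path + (name,))
    return count

def lint(txt, domain):
    """Return findings for the SPF and DMARC rules described above."""
    findings = []
    spf = spf_records(txt, domain)
    if len(spf) != 1:
        findings.append(f"SPF: {len(spf)} v=spf1 records on {domain}, exactly one is required")
    elif (n := spf_lookups(txt, domain)) > 10:
        findings.append(f"SPF: {n} DNS lookups, the limit is 10")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: {len(dmarc)} v=DMARC1 records on _dmarc.{domain}")
    else:
        tags = {k.strip().lower(): v.strip().lower()
                for k, _, v in (t.partition("=") for t in dmarc[0].split(";"))}
        if tags.get("p") == "none":
            findings.append("DMARC: p=none is the monitoring stage, quarantine comes next")
        elif tags.get("p") not in ("quarantine", "reject"):
            findings.append("DMARC: p is missing or not none/quarantine/reject")
    return findings
```

Nested `include:` targets count toward the same budget, which is why a record with only three visible mechanisms can still come close to the limit.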

Moving to a different DNS provider? Turn off DNSSEC first, wait out the TTL, and only then change the NS records; otherwise the domain will stop resolving. More in [Connecting to a site](/en/domains/connect).

<Card title="Record not working?" icon="triangle-exclamation" href="/en/domains/troubleshooting">
  A diagnostic checklist for DNS and takedowns.
</Card>
