Understanding Your DNS Records
What DNS records SiteWatch monitors, why changes matter, and how to set up SPF and DMARC.
What SiteWatch checks
SiteWatch queries your domain's DNS records and monitors for changes. It checks:
- A / AAAA records: IPv4 and IPv6 addresses your domain points to
- CNAME records: Aliases pointing to another domain
- MX records: Mail servers handling your email
- NS records: Name servers authoritative for your domain
- TXT records: Verification entries, SPF, DKIM, etc.
- SPF record: Email authentication to prevent spoofing
- DMARC record: Email policy that tells receivers what to do with unauthenticated mail
- MX connectivity: Can the mail server be reached on port 25?
SiteWatch takes a snapshot of your records and alerts you when anything changes.
How to read your results
- OK (green): No changes since last check, SPF and DMARC present.
- Warning (amber): DNS records changed, or SPF/DMARC is missing.
A DNS change isn't always a problem — you may have intentionally updated records. But unauthorized changes can mean your domain was hijacked or your DNS provider was compromised.
Common issues and fixes
DNS records changed
SiteWatch shows which record types changed, with added and removed values. Review the changes:
- Expected change? You updated your hosting, added a CDN, or changed email provider. No action needed — the next check will use the new records as baseline.
- Unexpected change? Investigate immediately. Log in to your DNS provider and verify. Unauthorized NS or A record changes could mean your domain has been hijacked.
No SPF record found
SPF (Sender Policy Framework) tells email receivers which servers are allowed to send email for your domain. Without it, anyone can forge emails from your domain.
Add an SPF record:
Create a TXT record on your domain:
Type: TXT
Name: @ (or your domain)
Value: v=spf1 include:_spf.google.com ~all
Adjust the include: for your email provider:
- Google Workspace: include:_spf.google.com
- Microsoft 365: include:spf.protection.outlook.com
- OVH: include:mx.ovh.com
- Mailgun: include:mailgun.org
If you use multiple providers, combine them:
v=spf1 include:_spf.google.com include:mailgun.org ~all
Important: You can only have ONE SPF record per domain. Multiple SPF records will break email delivery.
No DMARC record found
DMARC builds on SPF and DKIM to tell receivers what to do when authentication fails. Without it, your SPF record is advisory only.
Add a DMARC record:
Create a TXT record on _dmarc.yourdomain.com:
Type: TXT
Name: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
The p= policy options:
- none: Monitor only (start here)
- quarantine: Send failures to spam
- reject: Block failures entirely (strictest)
Tip: Start with p=none and monitor the reports for a few weeks before switching to quarantine or reject.
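The SPF and DMARC rules above can be checked mechanically once you have the TXT values for your domain and for _dmarc.yourdomain.com. The following is an added example, not SiteWatch's own code; the function names, finding labels and sample records are assumptions made for illustration.

```python
# Added example, not SiteWatch code. All record values are constructed samples.

def find_spf(apex_txt):
    """Return every TXT value at the domain apex that is an SPF record."""
    return [t for t in apex_txt if (t.strip().lower() + " ").startswith("v=spf1 ")]

def parse_dmarc(value):
    """Split 'v=DMARC1; p=...; rua=...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip().lower()] = val.strip()
    return tags

def audit(apex_txt, dmarc_txt):
    """apex_txt: TXT values at the domain; dmarc_txt: TXT values at _dmarc.<domain>."""
    findings = []
    spf = find_spf(apex_txt)
    if not spf:
        findings.append("spf-missing")
    elif len(spf) > 1:
        findings.append("spf-multiple")  # only ONE SPF record is allowed per domain
    dmarc = [t for t in dmarc_txt if t.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc-missing")
    else:
        policy = parse_dmarc(dmarc[0]).get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("dmarc-invalid-policy")
        elif policy == "none":
            findings.append("dmarc-monitor-only")  # failures are reported, not acted on
    return findings

# Constructed sample record sets: (TXT at domain, TXT at _dmarc.<domain>)
SAMPLES = {
    "combined": (["v=spf1 include:_spf.google.com include:mailgun.org ~all",
                  "example-verification=constructed-token"],
                 ["v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"]),
    "two-spf": (["v=spf1 include:_spf.google.com ~all",
                 "v=spf1 include:mailgun.org ~all"],
                ["v=DMARC1; p=none"]),
    "bare": (["example-verification=constructed-token"], []),
}

if __name__ == "__main__":
    for name, (apex, dmarc) in SAMPLES.items():
        print(name, audit(apex, dmarc) or "OK")
```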
MX not reachable
SiteWatch tries to connect to your primary mail server on port 25. If it fails:
- The mail server may be down
- Port 25 may be blocked by a firewall
- The MX record points to a hostname that doesn't resolve
Check with your email provider or hosting company.
Understanding record types
| Record | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address | 93.184.216.34 |
| AAAA | Maps domain to IPv6 address | 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Alias to another domain | www → example.com |
| MX | Mail server with priority | 10 mail.example.com |
| NS | Authoritative name servers | ns1.provider.com |
| TXT | Arbitrary text (SPF, verification) | v=spf1 include:... |