SecurityTrails Blog · Aug 20 2018 · by SecurityTrails team

DNS records and types you didn’t know about

Reading time: 7 minutes

DNS records are an important part of internet. It is from DNS records that DNS servers know which domain is associated with what IP address. To simplify, we can turn to an analogy: your home address has coordinates that helps locate them in GPS. Since nobody can really remember that string of number precisely, you would tell them your street name and number. The same concept exists with domains and IP addresses, domains being street names and numbers, IP addresses being longitude points.

Most people are familiar with the standard DNS records and record types, such as A record, CNAME, MX and TXT records. They are the most famous DNS records that perform actions that have the most everyday use for people.

But, going past the A and CNAME records, we come across an amazingly large list of DNS records and record types you have possibly never even heard of!

We would love to go through the entire list and show you what kind of functions different DNS records have to offer, but because there's so many, we have decided to compile a list of the most interesting and uncommon DNS records and record types whose functions will leave you wondering how you did not use them earlier.

DNS Records


DMARC record, or Domain-based Message Authentication, Reporting and Conformance, is an email validation system that helps you stop email spoofing. It detects and protects you from techniques that are used by those who participate in email phishing.

One of the main ways of email phishing are email that have fake sender addresses, that can appear like they are from legitimate companies and organizations.

So, how does DMARC work?

Sender of the email is authenticated with DKIM and/or SPF. When the receiver receives your email, it can be verified whether you are actually the originator of the email.

Receiver of the email will be able to see when none of the authentications are present, and can automatically be protected from spoofed emails by way of rejection or direct sending of illegitimate emails into the spam folder.

DMARC records are published in DNS. Subdomain label of DMARC is _dmarc.

DMARC is aimed at helping people to stop or reduce phishing, provide authentication platform, stop or reduce false positives, and to be scalable.


SPF, or Sender Privacy Framework, is not only an email validator but also a protocol, designed to detect and block email spoofing – like DMARC.

SPF will provide you with a mechanism of defense: when there's an incoming email, the IP address it was sent from will be verified against that domain's DNS records' list of authorized IP addresses.

Spammers and email phishers are less likely to use a domain that has published its SPF record, because it is most likely those emails will end up in the spam folder.

Also, if an email is SPF protected, it is less likely to be sent to spam folder when sending. This makes it a great option for all companies and organizations to ensure their important emails end up in the right place.

How does SPF work?

There are a couple of mechanisms for defining which IP addresses are allowed to send email from a given domain. Those mechanisms are:

  • a
  • mx
  • ip4
  • ip6
  • exists

When an email is sent, email server compares the IP address from which the email is sent to the IP addresses defined by these mechanisms.


BIMI – Brand Indicators for Message Identification are, just as the name suggests, mechanisms of 'branding' for your emails. This gives the receivers a way to ensure that you are the authentic email sender, and that it is not fraudulent. It has been the industry's favorite way of not only indicating to people that the email is legitimate, but also as a way of marketing; including your logo on emails will put you in front of your consumers and will stay in their minds much longer than a regular email.

It is important to note that BIMI does not include encryption as a part of their mechanisms.

It is very easy to integrate into your system since it does not require new infrastructure from your side.

How does BIMI work?

Brand Indicators for Message Identification is built on the DMARC.

A brand will first need to obtain BIMI certificate.

Owners of a specific domain will need to add BIMI to their DNS records including the URL where the logo file is located.

It is an amazing form of a marketing strategy that builds trust between the organization or company and their customers, puts the logo in a visible place so it will not only prove to the email recipients that it is originally from said company, but will also make the brand logo more recognizable.

DNS Record Types


SSHFP, or Secure Shell Fingerprint record is a type of a DNS record that helps identify SSH keys. They contain fingerprints for public keys that are used for SSH.

SSHFP is most often used with DNSSEC enabled domains. When connecting to a server, the SSH client checks the records fingerprint, and if it matches the servers, it will mark it as safe to connect.

SSHFP record consists of an algorithm, fingerprint type and the fingerprint.

Generating SSHFP records can be done by using ssh-keygen, using -r parameter, and then following that with hostname.


Hip is Host Identity Protocol. It is a type of host identification, and it is used on IP networks.

IP addresses and DNS are separated with HIP.

So, this type of a record uses the Host Identity Protocol and with it, it separates the roles of an IP Address.

When you implement the HIP, everything that happens with IP addresses is taken away and replaced with cryptographic host identifiers.

Host Identity Protocol provides IPsec encryption, and with that it helps with mobility and multihoming.

HIP record is used the most often in mobile computing.


It was possible, when a client sends a question to a DNS server, that a server was able to examine that question using authentication of the source IP address. It is obvious that this was not the best way to go about that question-answer model DNS has.

TSIG, or Transaction Signature, is a mechanism or a computer-networking protocol that is used to authenticate and secure DNS messages and the server – server communication.

It is also an extension to the DNS protocol: with shared secret keys and one-way hashing it provides a cryptographic signature to DNS packets.

The secure exchange of the DNS packets is ensured with the TSIG key, the client and server must both know that key.

TSIG is made out of the secret, a key name, and a signing algorithm.

A thing to note is also what kind transaction does TSIG protect between two DNS servers. It protects zone transfer (it is mostly used in these types of transactions), dynamic updates, notify, recursive query messages, etc.

Final Thoughts

With this overview of some of the uncommon and unusual DNS records and record types, we hope we've helped shed some light on how exactly a website’s DNS works. Realisation of the number and functions of all the records, record types, and mechanisms can be overwhelming, but getting around and understanding the basics and their functions will help guide you further in the world of DNS records: how the record sets are chosen, how they work, and how they can help you in the future.

Deeper dive into DNS records and record types, even historical records is made possible with SecurityTrails API. Get it today and start your research!


Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.