For a domain to work it needs DNS (the Domain Name System), which is what tells the world which IP address corresponds to each service the domain offers.
If you use the DNS of your web hosting provider (which usually has its own control panel or uses cPanel, Plesk or similar) it will already create everything for you, but it doesn't hurt to understand what it does.
Choose the provider
Just as there is a company where we register a domain, the company that manages its DNS can be the same one or a different one. There are some free providers that can be useful if you do not have this service.
- 1984: Although they focus on hosting, they offer their Free DNS service to any user.
- BuddyNS: Although they only allow 300K requests/month, that is more than enough for a small site, and they have a good distributed infrastructure.
- ClouDNS: Although the free tier is limited, it is another well-known distributed option.
- Cloudflare: They offer several services, and it seems that right now they handle about 40% of the DNS management in the world.
- FreeDNS: One of those services that the community makes available to everyone, and it is kept up to date.
- Geoscaling: The interesting thing about this service is that it lets you serve different records depending on where the user's query comes from. If a user is in America, you send them to a server in the US; if they are in Europe, to one in DE, and so on.
- Hurricane Electric Free DNS: Personally the one I like the most and the one I use. It is visually ugly, but functional, and if you know about DNS it lets you do pretty much everything. They have also just added support for AAC and they offer a dynamic DNS service. They offer 50 free zones.
- Namecheap FreeDNS: Although they focus on registering domains, you can use their DNS service for free even if the domain is not registered with them.
- NS1: It looks good, and their paid service looks very interesting. They offer 50 free records with 500K free queries.
- Rackspace: The service is free simply for signing up with them. They run standard BIND9 in anycast mode.
Setting up the domain
When you sign up with any provider (your hosting company, or any provider like the ones above) you will be given at least two NS name servers. They are the famous ns1.example.com and ns2.example.com, although they can actually be any hostname, and a provider may give you up to five of them.
These NS are the ones you have to configure for your domain (or delegated subdomain) at the registrar. From that point on, whenever someone queries your domain, the requests are answered as configured at the provider.
At this point the zone will look like this (written here in standard zone-file notation: name, TTL, class, type, data):
example.com.  86400  IN  SOA  ns1.example.net. dnsmaster.example.net. 2019073102 86400 7200 3600000 86400
example.com.  86400  IN  NS   ns1.example.net.
example.com.  86400  IN  NS   ns2.example.net.
The SOA record is generated by the provider (its fields are the primary name server, the responsible mailbox with the @ replaced by a dot, the serial number, and the refresh, retry, expire and negative-cache TTLs), and the NS records are the same ones you will have to set for your domain at the registrar. Note the trailing dot after each hostname: in a zone file a name without it is relative to the zone, so ns1.example.net would silently become ns1.example.net.example.com.
What does my WordPress need?
We are going to assume that our WordPress lives at
www.example.com. We also want the redirect to the
The minimum necessary to make the website work is an A record (and an AAAA record if you have IPv6) for both names:
example.com.      3600  IN  A  198.51.100.20
www.example.com.  3600  IN  A  198.51.100.20
If your provider also gives you IPv6, you can publish the same names with AAAA records:
example.com.      3600  IN  AAAA  2001:db8::20
www.example.com.  3600  IN  AAAA  2001:db8::20
My provider puts a CNAME on the www
A CNAME is an alias. This means that if you do something like this:
example.com.      3600  IN  A      198.51.100.20
www.example.com.  3600  IN  CNAME  example.com.
what you are saying is that, when www is queried, the answer is that www is an alias of example.com, and the resolver then has to obtain the A record of example.com to get the IP address. If both names live in the same zone, the authoritative server usually includes the target's A record in the same answer; but when the CNAME points to a name in another zone the resolver must make a second lookup instead of one, and that extra round trip is time, which means Core Web Vitals will give worse results.
Your domain should always have an A record
Another golden rule, which has evolved over time but on which many validation services (mail services, for example) still rely, is that the bare domain (without subdomains) has an A record that resolves to an IP address. Indirectly, this indicates that the domain is functional. Also, the bare domain can have A records but not a CNAME. Why? Because the DNS standard (RFC 1034) does not allow a CNAME to coexist with any other record at the same name, and the zone apex always carries the SOA and NS records.
Might I need more DNS records for WordPress?
In principle, this is enough. Of course, from here a world of possibilities opens up.
Validation in Webmaster Tools
One of the best ways to verify a site in Google Search Console, Bing Webmaster Tools or Yandex Webmaster is through DNS. In these cases they usually give you two verification options: one through a TXT record, and another through a CNAME.
For example, Google will ask you to create a record similar to this:
example.com.  86400  IN  TXT  "google-site-verification=VACXsfhn2ZMUB9QS2BpPtNqHYLN9qrAUaxyW"
Bing will ask you for a CNAME on a subdomain:
xnqzj8ky2j2xnf2nxxmn29a5.example.com.  86400  IN  CNAME  verify.bing.com.
And Yandex will ask you for something similar to Google's:
example.com.  86400  IN  TXT  "yandex-verification: 4g7ye3mxtqyfrf62"
What the Bing CNAME does is that, if someone queries the subdomain they give you, it resolves to a Bing-controlled name and from there to a Bing IP; only whoever controls the zone can create that record, which is what proves ownership.
TXT records, as you might guess, are text records. Each one is made of one or more strings of up to 255 bytes (longer values are split into several strings that the reader concatenates), and verification values usually begin with a keyword such as
yandex-verification, followed by a unique token.
I want email
The DNS records for email have to be given to you by your mail provider. If you use shared hosting, they usually come already configured. If you use a service like Google Workspace or similar, they will tell you which records to add.
Still, there are some very basic elements for mail to work. The minimum is one or more MX records. Let's use as an example the ones Google asks you to set (the number after MX is the priority; lower is preferred):
example.com.  86400  IN  MX  10  aspmx.l.google.com.
example.com.  86400  IN  MX  20  alt1.aspmx.l.google.com.
example.com.  86400  IN  MX  20
With these records we are telling anyone who wants to send us an email that the inbox is on Google's servers.
Validate who sends my email
This would be enough, but we don't want spam or phishing sent in our name, do we? With a few additions we can reduce that.
The first is SPF. An SPF record declares which machines are allowed to send mail on behalf of the domain; receivers check the connecting IP against it using the domain of the envelope sender (MAIL FROM). As a general rule there will be two sources sending mail on our behalf. The first is Google, because that is where we receive our mail and from where we reply. The second is our own WordPress, which from time to time sends messages to us or to users.
example.com.  86400  IN  TXT  "v=spf1 ip4:198.51.100.20 include:_spf.google.com -all"
Here we indicate that mail may be sent from the IP where we host our website (
ip4:198.51.100.20) or from any of the dozens of IPs Google sends from. For the latter we delegate to Google with an include mechanism (
include:_spf.google.com); that name carries Google's own list of IPs. Keep in mind that every include (as well as a, mx, exists and redirect) counts toward SPF's limit of 10 DNS lookups per evaluation; go past it and receivers return permerror and ignore the record.
With this, whoever receives a message from an IP that is not in the list gets a hard fail (-all); what they do with it depends on their own policy, typically rejecting it or flagging it as suspicious, because it was not sent from an authorized place. If you would rather have receivers only treat such mail as suspect while you are still discovering every system that sends for you, use ~all (softfail) instead.
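To see what a receiver actually does with that record, here is an added example (not code from the original post, and not any real mail server's implementation) that evaluates a sending IP against an SPF record the way RFC 7208 describes, limited to the ip4, ip6, include and all terms used above. The records it consults, including the two Google names, are constructed stand-ins held in a dictionary so the script runs without DNS; their netblocks are documentation prefixes, not Google's real ranges. It also enforces the 10-lookup limit and shows what the -all and ~all qualifiers return.

```python
"""SPF evaluation over constructed records (added example, not part of the original post).

Assumptions: this is a subset of RFC 7208 (ip4, ip6, include, all); a, mx, exists and
redirect would need real DNS and are reported as permerror. Records come from FAKE_TXT
instead of DNS so the script runs offline.
"""
import ipaddress

# Constructed records: example.com is the page's record; the Google names are simplified
# stand-ins using documentation prefixes, not Google's real netblocks.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.20 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:ffff::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}

MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for 'fetch the TXT records and keep the one that starts with v=spf1'."""
    record = FAKE_TXT.get(domain.lower().rstrip("."))
    return record if record and record.split()[0] == "v=spf1" else None


def check_host(ip, domain, _counter=None):
    """Return pass / fail / softfail / neutral / none / permerror for `ip` sending as `domain`."""
    counter = _counter if _counter is not None else {"lookups": 0}
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == network.version and addr in network
        elif mechanism == "include":
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"            # too many DNS-querying terms
            inner = check_host(ip, argument, counter)
            if inner in ("none", "permerror"):
                return "permerror"            # RFC 7208 section 5.2
            matched = inner == "pass"         # fail/softfail/neutral simply do not match
        else:
            return "permerror"                # a, mx, exists, redirect, macros: not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # ran off the end of the record without a match


if __name__ == "__main__":
    for sender in ("198.51.100.20", "203.0.113.7", "2001:db8:ffff::1", "192.0.2.1"):
        print(sender, "->", check_host(sender, "example.com"))
```

The website IP and anything inside the constructed Google ranges pass; any other IP hits -all and fails, while the same IP tested against the Google record alone only softfails because that record ends in ~all. The self-including record shows the lookup limit turning a misconfigured record into permerror rather than an endless chase.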
Sign my email
Another problem mail can have is that someone intercepts it and modifies it, or simply forges it. To let the receiver verify that a message really comes from us and has not been manipulated in transit, we sign it. We achieve this with DKIM. Note that DKIM is a digital signature, not encryption: the content stays readable; what DKIM protects is the integrity and origin of the message.
Mail providers usually generate a key, or give you somewhere to generate it. Continuing with Google, the admin panel lets us generate a key, and the record to publish will look similar to this:
google._domainkey.example.com.  86400  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjApp7LacTh6CG8nEjjpQIDAQAB"
If someone modifies a signed message (or the signing key does not match the published one), the receiver's DKIM check fails and it may treat the message as tampered with. One practical caveat: a 2048-bit key produces a p= value longer than 255 bytes, so the TXT record has to be published as several quoted strings; most control panels split it for you, but in a raw zone file you must do it yourself.
Force the policies to be enforced
Although most systems already check SPF and DKIM, by themselves those checks do not tell the receiver what to do on failure, nor do they tie the authenticated domain to the From: address the user actually sees. That is what DMARC adds: it requires SPF or DKIM to pass with a domain aligned to the From: domain, and publishes the policy to apply otherwise.
If we want the rules enforced in full, we add this record:
_dmarc.example.com.  86400  IN  TXT  "v=DMARC1; p=reject; pct=100; aspf=s; adkim=s;"
With this we tell receivers to reject mail that does not comply (
p=reject), to apply that to 100% of failing mail (
pct=100), to require strict SPF alignment (
aspf=s), and to require strict DKIM alignment (adkim=s). Strict means the authenticated domain must be exactly example.com; the default, relaxed (r), also accepts subdomains such as mail.example.com. Two practical notes: this record has no rua= tag, so you will receive no aggregate reports telling you who is failing; and it is wiser to start with p=none, read the reports, and only then move to quarantine and finally reject.
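To make the alignment and policy rules concrete, here is an added example (not from the original post, and not any real receiver's implementation) that applies a DMARC record to the results of SPF and DKIM the way a receiver would. It assumes the SPF and DKIM checks have already been run and takes their results and authenticated domains as input; the DMARC records are constructed and held in a dictionary instead of being fetched from DNS, and the organizational domain is approximated as the last two labels (a real implementation uses the Public Suffix List).

```python
"""DMARC evaluation over constructed inputs (added example, not from the original post).

Assumptions: SPF and DKIM were already checked and we only receive their results and the
domains they authenticated; records come from FAKE_DMARC instead of DNS; the organizational
domain is approximated as the last two labels. Subset of RFC 7489: p, pct, aspf, adkim.
"""
import random

# Constructed records: the first is the page's record, the second a relaxed, half-rolled-out policy.
FAKE_DMARC = {
    "example.com": "v=DMARC1; p=reject; pct=100; aspf=s; adkim=s;",
    "relaxed.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@relaxed.example",
}
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Split 'tag=value;' pairs and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(name):
    """Approximation of the organizational domain (real code consults the Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict (s): identical domains. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, rng=random.random):
    """Return the DMARC result and the action the receiver should take for this message."""
    from_domain = from_domain.lower().rstrip(".")
    # Policy discovery: the From: domain itself, else its organizational domain.
    record = FAKE_DMARC.get(from_domain) or FAKE_DMARC.get(org_domain(from_domain))
    if record is None:
        return {"result": "none", "action": "none"}
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:                       # one aligned pass is enough
        return {"result": "pass", "action": "none", "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    action = tags["p"]
    # pct: the policy applies to that share of failing mail; the rest gets the next weaker policy.
    if int(tags["pct"]) < 100 and rng() * 100 >= int(tags["pct"]):
        action = WEAKER[action]
    return {"result": "fail", "action": action, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # Gmail sending for us: SPF passes for example.com itself, strictly aligned.
    print(evaluate("example.com", "pass", "example.com", "none", None))
    # WordPress sending with a subdomain envelope and no DKIM: strict SPF alignment fails -> reject.
    print(evaluate("example.com", "pass", "mail.example.com", "none", None))
    # A phisher whose own SPF passes for their domain: not aligned -> reject.
    print(evaluate("example.com", "pass", "attacker.example", "fail", "attacker.example"))
```

The second case is the one that bites people who switch to aspf=s: mail from the web server passes SPF for a subdomain but is still rejected, which is exactly why the DKIM signature (d=example.com) matters for WordPress mail. The relaxed record shows pct in action: with pct=50, half of the failing mail is quarantined and the other half falls through to the next weaker policy.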
My logo in the mail
In some services, such as Gmail, some messages show the photo of the person who sent them. But the sender is not always a Gmail user, and sometimes it is not a person at all. For those cases, where we want a default image for our domain, we have BIMI.
default._bimi.example.com.  86400  IN  TXT  "v=BIMI1; l=https://www.example.com/imagen.svg; a=self;"
Keep in mind that BIMI only accepts logos in SVG (specifically the SVG Tiny Portable/Secure profile), and that it only applies to domains whose DMARC policy is at enforcement (p=quarantine or p=reject); many mailbox providers, Gmail among them, additionally require a Verified Mark Certificate before showing the logo.
Validate my Let’s Encrypt TLS certificate
There are many ways to validate a TLS certificate (which is what gives us HTTPS), but if we want an extra level of control, one way to do it is through DNS.
Each provider has its own way of doing it, but if you have to create the records manually, this is the recommended setup.
The first thing is to declare that only Let's Encrypt, and no other certificate authority, may issue certificates for the domain. That is the CAA record:
example.com.  IN  CAA  0 issue "letsencrypt.org"
example.com.  IN  CAA  0 iodef "mailto:email@example.com"
The first record tells every CA that only Let's Encrypt may issue for example.com (and, since CAA is inherited down the tree, for its subdomains unless they publish their own CAA). The second, iodef, gives CAs an address to report certificate requests they refused because they violated this policy; it is not an expiry warning. Two caveats: CAs only consult CAA at issuance time, so it does nothing about certificates that already exist, and the 0 flag means a CA that does not understand a tag may ignore it (128 marks it critical).
The next thing the system may ask is that we publish an identifier proving we control the domain, after which it can issue a valid certificate. This is ACME's DNS-01 challenge: the client gives you a value to publish at _acme-challenge under the name being certified.
_acme-challenge.example.com.  86400  IN  TXT  "hyuLQzJZACnXrW7Cu8DdKLQUS8V78YmBwXg6"
That value is derived by the ACME client from the challenge token and your account key, so it changes with every order; give it a short TTL rather than a day so renewals do not wait on stale caches, and remove it afterwards.
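Both steps can be checked offline. The following added example (not from the original post, nor from Let's Encrypt or any ACME client) does two things: it answers "may this CA issue for this name?" by climbing the name tree the way RFC 8659 specifies, against a constructed zone held in a dictionary (CNAME following, which the resolver does in practice, is not modelled), and it computes the value an ACME client publishes at _acme-challenge for the DNS-01 challenge, which RFC 8555 defines as the base64url SHA-256 of the token joined with the account key's JWK thumbprint. The token and account key in it are made up for the demonstration.

```python
"""CAA issuance check and ACME DNS-01 record value (added example, not from the original post
or from any ACME client).

Assumptions: CAA records come from FAKE_CAA instead of DNS (CNAME following is left to the
resolver and not modelled); DEMO_TOKEN and DEMO_JWK are constructed, not real credentials.
"""
import base64
import hashlib
import json

# Constructed zone: example.com holds the page's two CAA records; the rest show edge cases.
FAKE_CAA = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "iodef", "mailto:email@example.com")],
    "locked.example": [(0, "issue", ";")],                  # empty issuer: nobody may issue
    "wild.example": [(0, "issue", "letsencrypt.org"), (0, "issuewild", "digicert.com")],
    "strict.example": [(128, "futuretag", "whatever")],      # critical flag on an unknown tag
}


def find_caa(name):
    """RFC 8659 section 3: use the CAA RRset of the name, else of its parent, and so on up."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = FAKE_CAA.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, wildcard=False):
    """Would a CA identified by `ca` be allowed to issue for `name` (or *.name if wildcard)?"""
    _, rrset = find_caa(name)
    if not rrset:
        return True                       # no CAA anywhere up the tree: unrestricted
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False                  # critical tag this CA does not understand
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in rrset if t.lower() == tag]
    if wildcard and not relevant:
        relevant = [v for _, t, v in rrset if t.lower() == "issue"]   # issue also governs wildcards
    if not relevant:
        return True                       # e.g. only iodef present: no issuance restriction
    return ca.lower() in {issuer_domain(v) for v in relevant if issuer_domain(v)}


def b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 of the required members only, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token, account_jwk):
    """RFC 8555 section 8.4: the TXT at _acme-challenge.<name> is base64url(SHA-256(token.thumbprint))."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


# Constructed account key and token (not real; "AQAB" is the usual public exponent 65537).
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256)}
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("Let's Encrypt may issue for _acme-challenge.example.com:",
          may_issue("letsencrypt.org", "_acme-challenge.example.com"))
    print("DigiCert may issue for www.example.com:", may_issue("digicert.com", "www.example.com"))
    print('_acme-challenge.example.com. 120 IN TXT "%s"' % dns01_txt_value(DEMO_TOKEN, DEMO_JWK))
```

The climb is what makes the page's two records cover every subdomain that has no CAA of its own, and the wild.example entry shows the rule that trips people up: once an issuewild tag exists, the issue tag no longer applies to wildcard requests. The thumbprint is computed over the required JWK members only, so extra members such as alg do not change the challenge value.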
Finally, if you are the owner of the IP (that is, it is dedicated to you), you should also configure reverse resolution: a PTR record that maps the IP back to a hostname. Mail receivers check that the connecting IP has a PTR and, ideally, that the hostname it returns resolves forward to the same IP (forward-confirmed reverse DNS). Continuing with the IP we configured at the beginning, the usual thing would be something like this.
This record does not go in your zone: you have to ask your provider for it, since the provider owns the IP and therefore the reverse zone.
20.100.51.198.in-addr.arpa.  86400  IN  PTR  server.example.com.
Yes, there are more DNS entries
About this document
This document is governed by the EUPL v1.2 license, published on WP SysAdmin and created by Javier Casares. If you use this content on your website, in your presentation or in any material you distribute, please remember to mention this site or its author, and put the material you create under the EUPL license.