Intermediate

Records and mail authentication

Less-common DNS records (SRV, CAA, NS delegation, PTR), the lookup-tools toolbelt (dig, nslookup, Resolve-DnsName), and applying SPF, DKIM, and DMARC from a vendor's setup wizard.

~99 min total · 11 lessons · Final quiz
11 lessons

Lessons

  1. 01
    SRV records

    The service-locator record: structure, where helpdesk techs meet them (Teams, SIP, autodiscover), and the format mistakes that break vendor onboardings.

  2. 02
    CAA records: who can issue certificates

    A small DNS change with a delayed, expensive failure mode. Never publish a CAA without checking what currently issues.

  3. 03
    NS delegation and glue records

    Handing off a subdomain to a different DNS host, when glue is needed, and why delegation is escalation territory unless from a runbook.

  4. 04
    PTR awareness

    Reverse DNS is owned by the IP-block holder, not the registrant. Editing PTR at the client's DNS host can't work; the fix is a ticket with the hosting provider.

  5. 05
    Lookup tools: dig, nslookup, Resolve-DnsName, online

    The four ways to query DNS from the helpdesk, and the diagnostic split between authoritative and cached.

  6. 06
    You cannot enumerate a zone

    The gotcha that catches every tech once: dig ANY is neutered, AXFR is closed, and there is no public way to dump every record. The calibrated answer when a client says "send me all the records".

  7. 07
    Why email authentication exists

    The three records (SPF, DKIM, DMARC) and why none of them alone solves the unauthenticated-email problem SMTP left open.

  8. 08
    SPF in DNS

    The two firm rules helpdesk techs trip over: only one SPF per domain, and a 10-DNS-lookup limit on evaluation. Both violations silently turn SPF off.

  9. 09
    DKIM in DNS

    Per-message cryptographic signature, public key in DNS at a selector subdomain. The two forms (TXT or CNAME), and why multi-selector setups matter for key rotation.

  10. 10
    DMARC in DNS

    The policy layer on top of SPF and DKIM. Adding p=none is helpdesk; ramping to enforcement is design and escalates.

  11. 11
    Verifying email auth

    The four-step routine to run after any SPF, DKIM, or DMARC change. Catches the four common errors before the client notices.

  12. Final quiz

    Test what you learned. Wrong answers are explained on the spot.