Records and mail authentication
Less-common DNS records (SRV, CAA, NS delegation, PTR), the lookup-tools toolbelt (dig, nslookup, Resolve-DnsName), and applying SPF, DKIM, and DMARC from a vendor's setup wizard.
Lessons
- 01 ~7 minSRV records
The service-locator record: structure, where helpdesk techs meet them (Teams, SIP, autodiscover), and the format mistakes that break vendor onboardings.
- 02 ~8 minCAA records: who can issue certificates
A small DNS change with a delayed, expensive failure mode. Never publish a CAA without checking what currently issues.
- 03 ~9 minNS delegation and glue records
Handing off a subdomain to a different DNS host, when glue is needed, and why delegation is escalation territory unless from a runbook.
- 04 ~6 minPTR awareness
Reverse DNS is owned by the IP-block holder, not the registrant. Editing PTR at the client's DNS host can't work; the fix is a ticket with the hosting provider.
- 05 ~9 minLookup tools: dig, nslookup, Resolve-DnsName, online
The four ways to query DNS from the helpdesk, and the diagnostic split between authoritative and cached.
- 06 ~7 minYou cannot enumerate a zone
The gotcha that catches every tech once: dig ANY is neutered, AXFR is closed, and there is no public way to dump every record. The calibrated answer when a client says "send me all the records".
- 07 ~7 minWhy email authentication exists
The three records (SPF, DKIM, DMARC) and why none of them alone solves the unauthenticated-email problem SMTP left open.
- 08 ~9 minSPF in DNS
The two firm rules helpdesk techs trip over: only one SPF per domain, and a 10-DNS-lookup limit on evaluation. Both violations silently turn SPF off.
- 09 ~8 minDKIM in DNS
Per-message cryptographic signature, public key in DNS at a selector subdomain. The two forms (TXT or CNAME), and why multi-selector setups matter for key rotation.
- 10 ~9 minDMARC in DNS
The policy layer on top of SPF and DKIM. Adding p=none is helpdesk; ramping to enforcement is design and escalates.
- 11 ~8 minVerifying email auth
The four-step routine to run after any SPF, DKIM, or DMARC change. Catches the four common errors before the client notices.
- Final quiz
Test what you learned. Wrong answers are explained on the spot.