DNS deep-dive: MX records, CAA, and DNSSEC

Beyond the basic A and CNAME records covered in our DNS records article, four more pieces of DNS matter for production sites: MX (mail routing), CAA (which certificate authorities can issue your SSL certificates), TXT (general-purpose metadata), and DNSSEC (DNS integrity). This article covers each.

MX records: where mail goes

MX records tell the world which server handles mail for your domain. Without an MX record, no one can email you. Each MX has a priority — lower numbers go first; equal priorities load-balance.

Default MX setup on ipxcore

When you add a domain to cPanel, the standard MX configuration is:

yourdomain.com.   MX   0   yourdomain.com.

This routes mail back to your own cPanel server, where Exim handles delivery to local mailboxes.

Using Google Workspace or Microsoft 365 instead

If your website is hosted on ipxcore but your email is at Google Workspace or Microsoft 365, change the MX records:

Google Workspace

yourdomain.com.  MX  1   smtp.google.com.

(Just one record; Google handles everything.)

Microsoft 365

yourdomain.com.  MX  0   yourdomain-com.mail.protection.outlook.com.

Set MX in cPanel

  1. cPanel → Email Routing → pick the domain → choose "Remote Mail Exchanger" (so cPanel doesn't try to deliver locally).
  2. cPanel → Zone Editor → Manage next to the domain.
  3. Click + MX Record.
  4. Enter priority and destination, save.

Multiple MX servers (failover)

For redundancy:

yourdomain.com.  MX  10  primary.mailprovider.com.
yourdomain.com.  MX  20  backup.mailprovider.com.

Sending mail servers try priority 10 first; if it's down, they try 20. Most modern mail providers handle redundancy internally and only need one MX record.

CAA records: which CAs can issue your SSL

A CAA (Certificate Authority Authorization) record tells the world which certificate authorities are allowed to issue SSL certificates for your domain. Without a CAA record, any CA can issue. With CAA, an attacker who tricks a non-listed CA can't mint a certificate.

The standard ipxcore CAA setup

Since AutoSSL on ipxcore uses Sectigo, your CAA should authorize Sectigo:

yourdomain.com.  CAA  0  issue  "sectigo.com"
yourdomain.com.  CAA  0  issuewild  "sectigo.com"
yourdomain.com.  CAA  0  iodef  "mailto:postmaster@yourdomain.com"

The iodef line tells CAs where to email if they receive an authorization request that doesn't match.

Add Let's Encrypt or Cloudflare too

If you're running multiple SSL providers (Cloudflare's edge cert plus AutoSSL on the origin), authorize all of them:

yourdomain.com.  CAA  0  issue  "sectigo.com"
yourdomain.com.  CAA  0  issue  "letsencrypt.org"
yourdomain.com.  CAA  0  issue  "digicert.com"
yourdomain.com.  CAA  0  issue  "pki.goog"

Each line authorizes one CA. CAs not listed are denied.

Add CAA in cPanel

  1. cPanel → Zone Editor → Manage.
  2. Click + CAA Record.
  3. Enter:
    • Tag: issue (or issuewild for wildcards)
    • Value: the CA's domain (e.g., sectigo.com)
    • Flag: 0
  4. Save.
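
How a CA decides whether a CAA set authorizes it, as an added example (not cPanel's or any CA's own code). It follows the RFC 8659 rules for issue, issuewild and tree climbing; the two `.example` zones are constructed, and the critical flag and CNAME handling are left out.

```python
# Constructed data: the Sectigo-only CAA set from this article, keyed by owner name.
ZONE = {
    "yourdomain.com.": [
        (0, "issue", "sectigo.com"),
        (0, "issuewild", "sectigo.com"),
        (0, "iodef", "mailto:postmaster@yourdomain.com"),
    ],
    # Constructed variant: single-name certificates allowed, wildcards forbidden.
    "nowild.example.": [(0, "issue", "sectigo.com"), (0, "issuewild", ";")],
    # Constructed variant: only a reporting address, so nothing restricts issuance.
    "report-only.example.": [(0, "iodef", "mailto:postmaster@report-only.example")],
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root and return the first CAA set found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def issuer(value):
    """Issuer domain name: the text before any ';' parameters ('' means nobody)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, hostname, ca):
    """True if CAA lets `ca` issue for hostname (prefix '*.' for a wildcard)."""
    wildcard = hostname.startswith("*.")
    rrset = relevant_rrset(zone, hostname[2:] if wildcard else hostname)
    issue = [issuer(v) for _, tag, v in rrset if tag == "issue"]
    issuewild = [issuer(v) for _, tag, v in rrset if tag == "issuewild"]
    # For wildcards, issuewild replaces issue when present; otherwise issue applies.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:  # no restricting property, so CAA does not restrict
        return True
    return ca.lower() in applicable
```

A `False` for `sectigo.com` on your own domain is the "CAA blocks AutoSSL" case.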

TXT records: the multipurpose record

TXT records hold arbitrary text. Common uses:

  • SPF: v=spf1 +a +mx ~all
  • DKIM: default._domainkey.yourdomain.com with the public key
  • DMARC: _dmarc.yourdomain.com with policy
  • Domain ownership verification — e.g., Google Workspace verification, Cloudflare onboarding, AWS SES verification

Detail in our email deliverability article.

DNSSEC: DNS integrity

DNSSEC cryptographically signs DNS responses so a downstream resolver can detect tampering. Useful for high-trust environments (banks, payment processors, government). For typical small business sites, it's overkill but doesn't hurt.

Setting up DNSSEC requires both ends

  1. Your DNS provider signs your zone with a key pair (the DNSKEY records).
  2. The DS (Delegation Signer) record from your DNS provider must be uploaded to your domain registrar.
  3. Once both are in place, DNSSEC is active.

On ipxcore's default DNS (all1.dnsroundrobin.net), DNSSEC is not enabled. If you need it, the practical path is to use Cloudflare's DNS (free, supports DNSSEC) and enable it from Cloudflare's dashboard.

TTL strategy

TTL (Time To Live) tells DNS resolvers how long to cache an answer. Trade-offs:

  • Short TTL (300 seconds): changes propagate quickly, but every visitor causes a DNS lookup. Higher load on DNS infrastructure. Use during migrations.
  • Long TTL (86400 seconds = 1 day): low DNS load, fast for repeat visitors, but changes take a day to propagate. Use in steady state.

Recommended: 3600 (1 hour) by default. Lower to 300 two days before any DNS change, raise back after the change settles.

Verify your DNS

$ dig yourdomain.com A +short
$ dig yourdomain.com MX +short
$ dig yourdomain.com TXT +short
$ dig yourdomain.com CAA +short
$ dig yourdomain.com DS +short    # DNSSEC
$ dig yourdomain.com DNSKEY +short # DNSSEC keys

Online checkers:

Common pitfalls

  • MX record points at a CNAME. Some mail servers reject this. MX must point at a hostname that itself has an A record, not a CNAME.
  • Multiple TXT records merging. If you have two SPF records, the result is "no valid SPF" — combine into one.
  • CAA blocks AutoSSL. A CAA record exists but doesn't list sectigo.com. AutoSSL fails. Add Sectigo or remove the CAA.
  • DNSSEC misconfiguration. Setting up DNSSEC at the DNS host but forgetting the DS record at the registrar leaves the chain broken — and on some configurations, breaks DNS for your domain entirely. Test thoroughly before activating.
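
The MX and SPF pitfalls above can be caught before a zone goes live. This added example (not an ipxcore or cPanel tool) lints a constructed zone listing in `name TYPE rdata` form; the record values are made up for illustration.

```python
from collections import Counter

# Constructed zone listing containing the MX and SPF mistakes described above.
ZONE = """\
yourdomain.com.       A     192.0.2.10
yourdomain.com.       MX    10 mail.yourdomain.com.
yourdomain.com.       MX    20 backup.yourdomain.com.
mail.yourdomain.com.  CNAME yourdomain.com.
yourdomain.com.       TXT   "v=spf1 +a +mx ~all"
yourdomain.com.       TXT   "v=spf1 include:_spf.google.com ~all"
yourdomain.com.       TXT   "google-site-verification=constructed-token"
"""

def parse_zone(text):
    """Split 'name TYPE rdata' lines; TTL and class columns are assumed absent."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            name, rtype, rdata = line.split(None, 2)
            records.append((name.lower(), rtype.upper(), rdata.strip()))
    return records

def lint_zone(text, origin):
    """Return (finding, name) pairs for the MX and SPF pitfalls."""
    records = parse_zone(text)
    origin = origin.lower()
    cnames = {n for n, t, _ in records if t == "CNAME"}
    addressed = {n for n, t, _ in records if t in ("A", "AAAA")}
    findings = []
    for _, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = rdata.split()[1].lower()
        in_zone = target == origin or target.endswith("." + origin)
        if target in cnames:
            findings.append(("mx-target-is-cname", target))
        elif in_zone and target not in addressed:
            # Targets outside this zone cannot be judged from this listing.
            findings.append(("mx-target-has-no-address", target))
    spf = Counter(n for n, t, r in records
                  if t == "TXT" and r.strip('"').lower().startswith("v=spf1"))
    for name, count in sorted(spf.items()):
        if count > 1:
            findings.append(("multiple-spf-records", name))
    return findings
```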