DNS records that affect your security
DNS is the internet’s address book, and yours is published for the world to read. That openness is the point — it is how anyone finds your servers — but it also means a handful of records quietly determine how hard you are to impersonate or hijack. Most organizations set these records once and never look again, which is precisely how they go wrong.
The records that protect your email
Three of the most important security records are TXT records that govern mail:
- SPF lists who may send email for your domain.
- DKIM publishes the public key that verifies your signed mail.
- DMARC (at _dmarc) sets the enforcement policy.
These get full treatment in SPF, DKIM, and DMARC explained.
CAA: deciding who may issue your certificates
A CAA (Certification Authority Authorization) record names which certificate authorities are allowed to issue certificates for your domain. Without one, any public CA can issue a certificate for your name — and an attacker who hijacks your DNS even briefly can get a valid certificate for a convincing phishing clone. A restrictive CAA record narrows that window.
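To make the CAA rule concrete, here is an added example (not zmam.ai's code) of how a CA evaluates a request against CAA records under RFC 8659: it climbs from the requested name to the closest ancestor that publishes CAA, uses issuewild for wildcard requests when present, and treats a bare ";" as "no CA may issue". The zone below is constructed in memory, so nothing is looked up over the network.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone for illustration: name -> list of (tag, value) CAA records.
# In practice these would be fetched from public DNS.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example.com.": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    "legacy.example.com.": [("issue", "digicert.com; validationmethods=dns-01")],
}


def relevant_caa(name: str, zone: Dict[str, List[Tuple[str, str]]]) -> Optional[List[Tuple[str, str]]]:
    """Return the CAA set of the closest name at or above `name`, or None.

    RFC 8659: the nearest ancestor that has CAA records governs issuance;
    if no name in the hierarchy has any, every public CA may issue.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return None


def ca_may_issue(name: str, ca: str, wildcard: bool = False,
                 zone: Dict[str, List[Tuple[str, str]]] = ZONE) -> bool:
    """True if `ca` (its CAA identifier, e.g. 'letsencrypt.org') may issue
    a certificate for `name`, or for *.name when `wildcard` is set."""
    rrset = relevant_caa(name, zone)
    if rrset is None:
        return True  # no CAA anywhere above this name: unrestricted
    tags = {tag for tag, _ in rrset}
    # Wildcard requests are governed by issuewild when present, else by issue.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    # Strip any "; key=value" parameters and keep only the CA identifier.
    allowed = [value.split(";")[0].strip() for t, value in rrset if t == tag]
    if not allowed:
        return True  # CAA exists but does not restrict this kind of request
    # A bare ";" yields an empty identifier, which matches no CA at all.
    return any(a and a.lower() == ca.lower() for a in allowed)
```

Note that `example.com.` above forbids every wildcard certificate while still allowing one CA to issue ordinary certificates, and that a name with no CAA anywhere in its hierarchy is open to all CAs.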
Dangling records and the takeover economy
The most dangerous DNS problem is also the most boring: records you forgot to delete. A “dangling” record points at a service you no longer use — a CNAME aimed at a cloud bucket, SaaS app, or CDN you shut down. If someone else can re-claim that resource, they can serve content under your subdomain. This is a subdomain takeover, and it is not theoretical: the Hazy Hawk and Sitting Ducks campaigns turned exactly this mistake into mass infrastructure, hijacking subdomains of the CDC, major universities, and global firms — none of which were “hacked” in any conventional sense. A related 2026 incident saw a registry-level hijack of a single domain drain $1.2 million from its users.
General hygiene that pays for itself
- Remove records for decommissioned hosts and services the moment you retire them.
- Keep an inventory of your subdomains; the forgotten ones are the dangerous ones.
- Protect your DNS provider account with strong, phishing-resistant authentication — control of your DNS is control of your domain.
- Enable a registrar/registry lock on high-value domains.
- Consider DNSSEC, where your provider supports it, to protect against DNS spoofing.
How zmam.ai helps
zmam.ai reviews your public DNS as part of its external scan — checking mail authentication, surfacing publicly visible subdomains and records, and flagging the hygiene gaps that lead to takeover. It reads only public DNS and changes nothing.
Related
- SPF, DKIM, and DMARC explained
- How to check your SSL/TLS certificate
- Field note: The CDC was serving malware, and the CDC was not hacked