What is DNS Propagation?
When you make changes to your DNS records — such as adding an SPF, DKIM, or DMARC record — those changes don't take effect immediately worldwide. This delay is called DNS propagation, and it's a common source of confusion during email authentication setup. Understanding how propagation works helps you plan DNS changes with confidence.
How DNS Propagation Works
DNS (Domain Name System) operates through a hierarchical system of servers that cache records to improve performance. When you update a record:
- You update the record at your DNS provider
- Your DNS provider's servers get the new record
- Other DNS servers worldwide still have the old cached record
- As caches expire, servers fetch the updated record
- Eventually, all servers have the new information
Propagation Timeline
| Scenario | Typical Time |
|---|---|
| Best case | 5–15 minutes |
| Average | 1–4 hours |
| Worst case | 24–48 hours |
| Very stubborn | Up to 72 hours (rare) |
Factors Affecting DNS Propagation Speed
TTL (Time To Live)
TTL tells DNS servers how long to cache a record. Lower TTL means faster propagation of changes.
| TTL Value | Cache Duration | Propagation Speed |
|---|---|---|
| 300 | 5 minutes | Fast |
| 3600 | 1 hour | Moderate |
| 86400 | 24 hours | Slow |
Your DNS Provider
Different providers have different internal propagation speeds:
- Major providers (Cloudflare, AWS Route 53): Often minutes
- Traditional registrars: May take longer
- Some providers batch updates on a schedule
Record Type
TXT records (used for SPF, DKIM, and DMARC) are typically cached moderately and propagate within a few hours.
Preparing for DNS Changes
1. Lower TTL in Advance
If your current TTL is high (e.g., 86400 / 24 hours):
- Change TTL to 300 (5 minutes) 24–48 hours before your planned change
- Wait for the old high TTL to expire across cached servers
- Make your actual record change
- Verify the change has propagated
- Optionally raise TTL back to the original value
2. Document Current State
Record your current DNS settings before making changes:
- Current SPF record and its value
- Current DKIM records and their selectors
- Current DMARC record and policy
- TTL values for each record
3. Plan Timing
- Avoid making changes before weekends or holidays
- Consider business-critical email schedules
- Have rollback procedures ready
Verifying DNS Propagation
Multiple Location Testing
Use tools that check DNS from servers around the world:
- whatsmydns.net — Shows propagation status across worldwide servers
- dnschecker.org — Tests from multiple global DNS servers
- MXToolbox — DNS propagation and email-specific validation
Clearing Your Local DNS Cache
Your computer caches DNS too. To see the latest records:
Windows:
```
ipconfig /flushdns
nslookup -type=txt example.com
```
macOS:
```
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
nslookup -type=txt example.com
```
Linux:
```
# On newer systemd releases, use: sudo resolvectl flush-caches
sudo systemd-resolve --flush-caches
nslookup -type=txt example.com
```
Querying Specific DNS Servers
Test against well-known public DNS servers directly:
```
# Query Google's DNS
nslookup -type=txt example.com 8.8.8.8
# Query Cloudflare's DNS
nslookup -type=txt example.com 1.1.1.1
# Query your authoritative nameserver
nslookup -type=txt example.com ns1.yourdnsprovider.com
```
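To turn per-resolver answers into a propagation status, the following added example (not part of the original article) compares each resolver's TXT answer with the value you published and uses the remaining TTL to estimate how long stale caches will persist. It assumes the answers were captured with `dig +noall +answer TXT <name> @<resolver>`, because `nslookup` does not print TTLs by default; the sample data, the `_dmarc.example.com` name, and the function names are constructed for illustration.

```python
import re

# Constructed sample: `dig +noall +answer TXT _dmarc.example.com @<resolver>`
# output from three resolvers after the policy was changed to p=quarantine.
SAMPLE_ANSWERS = {
    "ns1.yourdnsprovider.com": '_dmarc.example.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"',
    "8.8.8.8": '_dmarc.example.com. 212 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"',
    "1.1.1.1": '_dmarc.example.com. 2740 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"',
}

ANSWER_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+(.+)$')

def parse_txt_answers(dig_output):
    """Return [(ttl_seconds, text)] for every TXT line in dig answer output."""
    records = []
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if not m:
            continue  # skip blank lines, comments and non-TXT answers
        # A TXT value may be split into several quoted strings; receivers
        # concatenate them without a separator, so do the same here.
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(3))
        records.append((int(m.group(2)), "".join(chunks)))
    return records

def propagation_report(answers, expected):
    """Classify each resolver as current or stale and estimate the wait.

    For a recursive resolver, the TTL in the answer is the time left in its
    cache, so the largest TTL among stale resolvers bounds the wait.
    """
    current, stale = [], {}
    for resolver, output in answers.items():
        records = parse_txt_answers(output)
        if any(text == expected for _, text in records):
            current.append(resolver)
        else:
            # No matching record: remember how long the old answer can live.
            stale[resolver] = max((ttl for ttl, _ in records), default=0)
    return {
        "current": sorted(current),
        "stale": stale,
        "max_wait_seconds": max(stale.values(), default=0),
    }
```

Large public resolvers run many cache nodes behind one address, so the TTL reflects only the node that answered; repeat the query a few times before treating a resolver as current.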
Common Propagation Issues
Old Record Still Showing
Symptoms:
- You updated the record but the old value still appears
- Some tests show the new value, some show the old
Solutions:
- Clear your local DNS cache
- Wait for TTL to expire
- Test from multiple locations
- Verify you updated the correct record at your DNS provider
Partial Propagation
Symptoms:
- Works from some locations but not others
- Intermittent verification success
Cause: Different DNS servers have different cache states. This resolves naturally over time.
Solution: Wait for full propagation — usually resolves within 4 hours.
DNS Provider-Specific Tips
Cloudflare
- Near-instant propagation typically
- Ensure the record is not proxied (use DNS-only / gray cloud for TXT records)
- TTL set to "Auto" uses approximately 5 minutes
GoDaddy
- Can take up to 48 hours
- Contact support for an internal cache flush if urgent
- Lower TTL well before making critical changes
AWS Route 53
- Usually propagates within minutes
- Use the built-in "Test record" feature
- Check that your hosted zone is active
Google Domains / Squarespace
- Typically 1–4 hours
- Verify in Google Admin Console if using Google Workspace
Emergency Procedures
If email is being blocked and you need faster propagation:
- Contact your DNS provider — Some offer cache flush for urgent changes
- Check for errors — Syntax errors prevent records from working regardless of propagation
- Temporary policy relaxation — If blocking email, temporarily relax your DMARC policy to p=none
- Verify the record — Ensure the record is correct before waiting further
Best Practices
- Plan ahead — Make non-urgent DNS changes during low-traffic periods
- Lower TTL first — Reduce TTL before any critical authentication changes
- Test thoroughly — Verify from multiple locations before declaring success
- Document everything — Keep records of changes and when they propagated
- Have patience — Most propagation issues resolve with time
Next Steps
- Troubleshoot Common SPF Issues that can mimic propagation problems
- Diagnose DKIM Failures that may be caused by missing DNS records
- Test your DNS records with our free DMARC Checker