Email DNS Propagation: Why Your Records Still Look Wrong After Updating DNS
Learn why MX, SPF, DKIM, DMARC, and verification records can still look wrong after DNS updates, and how to tell propagation apart from real misconfiguration.
You updated your DNS records. You saved the changes. Everything looks correct inside Cloudflare, Namecheap, GoDaddy, or your DNS host.
But your email provider still says the records are missing. Or your DNS checker still shows the old MX record. Or your SPF fix appears in one tool but not another.
This is usually explained by DNS caching, wrong DNS location, nameserver changes, negative caching, or provider-side verification delay. This guide explains how to troubleshoot the issue without repeatedly changing records and making things worse.
On this page
Quick answer: why do DNS records still look wrong?
If updated email DNS records still look wrong, the most common causes are:
| Cause | What it means |
|---|---|
| DNS cache has not expired | A resolver is still showing the old record until TTL expires |
| You edited the wrong DNS host | The record was added somewhere, but not where live DNS is managed |
| Nameservers recently changed | Some resolvers may still be asking the old authoritative DNS provider |
| Negative caching | A previous record not found result may be cached temporarily |
| Provider verification is delayed | Google, Microsoft, or another provider may not have rechecked yet |
| Record was added under the wrong name | Example: DMARC added at @ instead of _dmarc |
| Record value has a typo | The record exists but does not match what the provider expects |
| Duplicate or conflicting records remain | Old MX, duplicate SPF, or multiple DMARC records confuse checks |
| Local device or ISP cache | Your computer, router, or ISP resolver may still show old results |
| Tool checks different resolvers | Different DNS tools may temporarily show different answers |
Do not keep changing DNS every few minutes. First confirm whether the record is visible at the authoritative DNS host.
What does DNS propagation actually mean?
DNS propagation is the common phrase people use when DNS changes take time to appear everywhere.
Technically, DNS does not update every server on the internet in one push. DNS works through caching.
When a resolver asks for a DNS record, it may store the answer for a period of time. That period is controlled by the record's TTL, or time to live.
If a resolver cached your old MX record before you changed it, that resolver may keep returning the old answer until the TTL expires. That is why one checker may show the new record while another checker still shows the old one.
DNS propagation explained simply
Think of DNS like people taking notes.
- Your authoritative DNS host has the official answer.
- A resolver asks for the answer.
- The resolver writes the answer down temporarily.
- Other users ask that resolver.
- The resolver gives the cached answer instead of asking again.
- When the cache expires, the resolver asks again and gets the new answer.
After a DNS update, there may temporarily be two versions of the same record.
| Location | What it may show |
|---|---|
| Authoritative DNS | New record |
| Some recursive resolvers | New record |
| Other recursive resolvers | Old cached record |
| Your computer or router | Old cached result |
| Email provider verification tool | Old or delayed result |
This is normal during a DNS transition.
The three places to check DNS
When troubleshooting email DNS propagation, separate these three layers:
| Layer | What it means | Why it matters |
|---|---|---|
| DNS dashboard | What you typed into Cloudflare, Namecheap, GoDaddy, or another DNS host | This proves you saved something |
| Authoritative DNS | What the official nameservers are publishing | This proves the live DNS host has the record |
| Recursive DNS | What public resolvers and users are seeing | This shows what many systems currently receive |
A record can look correct in your DNS dashboard but still not be live if you edited the wrong DNS host.
A record can be correct at authoritative DNS but still look old in recursive DNS because of caching.
Step 1: Confirm the active nameservers
Before blaming propagation, confirm where DNS is actually managed.
Nameservers tell the internet which DNS provider is authoritative for your domain.
| Role | Provider |
|---|---|
| Domain registrar | Namecheap |
| DNS host | Cloudflare |
| Website host | Vercel |
| Email provider | Google Workspace |
If the nameservers point to Cloudflare, then live MX, SPF, DKIM, DMARC, and verification records must be added in Cloudflare. Adding records at Namecheap will not update live DNS if Namecheap is only the registrar and Cloudflare is the active DNS host.
Signs you edited the wrong DNS host
- You added the record, but every DNS checker still says it is missing.
- The email provider cannot verify the record after a long wait.
- Your DNS dashboard shows the record, but authoritative lookups do not.
- You recently changed nameservers.
- You have similar DNS zones in multiple places.
Find the active nameservers first. Then add the record only at the active DNS host.
If the website works but email does not, the website works but email does not guide explains the wider DNS split.
Step 2: Understand TTL
TTL stands for time to live.
In DNS, TTL tells resolvers how long they may cache a DNS answer before asking again.
example.com MX 300 smtp.google.comIn this example, 300 means 300 seconds, or 5 minutes. If a resolver receives this answer, it can cache it for up to 5 minutes.
| TTL seconds | Human-readable time |
|---|---|
| 60 | 1 minute |
| 300 | 5 minutes |
| 600 | 10 minutes |
| 1800 | 30 minutes |
| 3600 | 1 hour |
| 14400 | 4 hours |
| 86400 | 24 hours |
Longer TTLs reduce DNS lookup load but make changes slower to appear everywhere. Shorter TTLs make future changes appear faster, but they do not always clear old cached records immediately.
Important: lowering TTL after the change does not clear old cache
This is a common mistake.
Suppose your old MX record had a TTL of 24 hours. A resolver cached that old MX record one hour before you changed it. Then you update the MX record and lower TTL to 5 minutes.
That resolver may still keep the old cached answer until the old 24-hour TTL expires. The new shorter TTL helps future lookups, but it does not force every resolver to forget what it already cached.
Practical rule
If you plan a migration, lower TTL before the migration, not after.
- Lower TTL 24 to 48 hours before the migration.
- Wait for old long-TTL caches to expire.
- Change MX records.
- Test routing.
- Raise TTL later if desired.
Step 3: Check authoritative DNS first
When debugging propagation, the best question is: are the authoritative nameservers publishing the new record?
If yes, your DNS host is publishing the change. Any old results elsewhere are likely cache or provider verification delay.
If no, the record was not published correctly or was added in the wrong place.
| Authoritative result | Meaning |
|---|---|
| New record appears | DNS host is publishing the update |
| Old record appears | The change was not saved, or the wrong zone or host was edited |
| Record missing | Record was added incorrectly or the wrong DNS host was edited |
| Wrong name appears | Record may have been added under the wrong host/name |
| Duplicate record appears | Old or conflicting records still exist |
Authoritative DNS is the source of truth for whether the DNS host is currently publishing the record.
Use the email DNS checker guide if you need a broader checklist for what to inspect.
Step 4: Understand recursive resolver cache
Most users and services do not query your authoritative nameserver directly every time.
They often use recursive resolvers such as ISP DNS resolvers, public DNS resolvers, corporate DNS resolvers, router-level DNS cache, device-level DNS cache, or email provider DNS resolvers.
These resolvers may cache the old answer until TTL expires. That is why two people can check the same domain and see different results.
Example
You changed MX from old hosting mail to Google Workspace. Authoritative DNS now shows:
example.com MX 1 smtp.google.comBut one resolver still shows:
example.com MX 10 mail.oldhost.comThis can happen if the resolver cached the old record before the change.
Step 5: Know what negative caching means
DNS can cache missing records too. This is called negative caching.
- Your DKIM record does not exist yet.
- A checker looks for
google._domainkey.example.com. - DNS returns record not found.
- A resolver caches that not found answer.
- You add the DKIM record.
- The same resolver may still show not found until the negative cache expires.
This is why newly added SPF, DKIM, DMARC, or verification records can appear missing even after you save them correctly.
| Record type | How negative caching can appear |
|---|---|
| MX | No mail routing found |
| SPF TXT | No SPF record found |
| DKIM TXT/CNAME | Selector still says missing |
| DMARC TXT | No DMARC found at _dmarc |
| Google verification TXT | Domain still not verified |
| Microsoft verification TXT | MS=ms... record still not found |
| Autodiscover CNAME | Outlook still cannot find the new target |
Check authoritative DNS. If the authoritative nameserver shows the new record, wait for recursive caches to catch up.
Step 6: Check the record name carefully
Sometimes the problem is not propagation. Sometimes the record is in the wrong place.
| Record | Correct name | Common wrong name |
|---|---|---|
| Root MX | @ or blank | www |
| SPF | @ | spf |
| DMARC | _dmarc | @ |
| Google DKIM | google._domainkey | google._domainkey.example.com.example.com |
| Microsoft DKIM | selector1._domainkey | selector1 only |
| Autodiscover | autodiscover | www.autodiscover |
| Verification TXT | Usually @ or provider-specific | Wrong subdomain |
DNS dashboards differ. Some automatically append your domain name.
If Cloudflare asks for the Name field, entering _dmarc.example.com may work in some cases, but the safer Cloudflare-style value is often _dmarc. Always check the final published hostname.
Step 7: Check the record value carefully
A record can publish quickly but still fail if the value is wrong.
| Record | Common mistake |
|---|---|
| MX | Wrong provider value or typo |
| SPF | Duplicate SPF records or wrong include |
| DKIM | Truncated public key or wrong CNAME target |
| DMARC | Missing v=DMARC1 or missing p= tag |
| Google verification | Copied wrong verification string |
| Microsoft verification | Copied wrong MS=ms... value |
| Autodiscover | Points to old provider |
| CNAME | Proxied when it should be DNS-only |
If the record exists but the provider still says invalid, compare the value character-by-character with the provider's instruction.
Step 8: Understand provider-side verification delay
Sometimes public DNS is already correct, but the provider admin panel has not refreshed yet.
This can happen with Google Workspace, Microsoft 365, Zoho, Proton Mail, Mailchimp, HubSpot, SendGrid, Mailgun, Klaviyo, domain verification tools, and DKIM verification tools.
The provider may not check DNS continuously. It may check on demand, on a schedule, or after you click a verify button.
- Return to the provider dashboard.
- Click verify, check again, or retry setup.
- Try again after some time.
- Avoid changing the record unless the provider shows a specific mismatch.
- If the provider still fails after a long time, check for exact name/value mistakes.
Do not assume DNS is wrong just because the provider dashboard has not refreshed immediately.
How long does email DNS propagation take?
There is no single guaranteed answer.
| Situation | Typical behavior |
|---|---|
| New record with low TTL | Often visible quickly |
| Changed record with old high TTL | Old answer may persist until old TTL expires |
| Nameserver change | Can take longer than a single record update |
| Provider dashboard verification | May lag behind public DNS |
| Negative cached missing record | Not found may persist temporarily |
| Google/Microsoft setup checks | Can take minutes to hours, sometimes longer |
| Complex migrations | Plan for up to 48-72 hours for full confidence |
For many Cloudflare DNS-only records using Auto TTL, changes may appear quickly. But local DNS cache, resolver cache, provider-side checking, and previous high TTLs can make the experience slower.
DNS propagation by record type
Different email DNS records fail in different ways.
| Record | What propagation issue looks like |
|---|---|
| MX | Some senders route to old provider, others to new provider |
| SPF TXT | Some checks show old SPF or duplicate SPF |
| DKIM TXT/CNAME | Provider says DKIM record missing |
| DMARC TXT | DMARC checker says no DMARC found |
| Verification TXT | Google/Microsoft says domain not verified |
| Autodiscover CNAME | Outlook still tries old provider |
| Nameserver records | Some resolvers ask old DNS host |
The troubleshooting method is similar: check authoritative DNS first, then check recursive DNS, then check the provider dashboard.
MX propagation: why some mail still goes to old provider
MX propagation is stressful because it can affect real incoming email.
You changed MX from old cPanel email to Google Workspace. Some senders may still have the old MX cached:
mail.oldhost.comOther senders may already see the new MX:
smtp.google.comDuring this transition, mail can temporarily split between providers.
- Create all users and aliases at the new provider.
- Lower MX TTL ahead of time if possible.
- Keep old provider access during transition.
- Change MX during low email volume.
- Monitor both old and new mailboxes temporarily.
- Read bounce messages.
- Do not delete the old account too early.
For MX-specific troubleshooting, use the MX record checker guide.
SPF propagation: why SPF still shows old or duplicate records
SPF is a TXT record, usually at the root domain. A common SPF problem is adding a new SPF record instead of editing the existing one.
Wrong:
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com -allCorrect if both providers genuinely send email:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~allIf a checker still shows duplicate SPF after you fixed it, possible causes include old TXT cache, wrong DNS host, a duplicate still in the active zone, SPF added at both root and another host, cached recursive DNS, or a DNS provider that has not published the change yet.
Check authoritative TXT records at the root domain. There should be only one TXT record starting with v=spf1.
For SPF cleanup, use the SPF record checker guide.
DKIM propagation: why DKIM still says missing
DKIM is selector-based.
- Are you checking the correct selector?
- Was the DKIM record added at the active DNS host?
- Is the record TXT or CNAME as required?
- Did you copy the full key or target?
- Did DNS propagate?
- Did the provider generate the key?
- Did you enable DKIM after adding DNS?
Example Google DKIM:
google._domainkey.example.comCloudflare Name field may be:
google._domainkeyExample Microsoft DKIM:
selector1._domainkey.example.com
selector2._domainkey.example.comCloudflare Name fields may be:
selector1._domainkey
selector2._domainkeyIf you check the wrong selector, the record may look missing even when DKIM exists.
For selector-specific troubleshooting, use the DKIM record checker guide.
DMARC propagation: why DMARC still says missing
DMARC must be published at:
_dmarc.example.comFor many DNS hosts, the Name field is:
_dmarcA safe starting value is:
v=DMARC1; p=none;- Record added at
@instead of_dmarc - Record added at wrong DNS host
- Typo in
_dmarc - Multiple DMARC TXT records
- DNS cache has not expired
- Provider or tool is checking cached DNS
- Record value has invalid syntax
Do not jump from no DMARC to p=reject because you are frustrated. Start safely with p=none if unsure, then tighten later after SPF/DKIM are working.
For policy rollout, use the DMARC record checker guide.
Verification TXT propagation: why Google or Microsoft cannot verify
Domain verification usually uses TXT or CNAME records.
Google verification values may look like:
google-site-verification=...Microsoft verification values may look like:
MS=ms...Use the exact value from the provider.
- Was the TXT record added at the active DNS host?
- Was it added at the correct name, usually
@unless the provider says otherwise? - Was the value copied exactly?
- Is there an extra quote, space, or typo?
- Are you verifying the correct domain?
- Has the provider rechecked DNS?
- Has enough time passed?
Do not copy a verification value from another domain or another account.
Nameserver propagation vs record propagation
Changing an MX record is not the same as changing nameservers.
Record change
A record change means you edited something like MX, TXT, or CNAME inside the current DNS host.
Nameserver change
A nameserver change means you changed which DNS provider is authoritative for the domain.
Before: Namecheap nameservers
After: Cloudflare nameserversNameserver changes can be more disruptive because some resolvers may still ask the old DNS host temporarily.
If you recently changed nameservers, make sure the new DNS host contains website records, MX, SPF, DKIM, DMARC, verification records, autodiscover, and any service-specific records.
If the new DNS zone is incomplete, the website may work but email may fail.
Cloudflare-specific propagation notes
If Cloudflare is your active DNS host:
- MX records are DNS-only.
- TXT records are DNS-only.
- SPF, DMARC, and verification records are TXT records.
- Google DKIM is often TXT.
- Microsoft DKIM is usually CNAME.
- DKIM CNAMEs should be DNS-only.
- Website A/CNAME records may be proxied, but email records are not orange-clouded.
Cloudflare Auto TTL for DNS-only records is commonly 300 seconds, but that does not guarantee every local cache or provider dashboard updates instantly.
| Mistake | Result |
|---|---|
| Editing DNS at registrar instead of Cloudflare | Live DNS does not change |
| Entering full domain twice | Record publishes at wrong hostname |
| Proxying DKIM/autodiscover CNAME | Verification or discovery may fail |
| Deleting website records while fixing email | Website breaks |
| Leaving old MX records | Mail may route to wrong provider |
| Adding duplicate SPF | SPF fails |
| Adding DMARC at root | DMARC not found |
For provider-specific Cloudflare setup, use the Google Workspace Cloudflare DNS guide or the Microsoft 365 Cloudflare DNS guide.
Why one DNS checker shows correct and another does not
Different tools may query different resolvers.
| Tool | May query |
|---|---|
| DNS checker A | Google Public DNS |
| DNS checker B | Cloudflare resolver |
| DNS checker C | Its own resolver cache |
| Email provider | Internal provider resolver |
| Your computer | ISP or router DNS |
| Command line tool | System-configured resolver |
If authoritative DNS is correct but recursive tools disagree, you are probably seeing cache differences.
If authoritative DNS is wrong, the record still needs fixing.
How to test DNS properly
- Check active nameservers.
- Check authoritative DNS.
- Check public recursive DNS.
- Check the provider dashboard.
- Test real email.
For email, the final test is actual sending and receiving.
- Does incoming email arrive?
- Does outgoing email arrive?
- Does SPF pass?
- Does DKIM pass?
- Does DMARC pass?
- Are emails going to inbox or spam?
- Are bounce messages gone?
DNS records are setup signals. Real email tests confirm the flow.
Should you flush DNS cache?
Sometimes flushing local DNS cache helps your own computer see new records faster. But it does not clear caches across the internet.
- Browser
- Operating system
- Router
- ISP resolver
- Public resolver
- Corporate network
- Email provider resolver
Flushing your computer's DNS cache can help your local view, but it will not force Google, Microsoft, or other mail servers to forget old cached records.
The main fix is correct DNS at authoritative nameservers, then waiting for caches and provider verification to update.
When to wait vs when to fix
| Situation | Best action |
|---|---|
| Authoritative DNS shows wrong record | Fix DNS |
| Authoritative DNS shows missing record | Fix DNS or wrong DNS host |
| Authoritative DNS is correct but recursive DNS is old | Wait for cache |
| Google/Microsoft says missing but authoritative DNS is correct | Retry verification and wait |
| Record is at wrong hostname | Fix hostname |
| Record value has typo | Fix value |
| Duplicate SPF still exists authoritatively | Remove duplicate |
| Multiple DMARC records exist authoritatively | Keep only one valid record |
| MX points to wrong provider authoritatively | Fix MX |
| Only your computer shows old result | Try another network/resolver or flush local cache |
Do not wait if authoritative DNS is wrong. Waiting does not fix an incorrect record.
Practical timeline for email DNS changes
First few minutes
Cloudflare or your DNS host may show the saved record. Authoritative DNS may update quickly. Some checkers may still show old results.
15 to 60 minutes
Many recursive resolvers may show the new result if TTL was short. Provider verification may start working. Some local caches may still show old results.
Several hours
Most ordinary DNS caches should update if TTL was moderate. Email routing may become more consistent. Provider dashboards may detect records.
24 to 72 hours
This is a higher-confidence window for email migrations, old MX caches, provider setup checks, and nameserver changes.
If you still see the wrong result after this and authoritative DNS is wrong, it is not propagation. It is configuration.
How to reduce propagation problems before a migration
- Identify active DNS host.
- Export or screenshot current DNS records.
- Lower TTL for key records ahead of time if possible.
- Create users and aliases at the new provider.
- Verify the domain with the new provider.
- Add SPF/DKIM/DMARC carefully.
- Plan MX switch during low email volume.
- Keep old provider active temporarily.
- Monitor both old and new inboxes.
- Save bounce messages for troubleshooting.
The best propagation fix is preparation.
Example: moving from cPanel email to Google Workspace
Before migration:
example.com MX 10 mail.example.comAfter migration:
example.com MX 1 smtp.google.comDuring propagation, some senders may still send to mail.example.com. Others may send to smtp.google.com.
- Create Google Workspace users.
- Add aliases and groups.
- Verify domain.
- Lower old MX TTL before migration if possible.
- Change MX to Google.
- Keep cPanel mail accessible for a transition period.
- Test email from several external accounts.
- Remove old MX records when ready.
- Add SPF, DKIM, and DMARC.
- Monitor bounces.
Example: moving from Google Workspace to Microsoft 365
Before migration:
example.com MX 1 smtp.google.comAfter migration:
example.com MX 1 example-com.mail.protection.outlook.comThe Microsoft value is domain-specific and must come from Microsoft 365 admin center.
- Add and verify domain in Microsoft 365.
- Create users and mailboxes.
- Add aliases, groups, or shared mailboxes.
- Add Microsoft SPF carefully.
- Prepare Microsoft DKIM CNAMEs.
- Add DMARC monitoring.
- Switch MX during low-volume period.
- Keep Google access temporarily.
- Test sending and receiving.
- Remove Google SPF include only if Google no longer sends mail.
Example: adding DKIM and provider says not found
You added:
google._domainkey.example.comwith a long TXT value from Google Admin. But Google still says it cannot find the record.
- Record added at wrong DNS host.
- Name field was entered incorrectly.
- Public key was copied incompletely.
- Google is checking cached DNS.
- You clicked verify too soon.
- The record is visible authoritatively but not to Google yet.
- Check active nameservers.
- Check authoritative DNS for
google._domainkey.example.com. - Confirm TXT value is complete.
- Wait for propagation.
- Return to Google Admin and retry authentication.
Do not create a second DKIM record with guessed values.
Example: adding DMARC and checker still says missing
You added:
v=DMARC1; p=none;But the checker says no DMARC. A common cause is adding it at example.com instead of _dmarc.example.com.
| Field | Correct value |
|---|---|
| Name | _dmarc |
| Value | v=DMARC1; p=none; |
If authoritative DNS shows the record at _dmarc, the checker may be cached. If authoritative DNS does not show it, fix the DNS name.
What not to do during propagation
- Do not repeatedly delete and re-add records every few minutes.
- Do not change website records because email records are slow.
- Do not create duplicate SPF records.
- Do not add multiple DMARC records.
- Do not guess DKIM values.
- Do not switch between DNS providers mid-troubleshooting.
- Do not delete old email provider access immediately after MX change.
- Do not assume every checker uses the same resolver.
- Do not ignore bounce messages.
- Do not wait 72 hours if authoritative DNS is clearly wrong.
- Do not assume propagation fixes typos.
Propagation explains delay. It does not fix incorrect DNS.
Final troubleshooting checklist
- Confirm the active nameservers.
- Confirm the record was added at the active DNS host.
- Check authoritative DNS.
- Check recursive DNS only after authoritative DNS is correct.
- Confirm the record name/host is correct.
- Confirm the value is exact.
- Check for duplicate SPF records.
- Check for multiple DMARC records.
- Check for old MX records.
- Check whether DKIM selector is correct.
- Consider negative caching for newly added records.
- Retry provider verification.
- Test real email sending and receiving.
- Wait for cache only after DNS is confirmed correct.
If authoritative DNS is wrong, fix it. If authoritative DNS is right but recursive tools disagree, wait.
Run an email DNS propagation check
Use Domain Email Doctor to scan your domain's public email DNS records after making changes.
The scan can help you see whether MX, SPF, DKIM, DMARC, and nameserver records are visible publicly, and whether the problem looks like propagation, wrong DNS host, wrong record name, or an actual misconfiguration.
Check the DNS result before changing more records. Most email DNS issues get worse when people keep editing without knowing whether the previous change has actually published.
Quick checklist
- Active nameservers are confirmed.
- The record was added at the active DNS host.
- Authoritative DNS is checked before recursive DNS.
- TTL and cached old answers are considered.
- Lowering TTL after the change is not treated as a cache clear.
- Negative caching is considered for newly added records.
- The record name/host is correct.
- The record value exactly matches provider instructions.
- Duplicate SPF and multiple DMARC records are checked.
- Old MX records are checked during migrations.
- DKIM selector is checked before assuming DKIM is missing.
- Provider dashboard verification is retried after DNS is correct.
- Real email sending and receiving are tested.
- Repeated DNS edits are avoided while caches expire.