how to debug DNS propagation for a custom email domain
DNS records look right but email still fails? Step-by-step process to debug propagation for MX, SPF, DKIM, and DMARC records.
You changed your MX records, added SPF, published a DKIM key, and your email provider's dashboard still says "not verified." It's been two hours. Maybe three. You're refreshing the portal like it owes you something.
DNS propagation issues are the single most common reason custom domain email setups stall. The records are correct, the syntax is fine, but something between your registrar and the rest of the internet hasn't caught up yet. This guide walks through exactly how to debug it, record by record, tool by tool.
If you'd rather not wrestle with DNS at all, and it works immediately. No DNS required. But if you're already deep into TXT records, keep reading.
How to debug DNS propagation for a custom email domain#
Here's the full debugging process, start to finish:
- Lower your TTL to 300 seconds at least 24 hours before making any DNS changes.
- Add or update your MX, SPF, DKIM, DMARC, and domain verification TXT records at your DNS host.
- Run a global propagation check on dnschecker.org or whatsmydns.net for each record type individually.
- Use
digornslookupto confirm the record value matches exactly what your email provider expects, character by character. - Check for trailing spaces, subdomain misplacement, or quoting issues in TXT records.
- If the provider portal still shows "unverified," remove and re-add the domain to trigger a fresh validation attempt.
- Wait for the old TTL to expire, then re-test in the regions that were failing.
- Confirm all five record types resolve correctly from at least three continents before marking setup as complete.
Most issues resolve within 30 minutes if your TTL was already low. If you created records on a fresh domain with a default 24-hour TTL, expect a much longer wait.
The five records you need (and how to check each one)#
Email DNS isn't a single record. It's five independent records that all need to propagate on their own schedules.
MX records tell other mail servers where to deliver email for your domain. Wrong or missing MX records mean inbound mail bounces immediately. Check yours with:
dig MX yourdomain.com +short
**SPF records** declare which servers are authorized to send email on your domain's behalf. A missing SPF record won't block sending outright, but recipients will treat your messages as suspicious. SPF lives inside a TXT record:
dig TXT yourdomain.com +short | grep "v=spf1"
**DKIM records** are public keys published as TXT records under a selector subdomain (something like `selector1._domainkey.yourdomain.com`). They allow recipients to verify the email body wasn't tampered with in transit. The most common DKIM mistake is placing the record on the wrong subdomain:
dig TXT selector1._domainkey.yourdomain.com +short
DMARC records tie SPF and DKIM together with a policy telling recipients what to do when authentication fails. DMARC lives at _dmarc.yourdomain.com:
dig TXT _dmarc.yourdomain.com +short
Domain verification TXT records prove to your email provider that you control the domain. These are provider-specific, usually a random string you add to your root domain's TXT records.
All five must be live and correct at the same time. Four out of five won't do it.
Tip
Before changing any DNS records, lower the TTL on all email-related records to 300 seconds and wait 24 hours. This ensures old cached values expire globally before your new records need to take effect.
Why propagation looks complete but email still fails#
I see this catch people constantly. You check dnschecker.org, see green checkmarks across the globe, and assume everything is working. Then your provider's dashboard still reads "not configured."
Three common causes:
Your provider cached a negative result. When the provider first queried your domain and found no records, it stored that "not found" response internally. Even after global propagation completes, the provider may hold onto the stale result for hours. Removing the domain from the provider dashboard and re-adding it forces a fresh DNS lookup. Azure Communication Services, for example, has no manual "recheck" button, so this remove-and-readd approach is your only option.
You checked the wrong record type. dnschecker.org defaults to A records. If you're debugging email, you need to select MX or TXT from the dropdown explicitly. Green checks on A records tell you absolutely nothing about your mail configuration.
Regional resolver caching is stale. Your local ISP's recursive resolver may cache old records longer than the TTL suggests. Switch to a public resolver for testing:
dig @8.8.8.8 MX yourdomain.com +short
dig @1.1.1.1 TXT yourdomain.com +short
If the public resolvers show the correct value but your ISP's resolver doesn't, the issue is local caching and it will resolve on its own once the old TTL expires.
What happens to email during propagation#
Here's the question nobody answers clearly: what happens to mail sent to your domain while DNS records are still propagating across the globe?
If you're migrating from one email provider to another, both old and new MX records may be active in different regions at the same time. Some mail routes to the old server, some to the new one. This is expected behavior, not a bug. It's how DNS works during transitions, and both servers should be capable of accepting mail until propagation completes everywhere.
If you're setting up a brand-new domain with no prior MX record, the situation is worse. Mail sent before your MX records propagate will bounce permanently with a "no MX record found" error. Those messages are not queued or retried by the sender's server. The sender gets a bounce notification, and you never see the email. This is why you should verify propagation fully before sharing your new address with anyone.
For agents that need a working email address right now, waiting hours for DNS to settle across dozens of global resolvers is a non-starter. LobsterMail's @lobstermail.ai addresses work the instant they're created because the DNS is pre-configured. When you're ready to send from your own custom domain, LobsterMail validates propagation automatically and only activates the domain once every record is confirmed live.
Tools worth using#
I skip the ad-heavy SEO farm sites. These three actually do the job:
- whatsmydns.net shows propagation status from 49+ global locations. Select the record type manually; it defaults to A, which is useless for email debugging.
- dnschecker.org offers a similar global view with a different server list. Good for a second opinion when whatsmydns results look inconsistent.
digon your own machine gives the most control. Use+traceto follow the full resolution chain from root servers down to your authoritative nameserver, which pinpoints exactly where a stale cache is hiding:
dig +trace TXT _dmarc.yourdomain.com
For automated checks in CI pipelines or agent workflows, query DNS programmatically instead of refreshing a browser tab:
# Verify MX record matches expected value
dig +short MX yourdomain.com | grep -q "mail.provider.com" \
&& echo "MX OK" || echo "MX MISSING"
You can run this against multiple public resolvers (8.8.8.8, 1.1.1.1, 9.9.9.9) in a loop to approximate a global propagation check without any web UI.
When DNS isn't actually the problem#
Sometimes every record is correct and fully propagated, and email still doesn't work. At that point, stop debugging DNS. Look at these instead:
Sending reputation. A brand-new domain with no sending history will land in spam regardless of perfect authentication records. You need to warm the domain gradually over days, starting with small volumes to engaged recipients who will open and reply.
SPF alignment failures. SPF might pass on its own, but if the From: domain doesn't align with the Return-Path: domain, DMARC still fails. This is a common gotcha after switching providers, because the new provider's bounce address often uses a different domain than your visible From: header.
Content filtering. Some recipients run aggressive filters that reject or quarantine messages based on body content, link reputation, or attachment types. Perfect authentication doesn't override content-based rules.
Start with the eight-step debugging process at the top of this article before chasing reputation or content problems. Get DNS right first. If you'd rather skip DNS management entirely, LobsterMail handles record validation and propagation monitoring automatically when you connect a custom domain, and the free tier gets you started at $0 with 1,000 emails per month.
Frequently asked questions
How long does MX record propagation typically take?
Most MX record changes propagate within 5 to 30 minutes if your TTL was already set to 300 seconds or less. With a default 24-hour TTL, expect up to 48 hours in the worst case. Lowering the TTL a full day before making changes is the single most effective way to speed this up.
Why does my email provider show SPF or DKIM as 'not configured' when dig confirms the record is live?
Your provider likely cached a negative DNS result from before you added the record. Remove the domain from your provider's dashboard and re-add it to force a fresh lookup. Some platforms like Azure Communication Services have no manual recheck button, so this remove-and-readd workaround is your only option.
What TTL should I set on email DNS records before a planned migration?
Set all email-related records (MX, SPF, DKIM, DMARC, verification TXT) to a TTL of 300 seconds at least 24 hours before making any changes. This ensures old cached values expire from resolvers worldwide before you swap to new records.
How do I use dig to verify a DKIM TXT record has propagated?
Run dig TXT selector._domainkey.yourdomain.com +short, replacing selector with your provider's DKIM selector name. The output should match the public key value your provider gave you exactly. You can also paste the full record hostname into whatsmydns.net and select TXT as the record type.
What is the fastest way to confirm MX records are correct across multiple continents?
Use whatsmydns.net or dnschecker.org and select MX as the record type. Both tools query DNS servers on every continent and show results in seconds. If some regions show the old value while others show the new one, propagation is still in progress.
How can I tell if a propagation delay is caused by my registrar, my DNS host, or a recipient's cache?
Run dig +trace MX yourdomain.com to follow the resolution chain from root servers down to your authoritative nameserver. If the authoritative server returns the correct record but a regional resolver doesn't, the delay is in recursive resolver caching. If the authoritative server is wrong, the problem is at your DNS host or registrar.
What happens to emails sent to my domain during nameserver propagation?
During a migration, mail may split between old and new servers depending on which MX record each sender's resolver has cached. For brand-new domains with no prior MX record, emails sent before propagation completes bounce permanently and are not queued or retried by the sender.
Why would DNS propagation appear complete on dnschecker.org but email delivery still fails?
Three common causes: your email provider cached a stale negative result internally, you checked the wrong record type (A instead of MX or TXT), or the record value has a subtle mismatch like a trailing space or missing trailing period. Compare your dig output character by character against what the provider expects.
How do I force a domain verification recheck in Azure Email Communication Services?
Azure doesn't offer a manual recheck button. Remove the custom domain from your Communication Services resource and add it again. This triggers a fresh DNS validation attempt against the current live records.
What is the difference between A records, MX records, and TXT records for email debugging?
A records point your domain to a web server IP address and are not directly used for email delivery. MX records tell mail servers where to route email for your domain. TXT records carry text data including SPF policies, DKIM public keys, DMARC policies, and domain verification strings. When debugging email, always check MX and TXT records, not A.
Why do some regions show my DKIM record as propagated while others still show the old value?
Different regions rely on different recursive DNS resolvers, each maintaining its own independent cache. If those resolvers cached the old record (or a "not found" response) while a high TTL was active, they won't re-query your authoritative server until that cached TTL expires. This resolves on its own once the cache clears.
Can I run automated DNS propagation checks without visiting a web tool?
Yes. Use dig or nslookup in a shell script and query multiple public resolvers like 8.8.8.8, 1.1.1.1, and 9.9.9.9. Compare the output against your expected record value. This works well in CI pipelines or agent workflows where you need programmatic confirmation that records are live before proceeding.
What does it mean when SPF passes but emails still go to spam?
SPF passing means the sending server is authorized, but it's only one factor in deliverability. Emails can still land in spam due to poor domain reputation, missing DKIM or DMARC records, low sender score, suspicious content, or because the domain is brand new with no established sending history.
Does LobsterMail handle DNS setup for custom domains automatically?
LobsterMail tells you exactly which records to add and then monitors propagation on your behalf. Once all five records (MX, SPF, DKIM, DMARC, and verification TXT) are confirmed live globally, the domain activates automatically. See our guide on custom domains for agent email for the full walkthrough.
