[{"data":1,"prerenderedAt":224},["ShallowReactive",2],{"seo-blog/dns-change-broke-email":3},{"slug":4,"kind":5,"archetype":5,"cluster":6,"navGroup":6,"navLabel":7,"meta":8,"breadcrumbs":12,"hero":20,"sections":59,"article":221},"blog/dns-change-broke-email","hub","resources","A DNS Change Broke a Client's Email",{"title":9,"description":10,"canonicalPath":11},"A DNS Change Broke Client Email — and Nobody Noticed","A changed MX record or deleted CNAME can silently kill email and services while the website stays up. Here's how DNS changes break things quietly — and how to catch them.","/blog/dns-change-broke-email",[13,16,19],{"label":14,"href":15},"Home","/",{"label":17,"href":18},"Blog","/blog",{"label":7,"href":11},{"eyebrow":21,"headline":22,"intentStatement":23,"bullets":24,"primaryCta":34,"secondaryCta":37,"proofPanel":40},"DNS incidents","A DNS Change Broke a Client's Email — and Nobody Noticed for Days","The website was up the whole time. That's what made it so bad. A single MX record changed during an unrelated migration, and the client's inbound email started bouncing — silently, for days, while every uptime check stayed green. DNS is the one layer where a one-character edit can take down email, APIs, and subdomains without touching the homepage. Here's how these changes break things quietly, how to confirm the cause, and how to get alerted the moment a record drifts.",[25,28,31],{"icon":26,"text":27},"heroicons:envelope","How MX/CNAME changes silently break email & services",{"icon":29,"text":30},"heroicons:magnifying-glass","How to confirm a DNS change is the cause",{"icon":32,"text":33},"heroicons:shield-check","How to get alerted when a record drifts",{"label":35,"href":36},"Monitor your DNS records","/features/dns-monitoring",{"label":38,"href":39},"Check your site now","/tools/is-my-website-down",{"type":41,"reportTitle":42,"severity":43,"findings":44,"generatedAt":58},"report","DNS record drift detected","incident",[45,48,51,53,55],{"label":46,"status":47},"Website (A record): unchanged","pass",{"label":49,"status":50},"MX record: changed","fail",{"label":52,"status":50},"Mail server no longer resolves",{"label":54,"status":50},"Inbound email bouncing",{"label":56,"status":57},"Uptime check: all green","info","Site up — email silently down",[60,67,81,114,119,144,166,184,213],{"id":61,"tocLabel":62,"type":63,"eyebrow":64,"heading":65,"html":66},"what-happened","What happens","prose","The failure","Why a DNS change is the quietest outage there is","\n\u003Cp>DNS is the layer almost nobody watches, because most monitoring is pointed at the website — the A record, the homepage, the HTTP status. But a domain's DNS zone holds far more than that: \u003Ccode>MX\u003C/code> records route email, \u003Ccode>CNAME\u003C/code> records point subdomains and third-party services, \u003Ccode>TXT\u003C/code> records carry SPF/DKIM that decide whether your mail is trusted, and \u003Ccode>NS\u003C/code> records control the whole zone.\u003C/p>\n\u003Cp>Change any of those and the website never flinches. The homepage keeps returning 200 OK. The padlock stays green. And yet:\u003C/p>\n\u003Cul>\n\u003Cli>A changed or deleted \u003Ccode>MX\u003C/code> record means inbound email stops arriving — and senders may get bounces, or worse, nothing at all.\u003C/li>\n\u003Cli>A removed \u003Ccode>CNAME\u003C/code> breaks a subdomain: \u003Ccode>app.\u003C/code>, \u003Ccode>mail.\u003C/code>, \u003Ccode>status.\u003C/code>, or a third-party service that pointed at it.\u003C/li>\n\u003Cli>An edited \u003Ccode>TXT\u003C/code>/SPF record means your outbound email starts landing in spam — technically delivered, functionally invisible.\u003C/li>\n\u003C/ul>\n\u003Cp>\u003Cstrong>Why it's an \"up but broken\" problem:\u003C/strong> the thing everyone monitors (the site) is fine, and the thing that actually broke (email, a subdomain, an API endpoint) isn't being checked at all. This is the same blind spot \u003Ca href=\"/website-monitoring\">website monitoring\u003C/a> closes for the front end — extended to the DNS zone underneath it.\u003C/p>\n",{"id":68,"tocLabel":69,"type":70,"stats":71},"trust","Trust","trust-strip",[72,75,78],{"value":73,"label":74},"20","Detection rules",{"value":76,"label":77},"5–30 min","Check intervals",{"value":79,"label":80},"Free","1 site",{"id":82,"tocLabel":83,"type":84,"eyebrow":85,"heading":86,"items":87},"how-it-happens","How it happens","failure-modes-grid","The usual suspects","How DNS changes break things without warning",[88,93,96,100,105,109],{"icon":89,"title":90,"description":91,"severity":92},"heroicons:arrows-right-left","Nameserver migration drops records","Moving DNS to a new provider (or a new host's \"we'll manage your DNS\" offer) imports the A record but misses the MX, TXT, and CNAME records. The website moves cleanly; email and subdomains silently break.","critical",{"icon":26,"title":94,"description":95,"severity":92},"Email provider switch, half-finished","Migrating from one mail provider to another means updating MX, SPF, DKIM, and DMARC. Miss one MX line or leave a stale SPF entry and mail bounces or gets flagged as spam.",{"icon":97,"title":98,"description":99,"severity":92},"heroicons:pencil-square","A typo in a single record","One wrong character in an MX hostname or a CNAME target, and the record resolves to nothing. DNS doesn't validate that the target actually works — it just serves what you typed.",{"icon":101,"title":102,"description":103,"severity":104},"heroicons:trash","A \"cleanup\" that deleted a live record","Someone tidies the zone and removes a CNAME they assumed was unused — the one pointing a client's booking subdomain at a SaaS tool. It was very much in use.","moderate",{"icon":106,"title":107,"description":108,"severity":104},"heroicons:clock","TTL and propagation masking the change","Long TTLs mean a bad change can look fine for hours (cached) and then break everywhere at once when caches expire — long after the person who made the change has logged off.",{"icon":110,"title":111,"description":112,"severity":113},"heroicons:building-office-2","Registrar auto-changes","A registrar \"parks\" a domain, resets nameservers on renewal, or applies a default zone after a billing hiccup — wiping custom records you set up months ago.","low",{"id":115,"tocLabel":116,"type":63,"eyebrow":117,"heading":30,"html":118},"confirm","Confirm it","Diagnosis","\n\u003Ch3>1. Query the records directly\u003C/h3>\n\u003Cp>Don't trust the registrar dashboard — query what the world actually sees. For email: \u003Ccode>dig MX yoursite.com +short\u003C/code>. For a subdomain: \u003Ccode>dig CNAME app.yoursite.com +short\u003C/code>. For mail trust: \u003Ccode>dig TXT yoursite.com +short\u003C/code> and look at the SPF line. Compare what you get against what should be there.\u003C/p>\n\u003Ch3>2. Check from multiple resolvers\u003C/h3>\n\u003Cp>Run the same query against Google (\u003Ccode>dig @8.8.8.8 MX yoursite.com\u003C/code>) and Cloudflare (\u003Ccode>dig @1.1.1.1 MX yoursite.com\u003C/code>). If they disagree, you're mid-propagation — a recent change hasn't fully rolled out yet.\u003C/p>\n\u003Ch3>3. Confirm the symptom matches the record\u003C/h3>\n\u003Cp>Email bouncing → look at MX and SPF/TXT. A dead subdomain → look at its CNAME/A record. Outbound mail going to spam → look at SPF, DKIM, DMARC TXT records. The record type tells you exactly which service the change took down.\u003C/p>\n\u003Ch3>4. Find out when it changed\u003C/h3>\n\u003Cp>This is the expensive part. DNS changes rarely come with a changelog, and the symptom (bounced email, a quiet subdomain) often goes unreported for days. The fix is usually a one-line edit; the damage is everything that silently failed in between. That gap is why DNS belongs in continuous monitoring — see \u003Ca href=\"/features/dns-monitoring\">DNS monitoring\u003C/a> — rather than something you only check when a client complains.\u003C/p>\n",{"id":120,"tocLabel":121,"type":122,"eyebrow":123,"heading":124,"steps":125},"fix","Fix & prevent","how-it-works-stepper","Recovery","How to fix it and stop it recurring",[126,130,134,139],{"number":127,"icon":97,"title":128,"description":129},"1","Restore the correct record","Re-add the missing MX/CNAME/TXT record with the exact correct target. If you have an export of the old zone file, use it as the source of truth rather than rebuilding from memory.",{"number":131,"icon":106,"title":132,"description":133},"2","Account for TTL","The fix propagates on the record's TTL. If TTLs are long, the broken value may still be cached for some users. During migrations, lower TTLs in advance so changes (and rollbacks) take effect fast.",{"number":135,"icon":136,"title":137,"description":138},"3","heroicons:envelope-open","Verify the affected service, not just DNS","Send a test email end-to-end. Load the subdomain. Confirm the actual service recovered — DNS resolving correctly and email actually flowing are two different checks.",{"number":140,"icon":141,"title":142,"description":143},"4","heroicons:bell-alert","Add record-level monitoring","Snapshot the full zone — MX, CNAME, TXT, A, NS — and alert on any drift. The next time a record changes, you find out the same day, not when a client asks why they stopped getting emails.",{"id":145,"tocLabel":146,"type":147,"eyebrow":148,"heading":149,"items":150},"prevention","Prevention","benefits-grid","Never again","How to catch DNS drift before clients do",[151,155,159,163],{"icon":152,"title":153,"description":154},"heroicons:document-magnifying-glass","Record-level change detection","Sitewatch tracks your MX, CNAME, TXT, A, and NS records and alerts on any change with a before/after diff — so a silent edit becomes an immediate, actionable signal.",{"icon":156,"title":157,"description":158},"heroicons:lock-closed","Pairs with SSL & domain expiry","DNS, certificates, and domain registration are the three \"invisible infrastructure\" failures that take a site or service down without an error. Sitewatch watches all three on every plan — see SSL certificate monitoring and domain expiry monitoring.",{"icon":160,"title":161,"description":162},"heroicons:building-office","Built for agencies and freelancers","Watching DNS across a portfolio of client domains means you catch the broken MX record before the client emails you — which is the difference between looking proactive and looking asleep.",{"icon":141,"title":164,"description":165},"Alerts on the channels you check","Slack, email, or webhook — with the record name and the exact change, so you know whether it's email, a subdomain, or the whole zone that just moved.",{"id":167,"tocLabel":168,"type":169,"heading":170,"items":171},"faq","FAQ","faq-accordion","Common questions",[172,175,178,181],{"question":173,"answer":174},"Why didn't my uptime monitor catch a broken MX record?","Uptime monitors check the website — the A record and an HTTP response. They don't query MX, CNAME, or TXT records, and they don't test email delivery. So when an MX record breaks, the website stays green while inbound email silently bounces. Detecting it requires monitoring the DNS records themselves.",{"question":176,"answer":177},"How long does a DNS change take to break things?","It depends on TTL. A record with a 300-second TTL propagates in minutes; one with a 24-hour TTL can take a full day, and during that window some users see the old (working) value and some see the new (broken) one. This staggered failure is why DNS problems are so confusing to diagnose after the fact.",{"question":179,"answer":180},"Can a DNS change hurt my email deliverability without bouncing mail?","Yes. If an SPF, DKIM, or DMARC TXT record is edited or dropped, your outbound mail may still be delivered — straight to recipients' spam folders. It's technically working and functionally broken, which is the hardest kind of failure to notice because no one reports email they never saw.",{"question":182,"answer":183},"What records should I monitor for a client domain?","At minimum: MX (inbound email), the SPF/DKIM/DMARC TXT records (email trust), CNAME records for any active subdomains or SaaS integrations, the A/AAAA records for the site, and NS records for the zone itself. Any unexpected change to these is worth an alert.",{"id":185,"tocLabel":186,"type":187,"eyebrow":188,"heading":189,"links":190},"related","Related","related-links-grid","Keep reading","Related resources",[191,195,199,204,208],{"label":192,"href":36,"description":193,"icon":194},"DNS Monitoring","Get alerted when MX, CNAME, or TXT records change.","heroicons:globe-alt",{"label":196,"href":197,"description":198,"icon":156},"SSL Certificate Monitoring","/features/ssl-certificate-monitoring","Catch expiring and broken certificates early.",{"label":200,"href":201,"description":202,"icon":203},"Domain Expiry Monitoring","/features/domain-expiry-monitoring","Never lose a domain to a missed renewal.","heroicons:calendar-days",{"label":205,"href":206,"description":207,"icon":32},"Website Monitoring","/website-monitoring","How Sitewatch catches \"up but broken\" failures.",{"label":209,"href":210,"description":211,"icon":212},"Why Is My Website Down?","/blog/why-is-my-website-down","10 common causes of downtime, including DNS.","heroicons:document-text",{"id":214,"tocLabel":215,"type":216,"heading":217,"subtext":218,"primaryLabel":219,"primaryHref":220},"cta","Get started","cta-strip","Know the moment a DNS record changes","Free plan available. Continuous DNS, SSL, and domain monitoring — so a silent record change can't take down client email.","Start free monitoring","https://app.getsitewatch.com",{"headline":22,"datePublished":222,"dateModified":222,"authorName":223},"2026-06-07","Sitewatch Team",1780857880424]