When teams roll out new domains for transactional or marketing emails, there’s an invisible layer of infrastructure that plays an outsized role in success — DNS. While often forgotten after initial setup, DNS records like SPF, DKIM, and DMARC are foundational to ensuring email deliverability. Unfortunately, DNS changes aren’t always immediate, and this delay can result in critical service outages, even when everything *seems* to be correctly configured.
TL;DR
A global marketing platform experienced email service interruptions due to DNS propagation delays after launching new sending domains. What seemed like minor configuration differences turned into hours of undelivered mail. This article explains what went wrong, how DNS behavior played a central role, and what monitoring and TTL strategies were adopted to prevent future occurrences. By understanding DNS propagation and optimizing TTL settings, you can dodge similar disasters and improve infrastructure resilience.
The Incident: Domain Live, Emails Dead
The trouble began during a routine product launch. As part of a broader email localization effort, a tech company rolled out several new domains to enhance their sender reputation across different regions — e.g., updates.eu.productapp.com for Europe and news.asia.productapp.com for Asia. The plan was simple: configure DNS with the appropriate SPF, DKIM, and DMARC records, hook up the domains within the mailing service, and flip the switch.
Except when the switch was flipped, emails failed silently.
The marketing team initiated their first campaign using the new domains, and over 60% of messages either went missing or landed in spam folders. Diagnostics showed that DKIM signatures weren’t verifying, SPF checks were failing, and DMARC was rejecting messages across major email providers like Gmail and Outlook. Yet, internal DNS checks showed perfectly valid entries.
This contradiction led to hours of troubleshooting: Was it a configuration issue? A software bug? A rate limit?
Root Cause: The Ghost in the DNS (Propagation)
The truth lay in the uneven propagation of DNS records — specifically the DKIM TXT records. Although the records had been set up correctly on authoritative DNS servers, the global DNS infrastructure hadn’t yet fully cached and recognized them. Some ISPs and inbox providers queried stale or missing records due to long TTLs and their own caching policies.
This meant that although querying the domain from the hosting provider’s own network resolved correctly, queries from other networks (like Google and Microsoft) did not see the required DNS entries yet. The deeper investigation found that the DKIM public keys — placed in DNS as TXT records — had propagated only partially for some subdomains, even after 2-3 hours.
Here’s a breakdown of what went wrong:
- DNS Propagation Delays: Some records took over 12 hours to fully propagate globally, especially in regions with aggressive DNS caching.
- High TTLs: Default TTL (Time To Live) values for DNS records were set to 86400 seconds (24 hours), hurting responsiveness to configuration updates.
- Lack of External Monitoring: Internal tests passed since the company’s DNS servers returned updated records instantly, masking the real world impact.
The Fix: Rethinking TTL and Building Visibility
Once the cause was clear, the engineering team applied a multi-pronged fix:
1. DNS TTL Optimization
One of the major lessons was the importance of TTL when making changes to DNS, especially for critical services like email authentication.
- TTL for DKIM and SPF TXT records was reduced to 300 seconds during the initial deployment window.
- This allowed records to refresh often and rapidly recover from stale caches.
- Once the propagation was confirmed stable globally (typically after 24–48 hours), TTLs were safely raised back to 3600 or 7200 seconds.
2. External Monitoring of DNS Records
The team also implemented third-party DNS monitoring across regions to detect and alert when DNS records didn’t match expected patterns. Using global DNS checkers and dedicated tools, they built a dashboard that would:
- Verify the presence and correctness of SPF, DKIM, and DMARC records from multiple global locations.
- Track propagation timeframes per record and provide real-time updates on inconsistencies.
- Raise alerts when critical authentication records were missing, expired, or invalid.
This approach added a vital external vantage point to existing internal verification mechanisms.
3. Staging Domain Validation Process
A more rigorous staging process was established for domain onboarding:
- Before switching domains to production use, test messages were sent to inboxes on major email providers (Gmail, Yahoo, Outlook) using the new domain.
- Returned email headers were analyzed to confirm SPF/DKIM/DMARC alignment and successful validation.
- A temporary status dashboard gave stakeholders a green light after all tests were passed in real-world environments.
Lessons Learned: DNS Is Infrastructure, Treat It That Way
This incident highlighted how something as seemingly minor as a DNS TXT record can have an enormous impact when operating at scale. Clearly, DNS misconfigurations aren’t just minor hiccups — they’re downtime risks. The long-term takeaways were instructive for any team deploying applications or services that rely on DNS:
- Always verify externally: Just because your internal systems see the DNS values doesn’t mean the internet does.
- Tune TTLs for agility during changes: Lower is better when adding or modifying records — not forever, but temporarily during rollout windows.
- Understand the pace of propagation across regions: Some countries and ISPs can cache old DNS values far longer than expected.
- Document a rollback plan: In the event of partial or failed propagation, having a path to revert to previous working domains can save reputational damage.
Advice for Similar Operations
If your organization is considering new sending domains or changes to email infrastructure, these practices can drastically reduce deployment friction:
Before Deployment:
- Use low TTLs (300s) on all new authentication TXT records.
- Run propagation checks using global DNS lookup tools.
- Test end-to-end delivery through different ISPs and inboxes.
During Rollout:
- Monitor authentication results in email headers (look for ‘pass’ on SPF/DKIM/DMARC).
- Track bounce rates and spam complaints closely within the first 24 hours.
- Keep communication channels open between engineering, marketing, and customer support teams for fast validation.
Post-Deployment:
- Raise TTLs back to optimized values once stability is confirmed.
- Document the timeline of the change and lessons learned.
- Review monitoring coverage so every public-facing DNS dependency is observed.
Final Thoughts: Small Configs, Big Impact
The fragility of email delivery pipelines often stems from dependencies outside your direct control, like DNS caching behaviors of third-party resolvers. By acknowledging this, engineering teams can build greater resilience by aligning rollout processes with infrastructure reality — including the invisible dance of DNS propagation.
DNS issues don’t always look like outages until it’s far too late. But with better TTL strategy, external monitoring, and staged deployment, they can be prevented. In a world driven by customer engagement and deliverability metrics, that’s a lesson worth learning the easy way.
