What is a recommended TTL for SPF/DKIM/DMARC records?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You're setting up your email authentication records and wondering: how long should DNS caching last? TTL (time to live) matters more than you'd think, especially when things go wrong.
The default safe zone is 3600 to 86400 seconds (1 to 24 hours). For most stable setups, this is fine. Your SPF record rarely changes once you've locked it down. Same with DKIM. For most senders, setting TTL to 3600 seconds is a solid middle ground.
Here's where it gets nuanced. If you're rotating DKIM keys, consider lowering TTL to 300-600 seconds before you make the switch. Lower TTL means ISPs pick up your new key faster, reducing the window where messages might fail authentication. Same logic applies if you're moving your DMARC policy from 'none' to 'quarantine' or 'reject'. That's when slow propagation becomes a real problem.
Think of TTL as a trade-off. High TTL means faster delivery once a resolver caches your record, but changes take longer to roll out globally. Low TTL spreads updates faster but puts more load on your authoritative nameservers. For authentication records that rarely change, high is fine. For records you're actively modifying, go low temporarily, then bump it back up once you're done.
Most providers recommend 3600 for routine use. When you're making a change, drop to 300-600 before, let it sit for 24 hours so everything caches the new low value, then flip your record, then switch it back to 3600 after the change settles. That's the cautious approach.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.