What does TTL (Time To Live) mean for DNS records?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You update your SPF record, wait a few minutes, then check your authentication and it still shows as failing. Is the record wrong? Did it not save? Maybe. But there's a good chance it's actually a TTL issue.
TTL (Time To Live) is a number, measured in seconds, that tells DNS resolvers how long to cache a record before checking for updates. When a resolver looks up your SPF or DKIM record, it grabs the value and stores it locally for however long the TTL says. Until that timer runs out, the resolver won't go back to ask your DNS host for a fresh copy. It just serves the old cached version.
So if your SPF record had a TTL of 3600 (one hour) when you made a change, some resolvers might still be serving the old record for up to an hour after you saved the new one. That's not a bug. That's TTL doing exactly what it's supposed to do.
What happens when you change a record
Every resolver on the internet has its own cache. When you update a DNS record, each resolver will keep using the old version until its cached copy expires. Then it re-fetches the new one. This is why propagation isn't instant. Different resolvers expire their cache at different times, so there's a window where some mail servers see your new record and others still see the old one.
Lower TTL vs higher TTL
A lower TTL (like 300 seconds, or 5 minutes) means resolvers check for updates more frequently. Changes travel faster. The trade-off is slightly more DNS query traffic to your authoritative server. For email authentication records like SPF, DKIM, and DMARC, a lower TTL is worth it. These records change occasionally, and when they do change, you want the update to reach mail servers fast.
A higher TTL (like 3600 to 86400 seconds) means fewer queries and better caching across the network. That's fine for records that almost never change. But if you update a record with a 24-hour TTL and something goes wrong with your authentication, you're potentially waiting a full day for a fix to propagate everywhere.
A practical tip: if you know you're about to make a DNS change, lower your TTL to 300 a day or two beforehand. That way the old high TTL has time to expire before you make the switch, and your change spreads quickly when you do make it. Once things are stable, you can raise it again. (Of course, that requires remembering to do it in advance, which is easier said than done.)
You can check how your current SPF record looks to the outside world using our free SPF checker. If you're mid-change and not sure whether propagation is the problem or something else, that's a good place to start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.