When you switch DNS nameservers without altering your MX records, emails might fail to deliver to some recipients while working for others. This often points to issues with DNS propagation or specific configurations that weren't fully transferred or are incompatible with the new nameservers. Understanding how DNS resolution works and the role of TTL (Time to Live) values is crucial in diagnosing and resolving these intermittent failures.
Key findings
DNS propagation: The most common reason for partial email delivery failure after a nameserver switch is that DNS changes haven't fully propagated across the internet. Different DNS resolvers (used by various email servers) update their cache at different rates, based on the Time to Live (TTL) values set on your DNS records.
Cached nameservers: Some sending mail servers may still be querying your old, cached nameservers, which are no longer active or reachable. If these servers cannot connect to the old nameservers, they cannot resolve your MX records, and the mail is rejected.
DNSSEC incompatibility: If your domain was previously configured with DNSSEC and you moved to nameservers that do not support it, or if the DNSSEC records were not properly re-signed or removed during the migration, this can cause validation failures for some resolvers.
MX record resolution: Receiving mail servers perform a DNS lookup to find the MX record for the sender's domain. If this lookup fails due to the nameserver change (e.g., the new nameservers are not correctly configured or the old ones are unreachable), the email will be rejected.
Key considerations
TTL management: Before changing nameservers, reduce the TTL for your MX and other relevant DNS records to a very low value (e.g., 300 seconds or 5 minutes). This ensures that DNS resolvers update their cache more frequently, minimizing the propagation delay. After the migration, you can revert to a higher TTL.
Verify DNS records: Ensure all necessary DNS records, including A, MX, SPF, and DKIM, are accurately recreated on your new nameservers exactly as they were on the old ones. A small discrepancy can lead to problems. This can also prevent issues like SPF resolution failures.
Monitor propagation: Use online DNS propagation checkers to monitor how your new nameservers are resolving globally. This will help you identify if certain regions or networks are still seeing old records.
DNSSEC handling: If your domain used DNSSEC, ensure your new nameserver provider supports it, or carefully disable it at your domain registrar before the nameserver change to avoid validation errors.
Temporary email routing: Consider a temporary email forwarding service during the transition if you anticipate significant downtime or propagation issues. This can help prevent sudden increases in DNS failures and hard bounces. Zoho Mail provides further information on configuring email delivery during transitions.
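The TTL and record checks above can be scripted before the cutover. This is an added example, not part of the original article: it parses `dig +noall +answer` output captured from the old and new authoritative servers and reports records missing or different on the new side, plus TTLs still above 300 seconds. The domain, the selector `s1` and all answers are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample answers in `dig +noall +answer` format, as captured by
# querying each provider's authoritative server directly (placeholder data).
OLD_NS_ANSWERS = """\
example.com.               3600 IN MX  10 mail.example.com.
mail.example.com.          3600 IN A   192.0.2.25
example.com.               3600 IN TXT "v=spf1 mx -all"
s1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"
"""
NEW_NS_ANSWERS = """\
example.com.               300 IN MX  10 mail.example.com.
example.com.               300 IN TXT "v=spf1 mx ~all"
s1._domainkey.example.com. 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"
"""

def parse_answers(text):
    """Return {(owner, type): {"ttl": int, "rdata": set of strings}}."""
    rrsets = defaultdict(lambda: {"ttl": 0, "rdata": set()})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrset = rrsets[(owner.lower(), rtype.upper())]
        rrset["ttl"] = int(ttl)
        rrset["rdata"].add(" ".join(rdata.split()))  # normalise spacing
    return dict(rrsets)

def audit_migration(old_text, new_text, max_ttl=300):
    """List (finding, owner, type) tuples for every record set on the old side."""
    old, new = parse_answers(old_text), parse_answers(new_text)
    findings = []
    for key, rrset in sorted(old.items()):
        owner, rtype = key
        if rrset["ttl"] > max_ttl:
            findings.append(("ttl-too-high", owner, rtype))
        if key not in new:
            findings.append(("missing-on-new", owner, rtype))
        elif new[key]["rdata"] != rrset["rdata"]:
            findings.append(("differs-on-new", owner, rtype))
    return findings

if __name__ == "__main__":
    for finding in audit_migration(OLD_NS_ANSWERS, NEW_NS_ANSWERS):
        print(*finding)
```

In the sample, the MX record itself is unchanged, yet the A record for the MX host was not recreated and the SPF policy was altered, which is the kind of discrepancy that only some receivers will notice at first.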
What email marketers say
Email marketers often encounter unexpected issues when changing DNS nameservers, even without altering MX records. The primary concern revolves around the inconsistent resolution of DNS, leading to some emails delivering successfully while others bounce back. This highlights the delicate nature of DNS changes and their potential impact on email flow.
Key opinions
Partial delivery: Marketers frequently report that emails become undeliverable to some servers but not others after a nameserver change, even if authentication records like SPF, DKIM, and DMARC remain untouched.
Propagation is key: Many marketers identify DNS propagation delays as the core issue. New nameservers simply aren't showing up consistently across all resolvers, causing some mail servers to fail to find the correct MX records.
Old cache problems: A common observation is that receiving mail servers might hold onto old, cached nameserver information. If these old nameservers become unreachable, the receiving server cannot perform the necessary MX lookup, resulting in email rejection.
DNSSEC impact: Some marketers have discovered that an unexpected cause of failure is moving to new nameservers that do not support DNSSEC, especially if the domain was previously configured for it. This can lead to validation errors.
Key considerations
Pre-change TTL adjustments: To minimize disruption, marketers often recommend lowering TTL values on DNS records before a nameserver switch. This speeds up cache expiration and the adoption of new records.
Full record migration: It's critical to ensure all DNS records, not just MX, are accurately transferred to the new nameservers. Missing records or misconfigurations can cause varied issues, as discussed in the impact of changing nameservers.
DNSSEC verification: If DNSSEC was enabled, marketers suggest confirming its proper handling with the new provider or carefully disabling it to prevent authentication failures.
Post-change monitoring: Continuous monitoring of DNS propagation and email deliverability after a nameserver switch is vital to catch and rectify issues quickly. Practical 365 offers insights on managing changes to MX records and incoming email flow.
Anticipate delays: Be prepared for some temporary email loss or delays, as DNS changes do not instantly propagate across all systems. This is an inherent part of the DNS system.
Marketer view
Email marketer from Email Geeks shares that undeliverable emails were observed despite no changes to SPF, DKIM, or DMARC, affecting only specific senders.
28 Sep 2019 - Email Geeks
Marketer view
Email marketer from Email Geeks confirms that DNS propagation issues, where new nameservers fail to update, can lead to email delivery problems.
28 Sep 2019 - Email Geeks
What the experts say
DNS nameserver changes, even without explicit MX record alterations, can significantly disrupt email deliverability. Experts highlight that the interplay between DNS caching, propagation, and security mechanisms like DNSSEC can create a complex web of issues leading to intermittent failures. Proper planning and meticulous verification are paramount to a smooth transition.
Key opinions
Caching discrepancies: Experts frequently note that different mail servers (and their DNS resolvers) will have varying cache expiration times, leading to inconsistent lookup results during a nameserver transition. This means some servers will see the new DNS, while others will still query old, possibly defunct, nameservers.
Root server updates: A crucial step often missed is ensuring the domain's registration authority correctly updates the root nameserver entries. If these are not updated, the internet's backbone DNS system will continue directing queries to the old nameservers.
DNSSEC validation errors: When a domain previously used DNSSEC, and the new nameservers either don't support it or the DNSSEC records aren't properly re-configured, receiving mail servers performing DNSSEC validation will fail to resolve the domain, leading to rejections.
MX record dependency: Even if the MX records themselves haven't changed, their proper resolution depends entirely on the nameservers being accessible and correctly configured. If the nameservers are problematic, MX lookups fail, and emails cannot be delivered.
Key considerations
Pre-transition TTL reduction: Experts universally advise lowering the TTL on all relevant DNS records (especially MX and A records for mail servers) several hours or days before the nameserver switch. This minimizes the period of inconsistent resolution.
Comprehensive DNS audit: Perform a thorough audit of all existing DNS records before the migration to ensure every record is accurately replicated on the new nameservers. This includes less common records that might impact deliverability. Ensuring proper DMARC, SPF, and DKIM setup is part of this.
Careful DNSSEC migration: For domains with DNSSEC, either ensure the new provider fully supports and correctly configures DNSSEC, or carefully remove DNSSEC from the domain registrar before switching nameservers to prevent validation errors. This step is critical to avoid low email deliverability.
Post-migration testing: After the nameserver change, perform extensive email sending and receiving tests to various ISPs and email providers. Pay close attention to bounce messages for clues regarding DNS resolution failures. DNS Made Easy provides detailed information on the interplay between DNS and email.
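Whether a signed domain keeps resolving for validating resolvers after a move depends on the DS record held at the registrar still matching a DNSKEY that the new nameservers serve. This added example (not from the original article or any provider's tooling) computes the RFC 4034 key tag and SHA-256 DS digest and classifies the migration outcomes described above. The keys are constructed bytes, and signature (RRSIG) verification is out of scope.

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Owner name in canonical (lowercase) wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, digest hex)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_status(owner, parent_ds, served_dnskeys):
    """Classify the delegation the way a validating resolver would see it."""
    if not parent_ds:
        return "insecure"  # DS removed at registrar: zone treated as unsigned
    if not served_dnskeys:
        return "bogus: DS at parent, but nameservers serve no DNSKEY"
    computed = {make_ds(owner, key) for key in served_dnskeys}
    if computed & set(parent_ds):
        return "secure"
    return "bogus: DS matches none of the served DNSKEYs"

# Constructed sample keys (arbitrary bytes, not real key material).
# Flags 257 = key-signing key, algorithm 13 = ECDSA P-256 with SHA-256.
ZONE = "example.com."
OLD_KEY = dnskey_rdata(257, 13, bytes(range(64)))
NEW_KEY = dnskey_rdata(257, 13, bytes(range(64, 128)))
DS_AT_REGISTRAR = [make_ds(ZONE, OLD_KEY)]  # still points at the old key

if __name__ == "__main__":
    for label, ds, keys in [("before move", DS_AT_REGISTRAR, [OLD_KEY]),
                            ("new provider unsigned", DS_AT_REGISTRAR, []),
                            ("new provider re-signed", DS_AT_REGISTRAR, [NEW_KEY]),
                            ("DS removed first", [], [])]:
        print(f"{label}: {chain_status(ZONE, ds, keys)}")
```

Both "bogus" outcomes make validating resolvers return SERVFAIL for every record in the zone, MX included, while non-validating resolvers keep answering, which produces the partial-delivery pattern.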
Expert view
Deliverability expert from SpamResource emphasizes that proper DNS configuration, especially with nameserver changes, is crucial as mail servers rely on these for correct routing.
15 Apr 2024 - SpamResource.com
Expert view
Email deliverability professional from Wordtothewise.com highlights that cached DNS records, if not updated due to TTL expiry, can lead to mail servers attempting to connect to outdated nameservers.
20 Feb 2024 - Wordtothewise.com
What the documentation says
Official documentation and community resources emphasize the critical role of DNS in email delivery. They consistently point to DNS propagation, TTL values, and the accurate configuration of all DNS records (not just MX) as key factors influencing whether emails reach their destination after a nameserver transition. The proper handling of DNSSEC is also a recurring theme for domains where it is enabled.
Key findings
DNS records matter: MX records are fundamental for email delivery, directing mail servers. These records must be accurately maintained, and their resolution depends on functional nameservers.
Propagation delays: DNS changes, including nameserver updates, do not propagate instantaneously. Instead, old cached records expire based on their TTL, leading to a period of inconsistency where some systems see new data and others old.
DNSSEC impact: If a domain is configured with DNSSEC, a nameserver change without proper DNSSEC handling can cause validation failures, rendering the domain unreachable for email from validating servers.
Comprehensive DNS setup: All relevant DNS records (A, MX, TXT for SPF/DKIM) must be correctly recreated on the new nameservers to ensure continuous email flow.
Key considerations
Lower TTL: Documentation often recommends reducing TTL values on DNS records before a nameserver change to minimize the caching period and accelerate propagation of new records.
Verify all records: It's critical to ensure all necessary DNS records, including A, MX, SPF, and DKIM, are accurately transferred to the new nameservers. Missing an A record for your MX host can lead to email deliverability issues.
DNSSEC management: If DNSSEC is in use, verify that your new nameserver provider supports it and that the DNSSEC keys and records are correctly configured or removed during the transition.
Monitor propagation tools: Utilize public DNS propagation tools to observe the global update of your nameserver changes and ensure consistent resolution. Information on DNS propagation is available in various community forums.
Anticipate temporary issues: Expect some temporary email disruptions or delays until DNS fully stabilizes globally, which can take up to 48 hours, or even longer for specific cached resolvers.
Technical article
Zoho Mail documentation indicates that if email delivery issues occur, it might be due to conflicting MX records in your domain's DNS settings.
12 Apr 2023 - Zoho Mail
Technical article
Practical 365 documentation outlines scenarios where an MX record change is required, often revolving around cutting over inbound email traffic for a domain.