DNS records_
Learn how DNS zones work for organization domains in Appwrite, including record types and locked entries.
3 min read
When a domain is verified with Appwrite nameservers, Appwrite hosts the authoritative DNS zone for that domain. The zone contains all records for that domain and is managed under Organization > Domains.
This applies to Appwrite-registered domains and external domains alike.
For platform-wide DNS behavior (apex domains, CNAME flattening, TLS), see Appwrite DNS service.
Zones and verification
A verified domain uses Appwrite nameservers (ns1.appwrite.zone and ns2.appwrite.zone). The Records tab on the domain shows the full zone Appwrite serves.
Until verification completes, treat DNS changes in Appwrite as preparatory only. Product connections that require a verified zone should wait until status shows Verified.
Record types
Appwrite supports the following record types on organization domains:
| Type | Purpose |
|---|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| CNAME | Alias to another hostname |
| MX | Mail servers |
| TXT | Text verification, SPF, DKIM, and similar |
| NS | Nameserver delegation within the zone |
| SRV | Service location |
| CAA | Certificate authority authorization |
| HTTPS | HTTPS service binding (SVCB/HTTPS) |
| ALIAS | Apex-friendly alias (similar to CNAME at root) |
Locked records
When you add a domain, Appwrite creates records required for network integration (routing, TLS, and nameserver glue). Locked records:
- Cannot be edited or deleted from the Console.
- Ensure Sites, Functions, and API custom domains can attach safely.
Add your own records alongside locked entries. Appwrite prevents conflicts with locked names when you save.
TTL and propagation
Each record has a TTL (time to live) that controls how long resolvers cache the answer. Lower TTL values speed up changes during migrations but increase query volume. After stable configuration, many teams use 3600 seconds (1 hour) or higher for static records.
Record changes on Appwrite DNS typically propagate faster than registrar nameserver changes, but resolvers worldwide may cache old values until TTL expires.
Product connections
Organization DNS is authoritative for the zone. When you attach a hostname on a Site, Function, or project API, Appwrite may add locked CNAME (or related) records in this zone automatically.
Product settings still control routing behavior (for example Sites domain rule types). Subdomains usually need a CNAME to appwrite.network (Sites/Functions) or the API target from project settings; apex domains use nameserver delegation or CNAME flattening.
See Connect to products for step-by-step apex and subdomain setup across all products.
For inbound email, use DNS presets to add provider MX records without entering each value manually.
Was this page helpful?
Share what worked or what we should fix. Once approved, our agents automatically apply suggested updates to the docs.