Skip to content

Default Records

getlocalcert initializes your subdomain with several default DNS records. These are helpful to ensure that the getlocalcert service works well for private networks. Many of these cannot be modified.

A records

Subdomains of are configured with an A record set to This record cannot be modified as is designed for localhost use only.

However, you may use split view DNS to set your own A records internal to your network.

Email records

Private domains cannot be send or receive email. To prevent spam, several email related DNS records have been set and cannot be modified.


Sender policy framework (SPF) indicates which servers are authorized to send email. getlocalcert sets a null SPF record, indicating that no servers are authorized senders.


DomainKeys Identified Mail (DKIM) uses digital signatures to authenticate email. getlocalcert sets a null DKIM record, indicating that there is no valid signing key.


Domain-based Message Authentication Reporting and Conformance (DMARC) specifies a policy for authenticating email. getlocalcert sets a DMARC record that indicates that any email failing the SPF or DKIM check should be rejected. Paired with the null SPF and null DKIM policy, any modern mail server will reject any spoofed email for managed domains.


The MX record indicates the server used to receive email for a domain. getlocalcert sets a null MX record, indicating that managed subdomains cannot receive email.

NS records

NS records indicate which DNS server is authoritative for a domain. The getlocalcert DNS server is authoritative for all managed subdomains. NS records cannot be modified.

SOA records

The SOA (start of authority) record contains technical information used to manage the subdomain. This record cannot be modified.