DNS Record Cleanup Guide
Over time, DNS zones collect unused records from old services, cancelled hosting, and forgotten test subdomains. Cleaning them up reduces security risks and makes your DNS easier to manage.
Quick Answer
To clean up DNS records: export your current zone, identify every record's purpose, check if the target IP or hostname is still active, remove records that point to dead resources, and verify changes with a DNS propagation checker. Pay special attention to CNAME records pointing to cancelled cloud services, as these can be exploited for subdomain takeover attacks. Always lower the TTL before deleting so you can recover quickly if something breaks.
Why DNS Cleanup Matters
Most domain owners add DNS records but rarely remove them. You sign up for a service, add a CNAME or TXT record for verification, then cancel the service months later. The DNS record stays. Over years, your zone file fills up with records that point to servers that no longer exist, IP addresses you no longer own, and verification tokens for services you no longer use.
This is not just about keeping things tidy. Unused records create real security risks.
| Risk | What Can Happen |
|---|---|
| Subdomain takeover | A CNAME pointing to a cancelled cloud service (Heroku, Azure, S3 bucket) can be claimed by an attacker who registers that resource |
| Email spoofing | An MX record pointing to a decommissioned mail server whose hostname you no longer control can be registered by an attacker, who then receives mail sent to your domain |
| Loose SPF records | An SPF record that still authorizes a service you no longer use gives that service (or whoever takes it over) permission to send email as your domain |
| Confusion during troubleshooting | When DNS issues arise, a cluttered zone makes it harder to find the problem. Old records can conflict with new ones in unexpected ways |
How to Audit Your DNS Records
Export your current zone
Log in to your DNS provider (Cloudflare, Namecheap, GoDaddy, Route 53) and export or screenshot all records. You need a complete list of every A, AAAA, CNAME, MX, TXT, SRV, and NS record in your zone.
Document each record's purpose
Go through every record and write down what it does. If you cannot explain why a record exists, flag it for investigation. Common records you might not recognize include old domain verification TXT records, CNAME records for cancelled SaaS services, and A records for test subdomains.
Check if targets are still live
For each record, verify that the target IP or hostname still responds. Use dig or nslookup to check A records, or simply try loading the subdomain in a browser. If the target returns a 404, a hosting provider's default page, or does not respond at all, the record is likely stale.
Check your SPF record
Look at the services authorized in your SPF TXT record. If you see include: entries for email services you no longer use (old CRM, marketing tool, or hosting provider), remove them. Every authorized sender that you don't control is a potential email spoofing vector.
Look for dangling CNAMEs
CNAME records pointing to cloud services you cancelled are the highest-priority items. If blog.yourdomain.com points to a Heroku or Netlify hostname that no longer exists, an attacker can claim that hostname and serve content on your subdomain.
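The four audit steps above, carried out over a zone export, as an added example (not code from the original guide). It parses a constructed BIND-style export and flags dangling CNAMEs, unused SPF include: entries and leftover verification tokens; the "still in use" set and the "does it resolve" results are hypothetical inputs standing in for what you would gather with dig or nslookup.

```python
import re

# Constructed sample zone export in BIND format (not a real zone).
ZONE = """\
www   3600 IN A     203.0.113.10
blog  3600 IN CNAME old-app.herokuapp.com.
shop   300 IN CNAME shops.myshopify.com.
@     3600 IN MX    10 mail.example-mail.net.
@     3600 IN TXT   "v=spf1 include:_spf.google.com include:mail.oldcrm.example ~all"
@     3600 IN TXT   "google-site-verification=abc123"
"""

# Hypothetical audit inputs: hostnames of services still in use (step 2) and
# the outcome of checking whether each CNAME/MX target still resolves (step 3).
IN_USE = {"_spf.google.com", "shops.myshopify.com", "mail.example-mail.net"}
RESOLVES = {"old-app.herokuapp.com": False, "shops.myshopify.com": True,
            "mail.example-mail.net": True}

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$")

def parse_zone(text):
    """Return (name, ttl, type, rdata) tuples; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            out.append((name, int(ttl), rtype, rdata.strip()))
    return out

def audit(records, in_use, resolves):
    """Flag records the guide calls stale; each finding carries a TTL note."""
    findings = []
    def flag(name, ttl, kind, reason):
        note = "" if ttl <= 300 else " (lower TTL to 300 and wait 24h before deleting)"
        findings.append({"name": name, "kind": kind, "reason": reason + note})
    for name, ttl, rtype, rdata in records:
        if rtype == "CNAME":
            target = rdata.rstrip(".")
            if not resolves.get(target, False):   # unknown hosts count as dangling
                flag(name, ttl, "dangling-cname", "target %s no longer resolves" % target)
        elif rtype == "MX":
            host = rdata.split()[-1].rstrip(".")
            if host not in in_use:
                flag(name, ttl, "stale-mx", "mail host %s not in use" % host)
        elif rtype == "TXT" and rdata.strip('"').startswith("v=spf1"):
            for inc in re.findall(r"include:(\S+)", rdata):
                if inc not in in_use:
                    flag(name, ttl, "spf-include", "unused include:%s" % inc)
        elif rtype == "TXT" and "verification" in rdata:
            flag(name, ttl, "verification-txt", "token, confirm the service is still active")
    return findings

if __name__ == "__main__":
    for f in audit(parse_zone(ZONE), IN_USE, RESOLVES):
        print(f["name"], f["kind"], f["reason"])
```

Dangling CNAMEs come out first in the findings, which matches the guide's priority order for removal.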
How to Safely Remove Records
Deleting DNS records is permanent on most providers. There is no undo button. Follow this process to avoid breaking anything.
Back up your zone first
Export your DNS zone or take a screenshot of all records before making changes. If something goes wrong, you need to know exactly what to recreate.
Lower the TTL before deleting
Change the record's TTL to 300 seconds (5 minutes) and wait 24 hours. This ensures that if you delete the record and need to bring it back, the restored record propagates within minutes instead of hours.
Delete one record at a time
If you delete multiple records at once and something breaks, you will not know which deletion caused the issue. Remove one record, wait, verify nothing is broken, then move to the next.
Verify after each deletion
After removing a record, check that your website, email, and subdomains still work. Use a DNS propagation checker to confirm the record is gone from global DNS servers.
Never delete these records unless you know exactly what you are doing: your domain's NS records (they control who manages your DNS), your primary A record (your website), your MX records (your email), and your SOA record (zone metadata).
Common Records That Need Cleanup
| Record Type | Common Stale Examples | Action |
|---|---|---|
| TXT | Old domain verification tokens (Google, Microsoft, Mailchimp, HubSpot) | Delete if verification is complete and service is active, or if you cancelled the service |
| CNAME | Subdomains pointing to cancelled cloud apps (Heroku, Netlify, Shopify, old CDN) | Delete immediately; these are subdomain takeover risks |
| A | Test subdomains, old server IPs, staging environments | Delete if the IP no longer belongs to you |
| MX | Old email provider entries after migrating to a new provider | Delete old entries, keep only your current provider's MX records |
| SPF (TXT) | include: entries for services you no longer use | Remove the unused include: from your SPF record |
| DKIM (CNAME/TXT) | DKIM keys for email services you migrated away from | Delete old DKIM records, keep only your current provider's keys |
DNS Cleanup Checklist
- Export or screenshot your current DNS zone
- List every record and document its purpose
- Check all CNAME records for dangling targets (subdomain takeover risk)
- Review SPF record and remove unused include: entries
- Remove old domain verification TXT records
- Delete A records pointing to IPs you no longer own
- Remove old MX and DKIM records from previous email providers
- Verify all remaining records resolve correctly using a propagation checker
- Set a calendar reminder to repeat this audit in 3 to 6 months
Verify Your DNS Records
After cleaning up your DNS, verify that all remaining records are resolving correctly across 21 global DNS servers.