Internet Toolset Blog

DNS Launch Checklist: MX Records, Domain Locks, and Zone Transfer Tests

Domain configuration problems tend to appear at the worst possible time: right after a website launch, email migration, registrar transfer, or DNS provider change. A small DNS mistake can break email delivery, expose records that should not be public, or leave a valuable domain more vulnerable than necessary.

This launch checklist focuses on three checks that are easy to run and easy to overlook: MX records, domain lock status, and DNS zone transfer exposure. Together they give a practical view of whether the domain is ready for production traffic.

Check MX records before email users notice

MX records tell mail servers where to deliver email for a domain. If the records are missing, duplicated incorrectly, pointed at retired hosts, or assigned the wrong priority, mail can fail or route inconsistently. Use the MX Record Checker to confirm every mail exchanger, priority value, and host target before a DNS cutover.

For migrations, compare old and new MX results while TTLs are still low. If a domain uses Google Workspace, Microsoft 365, or another managed mail platform, verify the provider’s required records exactly. Also check SPF, DKIM, and DMARC after the MX records are correct, because mail routing and authentication work together.
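The old-versus-new comparison described above can be scripted. The following is an added example, not part of the blog's tools: it takes dig-style answer lines as text, reports MX records that were added or removed, and flags targets that are IP literals (an MX target must be a hostname) and TTLs above a cutover threshold. The function names, the 300-second threshold, and the sample records are assumptions made for illustration.

```python
import ipaddress

LOW_TTL = 300  # assumption: what counts as a "low" TTL (seconds) during a cutover

def parse_mx(answer_text):
    """Parse dig-style answer lines: name TTL IN MX priority target."""
    records = []
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[2].upper() != "IN" or fields[3].upper() != "MX":
            continue  # skip blanks, comments and non-MX records
        records.append({"ttl": int(fields[1]), "priority": int(fields[4]),
                        "target": fields[5].rstrip(".").lower()})
    return records

def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def compare_mx(old_text, new_text):
    """Return a list of findings describing how the new MX set differs."""
    old, new = parse_mx(old_text), parse_mx(new_text)
    old_set = {(r["priority"], r["target"]) for r in old}
    new_set = {(r["priority"], r["target"]) for r in new}
    findings = [] if new else ["new answer has no MX records"]
    for prio, target in sorted(new_set - old_set):
        findings.append(f"added: {prio} {target}")
    for prio, target in sorted(old_set - new_set):
        findings.append(f"removed: {prio} {target}")
    for r in new:
        if is_ip_literal(r["target"]):
            findings.append(f"invalid target (IP literal): {r['target']}")
        if r["ttl"] > LOW_TTL:
            findings.append(f"ttl {r['ttl']}s above {LOW_TTL}s: {r['target']}")
    return findings

# Constructed sample answers; all names and addresses are placeholders.
OLD = ("example.com. 300 IN MX 10 mx1.oldhost.example.\n"
       "example.com. 300 IN MX 20 mx2.oldhost.example.")
NEW = ("example.com. 3600 IN MX 10 mx1.newhost.example.\n"
       "example.com. 300 IN MX 20 mx2.oldhost.example.\n"
       "example.com. 300 IN MX 30 192.0.2.25.")

if __name__ == "__main__":
    for finding in compare_mx(OLD, NEW):
        print(finding)
```

An empty result means the two answers list the same priority and target pairs with no flagged targets or TTLs.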

Confirm the domain lock is enabled

A registrar lock prevents unauthorized or accidental domain transfers. It does not replace account security, but it is an important layer for any domain that carries traffic, email, brand value, or ad revenue. Use the Domain Lock Checker to inspect the status codes returned for the domain.

Status values such as clientTransferProhibited are generally expected for a locked production domain. If the lock is disabled outside a planned transfer window, treat it as a configuration issue and review registrar access, account recovery settings, and two-factor authentication.

Test for open zone transfers

DNS zone transfers are intended for synchronization between authorized name servers. When exposed publicly, they can reveal subdomains, internal hostnames, mail infrastructure, and service records. That information can be useful to attackers and competitors, and it is rarely something a public website needs to expose.

Run the domain through the Zone Transfer Tester and verify that unauthorized AXFR requests are denied. If a name server allows public transfers, restrict transfers to approved secondary DNS servers only.

Production DNS checklist

  • Confirm authoritative name servers match the DNS provider you intend to use.
  • Check MX targets and priority values with the MX checker.
  • Verify registrar transfer lock status with the domain lock checker.
  • Run a zone transfer test against authoritative name servers.
  • Review TTL values before and after migrations.
  • Check related records such as SPF, DKIM, DMARC, CAA, and DNSSEC where applicable.

When to run the checklist

Run these checks before a launch, before moving email providers, after changing registrars, after changing DNS hosting, and after any incident involving account access. The checks are quick, but they protect systems that users notice immediately when something breaks.