What is an SOA record? (Start of Authority, explained)

Every zone has exactly one SOA record, and most people never touch it. But one of its fields quietly decides how long the internet keeps believing your new record does not exist yet.

The one-sentence version

An SOA (Start of Authority) record is the housekeeping record at the top of every DNS zone. There is exactly one, it sits at the apex alongside your NS records, and it carries the metadata that keeps your nameservers in sync and tells resolvers how long to remember things.

What an SOA record looks like

It packs more fields than any other record: a primary nameserver, an admin email, a serial number, and four timers.

example.com.  3600  IN  SOA  ns1.dnsprovider.net. admin.example.com. (
                            2026062301  ; serial
                            7200        ; refresh
                            3600        ; retry
                            1209600     ; expire
                            3600 )      ; minimum (negative-cache TTL)

  • MNAME (ns1.dnsprovider.net) names the primary source of the zone. It is informational; your nameserver list is the NS records, not this field.
  • RNAME (admin.example.com) is the zone admin's email, with the first dot standing in for the @ (so this means admin@example.com).
  • SERIAL is the version number of the zone.
  • REFRESH / RETRY / EXPIRE tell secondary nameservers how often to check for updates, how soon to retry a failed check, and how long to keep answering if they cannot reach the primary at all.
  • MINIMUM is the one that bites, and it is not what its name suggests.

The serial number, and why a change did not take everywhere

Most domains have several nameservers. They stay in sync by comparing serial numbers: when the primary's serial goes up, the secondaries pull the new copy. So the rule is simple, and breaking it is a classic outage:

  • Bump the serial on every change. If you edit the zone but forget to raise the serial, the secondaries see no change and keep serving the old zone. Your edit is live on one server and invisible on the others.
  • It only goes up. Comparison uses wrap-around serial-number arithmetic, not a plain integer compare, so a serial that jumps backward (or by a huge amount) can stall transfers. The common 2026062301 date-plus-counter format is a convention, not a rule: any scheme that always increases works.

In practice your DNS host bumps the serial for you on every save, and most providers now push changes to their own nameservers within seconds rather than waiting on the refresh timer. You only meet the serial when you run your own nameservers or transfer a zone by hand.
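
The wrap-around comparison described above, written out as an added example (not code from this page or from any DNS server). It follows RFC 1982 for 32-bit serials and goes one step beyond the text: `reset_path` is a hypothetical helper that lists the intermediate serials needed to move a zone to a lower serial without stalling transfers. All serials are constructed, based on the 2026062301 example.

```python
"""RFC 1982 serial number arithmetic for 32-bit SOA serials (added example)."""

MOD = 1 << 32    # size of the serial number space
HALF = 1 << 31   # a jump this large or larger no longer reads as "newer"


def serial_compare(s1, s2):
    """Return -1 if s1 < s2, 1 if s1 > s2, 0 if equal, None if undefined."""
    diff = (s2 - s1) % MOD
    if diff == 0:
        return 0
    if diff == HALF:
        return None  # exactly half the space apart: RFC 1982 leaves this undefined
    return -1 if diff < HALF else 1


def secondary_would_transfer(secondary_serial, primary_serial):
    """A secondary pulls the zone only when the primary's serial is 'greater'."""
    return serial_compare(secondary_serial, primary_serial) == -1


def reset_path(current, target):
    """Serials to publish, in order, to get from `current` to `target`.

    Each step is at most 2**31 - 1 ahead of the previous one, so secondaries
    see it as newer. Every secondary must load a step before the next one
    is published.
    """
    path = []
    while current != target:
        if serial_compare(current, target) == -1:
            current = target                      # target already reads as newer
        else:
            current = (current + HALF - 1) % MOD  # largest jump still seen as newer
        path.append(current)
    return path


if __name__ == "__main__":
    print(secondary_would_transfer(2026062301, 2026062302))  # normal bump
    print(secondary_would_transfer(2026062301, 2026062301))  # forgot to bump
    print(secondary_would_transfer(2026062301, 2026062201))  # went backward
    print(secondary_would_transfer(1, 1 + HALF + 5))         # jumped too far
    print(reset_path(2026062301, 2025010101))
```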

The minimum field is really the negative-cache timer

Here is the field worth understanding, because it explains a question every admin asks. The SOA minimum originally meant a default TTL for the whole zone. RFC 2308 redefined it: today it is the negative-cache TTL, how long resolvers are allowed to remember that a name or record does not exist.

That is the real answer to “I published my DMARC record, why does it still say not found?” If any resolver looked up _dmarc.example.com before you created it, it received a “no such name” answer (an NXDOMAIN), and it caches that negative for the lesser of the SOA minimum and the SOA record's own TTL. Until that timer expires, the resolver keeps insisting your brand-new record is not there, even though it is live at your nameservers.

A sensible minimum is short, often an hour or less; values over a day are known to cause exactly this confusion. We walk through the whole “not live yet” problem in DNS propagation and TTL.
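
To make the negative-cache rule concrete, here is an added example (not code from this page) that parses the SOA record shown earlier, decodes RNAME, and applies the "lesser of the SOA minimum and the SOA's own TTL" rule. It assumes a fully specified record with numeric TTLs in seconds; the function names are hypothetical and the timestamps are constructed.

```python
"""Parse a zone-file SOA record and report its negative-cache TTL."""
import re

# Constructed sample: the SOA record shown earlier on this page.
SAMPLE = """\
example.com.  3600  IN  SOA  ns1.dnsprovider.net. admin.example.com. (
                            2026062301  ; serial
                            7200        ; refresh
                            3600        ; retry
                            1209600     ; expire
                            3600 )      ; minimum (negative-cache TTL)
"""
FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(text):
    """Assumes owner, numeric TTL, class IN and all seven RDATA fields are present."""
    tokens = re.sub(r";[^\n]*", "", text).replace("(", " ").replace(")", " ").split()
    if len(tokens) != 11 or [t.upper() for t in tokens[2:4]] != ["IN", "SOA"]:
        raise ValueError("not a fully specified SOA record")
    soa = {"owner": tokens[0], "ttl": int(tokens[1]),
           "mname": tokens[4], "rname": tokens[5]}
    soa.update(zip(FIELDS, map(int, tokens[6:])))
    return soa


def rname_to_email(rname):
    """The first unescaped dot becomes '@'; an escaped dot stays in the local part."""
    local, domain = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    return local.replace("\\.", ".") + "@" + domain


def negative_cache_ttl(soa):
    """RFC 2308: a negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa["ttl"], soa["minimum"])


def seconds_until_recheck(soa, cached_at, now):
    """Seconds a resolver that cached 'not found' at cached_at keeps saying so."""
    return max(0, cached_at + negative_cache_ttl(soa) - now)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE)
    print(rname_to_email(soa["rname"]), negative_cache_ttl(soa))
    if soa["minimum"] > 86400:  # the page's "over a day" threshold
        print("minimum exceeds one day: new records may look missing for long")
```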

Do you ever edit it?

Almost never by hand. Your DNS provider creates the SOA, manages the serial, and sets sane timers. The reason to understand it is diagnostic: when a new SPF, DKIM, or DMARC record reads as missing for a while after you publish it, the SOA minimum is usually why, and the fix is to wait it out, not to republish in a panic.

Common questions

Why does my new DMARC record still say not found?

Because a resolver that checked the name before you published it cached the “does not exist” answer, and that negative cache lasts as long as the SOA minimum (capped by the SOA's own TTL). Wait for it to expire, then re-check. Querying your authoritative nameserver directly bypasses the cached negative.

What is the SOA serial number for?

It is the zone's version number. Secondary nameservers compare it to decide when to pull an updated copy, so it must increase on every change. Your DNS host normally manages it automatically.

Do I need to edit my SOA record?

Rarely. Managed DNS providers handle the SOA for you. It matters mainly as an explanation: the minimum field is why a freshly published record can look missing for a little while.

Last verified 2026-06-23 against RFC 2308 §4, which redefined the SOA minimum as the negative-cache TTL.
