Zone Apex
The root of a domain’s DNS zone, where records like SPF, DKIM, and DMARC are defined. Learn how it affects authentication and mail flow.
What Is a Zone Apex?
The Zone Apex (sometimes called the root domain) is the highest level of a domain’s DNS zone, i.e., the point at which all DNS records for that domain are defined.
For example, in the domain example.com, the Zone Apex refers to example.com itself, not a subdomain like mail.example.com.
It’s where critical DNS records such as A, MX, TXT, and NS are managed, including entries that control email authentication and routing.
How the Zone Apex Works in DNS
Every domain has a DNS “zone,” which is the authoritative database of records that tell other systems how to interact with that domain. The Zone Apex is the top of that zone (the central record authority).
Typical records stored at the Zone Apex include:
- A or AAAA records – Point the domain to an IP address.
- MX records – Specify mail servers for email delivery.
- TXT records – Contain SPF, DKIM, and DMARC information.
- NS records – Define which nameservers are authoritative for the domain.
Because many DNS providers restrict what record types can be added at the apex (for instance, traditional CNAME records aren’t allowed there), administrators often use alternatives like ALIAS or ANAME records to achieve similar functionality.
The Zone Apex in Email Authentication
The Zone Apex plays a crucial role in email authentication, since this is usually where you publish your SPF, DKIM, and DMARC TXT records.
A DMARC record, for example, is typically published at:
_dmarc.example.com
which sits directly under the Zone Apex.
Any subdomains, like marketing.example.com, can inherit authentication policies from the root unless they have their own DNS zone and policy definitions. This hierarchical relationship ensures consistent authentication coverage across your domain ecosystem.
Zone Apex and DMARCeye
DMARCeye helps organizations verify that DNS-based authentication records at the Zone Apex are published correctly and functioning as intended.
By parsing and analyzing DMARC aggregate reports, DMARCeye reveals whether SPF, DKIM, and DMARC records at the root domain are being recognized and applied consistently across mail flows.
This insight helps administrators detect missing or misconfigured records at the apex, preventing authentication failures and improving both security and deliverability.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.