DNS problems are rarely dramatic. Nobody calls you because a TXT record is missing — they call because "email is going to spam" or "the www site is down" or "our new tool says domain verification failed," and the actual cause turns out to be one DNS record that was never set, or never updated after a migration. This is the reference list to work through when you need to confirm a client's DNS is actually correct, not just "the site loads."
Run the domain through DNS Lookup first, then check what comes back against this list.
A / AAAA records
What they're for: point the domain at the actual server IP address — A for IPv4, AAAA for IPv6.
What wrong looks like: the record points at a host that isn't where the site is actually running anymore — the classic sign of a migration that never fully cut over. If the client says they moved hosting providers "a while ago" and you see an IP that doesn't match the new host, that's your finding.
MX records
What they're for: tell the world which mail servers handle email for this domain.
What wrong looks like: MX records still pointing at an old email provider after a switch to a new one (Google Workspace and Microsoft 365 migrations are the usual suspects) — mail quietly misrouting or bouncing while nobody's watching. Also worth flagging: no MX record at all, which isn't automatically wrong (see the FAQ below) but is always worth confirming.
TXT records (SPF at minimum)
What they're for: SPF authorizes which mail servers are allowed to send email as this domain — it's an anti-spoofing and deliverability record. Other TXT records typically handle domain-ownership verification for services like Google Workspace, Microsoft 365, or marketing tools.
What wrong looks like: no SPF record at all, which tends to land legitimate mail (from a CRM, a marketing platform, an invoicing tool) in spam instead of the inbox. Also common: an SPF record that's missing one of the services actually sending mail on the client's behalf — usually because a new tool got added after the SPF record was last touched, and nobody remembered to update it.
CNAME records (www, mail, and other common subdomains)
What they're for: alias one hostname to another — most commonly www pointing at the bare domain, or a subdomain pointing at a hosted service (a help desk, a marketing landing page tool, etc.).
What wrong looks like: www.clientdomain.com not resolving at all while the bare domain works fine — a surprisingly common gap that's easy to miss if you only ever test the bare domain. Also watch for a CNAME still pointing at a service the client stopped using months ago.
NS records
What they're for: identify which nameservers are actually authoritative for the domain — in other words, who really controls DNS for this client, regardless of who they think controls it.
What wrong looks like: nameservers that don't match the DNS provider or registrar the client believes they're using. This almost always means an old provider from before a migration that never got fully retired — and it means any DNS change you make in the "current" provider's dashboard might not actually be the one taking effect.
Bookmark this page — it's built to be the reference you pull up any time you need to sanity-check a client's DNS, not just something you read once.