DNS changes to make at GoDaddy (queued, fires when login lands)

The moment Jim shares the GoDaddy login, run these in order. Total time at the registrar: about 15 minutes. No client involvement needed.


Round 1 — immediate (run within 30 min of getting access)

1. Audit before changing anything

dig +short A bensontheatre.org
dig +short MX bensontheatre.org
dig +short TXT bensontheatre.org
dig +short NS bensontheatre.org

Save the output as a snapshot in case we need to revert. Paste it, with a timestamp, into the cleared section of BLOCKERS.md.

2. Add SPF record

Add as TXT record at root (@):

v=spf1 include:_spf.google.com ~all

Why: every email from bensontheatre.org is currently unauthenticated. SPF tells receiving mail servers that Google Workspace is the legitimate sender for the domain. Without it, newsletters and form notifications end up in spam.

If we add SendGrid for transactional email, update later to:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

3. Drop the stale Microsoft 365 verification token

Remove the TXT record MS=ms29607555. Leftover from a Microsoft 365 setup that never went anywhere; the live system is Google Workspace.

4. Add Google domain verification token (if rolling fresh GA4 / GSC)

Per Phase 1 of analytics setup: when we add the new GA4 + Google Search Console, Google will hand us a TXT verification record. Add that here.

The record is usually of the form google-site-verification=<token>


Round 2 — Workspace recovery (24-48 hr after Round 1)

5. DKIM record

Once Workspace super admin is recovered (separate flow):

- In admin.google.com, generate the DKIM key under Apps → Google Workspace → Gmail → Authenticate email
- Publish the public key as a TXT record at google._domainkey.bensontheatre.org

After publishing, return to admin.google.com and click "Start authentication." Google verifies and turns on DKIM signing.

6. Tighten DMARC

Current DMARC is v=DMARC1; p=none; (monitor only). After SPF and DKIM have been in place for a few days with no legitimate email being marked as spam, tighten to:

v=DMARC1; p=quarantine; rua=mailto:dmarc@bensontheatre.org

Then later (~30 days observed clean):

v=DMARC1; p=reject; rua=mailto:dmarc@bensontheatre.org
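
A pre-change check over the Round 1 dig snapshot and the Round 2 DMARC record, as an added example that is not part of this runbook: it parses dig +short TXT output for the root name and for _dmarc.bensontheatre.org and flags a missing or duplicated SPF, the stale MS= token, more than 10 SPF lookups (relevant once SendGrid is added), and a DMARC still at p=none or without a rua= address. The sample record sets are constructed, not captured from the live zone.

```python
import re

# Constructed `dig +short TXT` output (not real captures) for the root name and for
# _dmarc.bensontheatre.org, before Round 1 and after Rounds 1 and 2.
BEFORE_ROOT = ['"MS=ms29607555"']
BEFORE_DMARC = ['"v=DMARC1; p=none;"']
AFTER_ROOT = ['"v=spf1 include:_spf.google.com ~all"']
AFTER_DMARC = ['"v=DMARC1; p=quarantine; rua=mailto:dmarc@bensontheatre.org"']
# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")

def unquote(rr):
    """dig prints TXT data as one or more quoted strings; join them into one."""
    return "".join(re.findall(r'"([^"]*)"', rr)) or rr.strip()

def spf_lookups(spf):
    """Count lookup-costing terms in an SPF record (qualifier and argument stripped)."""
    count = 0
    for term in spf.split()[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0]
        if name.lower() in LOOKUP_MECHS:
            count += 1
    return count

def audit_txt(root_txt, dmarc_txt):
    """Return findings for the root and _dmarc TXT record sets; [] means clean."""
    findings = []
    root = [unquote(r) for r in root_txt]
    spf = [r for r in root if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: mail from this domain is unauthenticated")
    elif len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permerror")
    else:
        if "include:_spf.google.com" not in spf[0]:
            findings.append("SPF does not include _spf.google.com (Workspace)")
        if not spf[0].split()[-1].endswith("all"):
            findings.append("SPF has no terminal 'all' mechanism")
        if spf_lookups(spf[0]) > 10:
            findings.append("SPF exceeds the 10 DNS lookup limit")
    if any(r.startswith("MS=") for r in root):
        findings.append("stale Microsoft 365 verification token still present")
    dmarc = next((unquote(r) for r in dmarc_txt if unquote(r).startswith("v=DMARC1")), "")
    tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
    if tags.get("p", "none").strip() == "none":
        findings.append("DMARC missing or p=none (monitor only)")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address; aggregate reports are lost")
    return findings
```

Run it once against the saved Round 1 snapshot (expect the MS= and missing-SPF findings) and again after Round 2 (expect an empty list) before moving on to Round 3.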

Round 3 — DNS cutover at launch (the big one)

Run 24-48 hours before flipping DNS:

7. Drop A record TTL

Lower the TTL on the existing A record from default (usually 1 hour) to 300 seconds. This means once we flip the IP, the change propagates within 5 minutes instead of an hour.

8. Confirm SSL is provisioned at the new host

Don't flip DNS until the new host has issued an SSL certificate for bensontheatre.org. Check in the Flywheel or Kinsta dashboard before the swap.

9. Swap A record IP

Change the A record from 151.101.66.159 (Fastly / Shape Society's Flywheel) to the new host's IP.

10. Monitor

Watch DNS propagation:

dig +short A bensontheatre.org
# repeat every 5 min for the first hour

Verify the site loads from the new host. Verify SSL is valid. Verify email is still receiving (test send to admin@bensontheatre.org).

11. After 24-48 hours stable

Bump TTL back up to 3600 (1 hour) or 86400 (24 hours).


What does NOT change

These records stay exactly as they are during cutover:


If something goes wrong

Every change above is reversible. Keep the Round 1 dig output as a snapshot. Worst case, paste the old values back into the GoDaddy DNS panel.

Flywheel and Kinsta both keep snapshots — if the new host has an issue, we can revert the A record while we troubleshoot. The old Shape Society install is still running on the old IP unless someone shuts it down, so reverting just resumes service from there.