. newtonlabs dns

Docs

Everything you need to run authoritative DNS, transactional mail, and observability from one dashboard. Concise, specific, and kept current with the actual product.

Getting started.

#Sign in

Visit dns.newtonlabs.ke/app and sign up with your email. You'll receive a one-time verification link. Click it and you're in the dashboard.

TOTP and passkey login are both supported once your account is provisioned, from Account → Security.

#Add your first zone

From the Zones tab, click Add zone and enter your apex (e.g. example.com). The system auto-creates a SOA record and two NS records pointing at our nameservers. The zone is live the moment it's saved.

#Point your domain

At your registrar (Namecheap, Cloudflare Registrar, Porkbun, etc.), update your domain's nameservers to: 

ns1.newtonlabs.ke
ns2.newtonlabs.ke

Propagation typically takes 1–48 hours depending on the registrar's TTL. The dashboard Zones → [zone] → Status view shows when the world starts asking us for your records.

DNS

#Record types

Supported types: A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, CAA, PTR, NAPTR. Records are added per-zone from Zones → [zone] → Records, or via the API (see below).

#DNSSEC

Each zone can be DNSSEC-signed with one click. We generate the ZSK and KSK, sign the zone, and surface the DS record you need to publish at your registrar. Re-signing happens automatically on every record change.

Note: the DS record only takes effect once your registrar publishes it in the parent zone. Until then, validating resolvers will treat your zone as unsigned.

#Zone transfers

TSIG-signed AXFR / IXFR is supported for replicating to a secondary nameserver. Generate a TSIG key per peer from Zones → [zone] → Transfers; share the key with your secondary; allow its IP. We log every transfer attempt.

#GeoIP routing

A single record name can return different answers based on the querier's location. Useful for steering EU traffic to an EU endpoint, or sending Africa traffic to your Nairobi POP.

#Blocklists

Per-zone blocklists let you NXDOMAIN specific names — useful for parental controls on a household zone, or malware-domain filtering for a recursive-resolver deployment. Import a list, or add entries one at a time.

Mail

#DKIM

DKIM keys are generated per-zone and published to that same zone as a TXT record. Because SPF, DKIM, and DMARC live in the same zone you're already editing, they stay in sync on purpose, not by accident.

#Sending mail

Outbound mail is submitted via SMTP (port 587 with STARTTLS), or via the API. Every send queues, retries on transient failure, and records its delivery attempt in the audit log.

#Templates

The HTML template editor has a live preview and supports variable interpolation ({{ name }}) filled at send time. Templates are versioned; the editor shows a diff against the previously-shipped version.

#Inbox

Every domain you own gets an inbox accessible via IMAP (143 or 993 with TLS) and via the dashboard. Per-mailbox passwords are managed from Mail → Mailboxes.

API

#Authentication

All /api/* endpoints require a Bearer token. Tokens are issued from Account → API Keys with one of three scopes: 

curl -H "Authorization: Bearer $TOKEN" \
  https://dns.newtonlabs.ke/api/zones

#Zones

GET /api/zones lists all zones you can see. POST /api/zones creates a zone (body: { "name": "example.com" }).

#Records

Records are namespaced under their zone: 

GET    /api/zones/{name}/records
POST   /api/zones/{name}/records
PUT    /api/zones/{name}/records/{id}
DELETE /api/zones/{name}/records/{id}

#Public resolver

Anonymous, no-auth-required recursive lookup endpoint. Useful for debugging, dashboards, and integration tests. Rate-limited to 30 requests per minute per IP; refuses internal / private names to prevent SSRF. 

curl "https://dns.newtonlabs.ke/api/public/resolve?name=cloudflare.com&type=A"