TXT Record

A DNS TXT (text) record allows domain administrators to insert any text into the DNS. Originally created to add human-readable notes, TXT records are now primarily used for email authentication protocols (SPF, DKIM, DMARC), domain ownership verification, and various other machine-readable configurations. TXT records can contain any text data up to 255 characters per string, with multiple strings allowed.

How it works

TXT records store plain-text data associated with a domain. While they can technically contain any text, they follow specific formats for different purposes. Email authentication protocols use TXT records to tell email servers who's authorized to send mail from a domain, how to validate messages, and what to do if authentication fails. Service providers also use TXT records to verify domain ownership.

TXT records serve multiple critical functions in modern DNS:

**Email Authentication - SPF (Sender Policy Framework):** SPF records list IP addresses and servers authorized to send email from your domain. When someone receives email claiming to be from your domain, their mail server checks your SPF record. If the sender's IP matches the authorized list, it passes SPF authentication; otherwise, it's flagged as potentially fraudulent.
Example SPF record: v=spf1 include:_spf.google.com ~all

**Email Authentication - DKIM (DomainKeys Identified Mail):** DKIM uses cryptographic signatures to verify email authenticity. Your mail server signs outgoing emails with a private key and publishes the corresponding public key in a TXT record. Receiving servers use this public key to verify the signature, ensuring the email hasn't been tampered with and came from an authorized source.
Example DKIM record at selector._domainkey.example.com: v=DKIM1; k=rsa; p=MIGfMA0GC...

**Email Authentication - DMARC (Domain-based Message Authentication, Reporting, and Conformance):** DMARC builds on SPF and DKIM by telling receiving servers what to do with emails that fail authentication. You can specify whether to quarantine, reject, or deliver suspicious emails, and request reports on authentication results.
Example DMARC record at _dmarc.example.com: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

**Domain Verification:** Services like Google, Microsoft, or SSL certificate authorities often require you to add a unique TXT record to prove domain ownership. This verification prevents unauthorized parties from claiming your domain on their platforms.

Key Points

  • TXT records can contain any text data, but follow specific formats for different purposes
  • Primarily used for email authentication (SPF, DKIM, DMARC) to prevent spoofing and phishing
  • Essential for domain ownership verification with third-party services
  • Each string in a TXT record is limited to 255 characters, but multiple strings can be concatenated
  • Multiple TXT records can exist for the same domain, each serving different purposes
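
The 255-character limit and the concatenation rule in practice, as an added example that is not part of the original page: SPF, DKIM and DMARC verifiers join the strings of one TXT record with no separator, so a space lost at a split point changes the record. The function names and the filler key material are made up for this illustration.

```python
MAX_LEN = 255  # each string inside a TXT record carries a one-byte length prefix


def split_txt(value):
    """Split a long TXT value into strings of at most 255 bytes each."""
    raw = value.encode("ascii")
    chunks = [raw[i:i + MAX_LEN].decode("ascii") for i in range(0, len(raw), MAX_LEN)]
    return chunks or [""]


def zone_rdata(strings):
    """Render strings as zone-file RDATA: each quoted, backslash and quote escaped."""
    for s in strings:
        if len(s.encode("ascii")) > MAX_LEN:
            raise ValueError("TXT string exceeds 255 bytes")
    escaped = (s.replace("\\", "\\\\").replace('"', '\\"') for s in strings)
    return " ".join('"' + s + '"' for s in escaped)


def join_txt(strings):
    """What a verifier evaluates: the strings joined with NO separator."""
    return "".join(strings)


# Constructed sample: a DKIM-style value long enough to need two strings.
# The key material is filler ("A" * 392), not a real public key.
DKIM_VALUE = "v=DKIM1; k=rsa; p=" + "A" * 392
DKIM_STRINGS = split_txt(DKIM_VALUE)

# Failure mode: an SPF record split by hand at a space, with the space dropped.
SPF_BROKEN = ["v=spf1 include:_spf.google.com", "~all"]
# Fixed: the space is kept inside one of the two strings.
SPF_FIXED = ["v=spf1 include:_spf.google.com ", "~all"]

if __name__ == "__main__":
    print([len(s) for s in DKIM_STRINGS])
    print(zone_rdata(SPF_BROKEN), "->", join_txt(SPF_BROKEN))
    print(zone_rdata(SPF_FIXED), "->", join_txt(SPF_FIXED))
```

In the broken case the include target and the all mechanism fuse into one token, so the record no longer ends in ~all.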

Common Use Cases

  • SPF Email Authentication: Specify which mail servers are authorized to send email from your domain, preventing spammers from spoofing your domain in email headers
  • DKIM Email Signing: Publish public keys used to verify cryptographic signatures on your emails, ensuring message integrity and authenticity
  • DMARC Policy Enforcement: Define how receiving servers should handle emails that fail SPF or DKIM checks, with options to monitor, quarantine, or reject
  • Domain Ownership Verification: Prove domain ownership to services like Google Workspace, Microsoft 365, or SSL certificate authorities by adding their unique verification codes
  • Site Verification and Configuration: Configure various services including site verification for search engines, security policies, or integration with third-party platforms

Example TXT Record Configuration

| Type | Host / Name | Value / Points to | TTL |
|------|-------------|-------------------|-----|
| TXT | @ | v=spf1 include:_spf.google.com ~all | 3600 |
| TXT | _dmarc | v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com | 3600 |
| TXT | selector._domainkey | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA... | 3600 |
| TXT | @ | google-site-verification=abc123xyz456 | 3600 |

* TXT records use specific formats for different purposes. Multiple TXT records can coexist for the same domain.

Frequently Asked Questions

What is the difference between SPF, DKIM, and DMARC?
SPF specifies which IP addresses/servers can send email from your domain. DKIM uses cryptographic signatures to verify email hasn't been tampered with and came from an authorized source. DMARC ties SPF and DKIM together, telling receiving servers what to do when emails fail authentication (reject, quarantine, or deliver) and provides reporting. All three are implemented using TXT records and work together to prevent email spoofing and phishing.
Can I have multiple TXT records for the same domain?
Yes, you can have multiple TXT records for the same hostname, and this is very common. For example, you might have separate TXT records for SPF, domain verification, and site configuration. DNS resolvers will return all TXT records associated with a hostname. However, you should only have one SPF record per hostname - if you need to authorize multiple mail servers, include them all in a single SPF record.
Do I need TXT records if I don't send email?
Even if you don't send email, it's recommended to add an SPF record with a restrictive policy like v=spf1 -all to explicitly state that no servers are authorized to send email from your domain. This prevents spammers from spoofing your domain. You might also need TXT records for domain verification with services like Google Search Console, SSL certificate authorities, or other platforms, even if you're not using email.
What happens if my SPF/DKIM/DMARC records are misconfigured?
Misconfigured email authentication records can cause legitimate emails to be rejected or marked as spam. Common issues include: SPF records that don't include all your mail servers, expired or missing DKIM keys, or overly strict DMARC policies (p=reject) before testing. Start with a permissive DMARC policy (p=none) to monitor results, fix any SPF/DKIM issues identified in reports, then gradually move to p=quarantine and eventually p=reject once everything is working correctly.
How do I verify my TXT records are set up correctly?
You can check TXT records using online DNS lookup tools or command-line utilities like dig TXT example.com or nslookup -type=TXT example.com. For email authentication specifically, use dedicated validators like Google's Toolbox Messageheader analyzer, MXToolbox, or dmarcian's tools. These will not only show your records but also validate their syntax and configuration, highlighting potential issues.
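
An offline check of the points from the FAQ above (one SPF record per hostname, the qualifier on the SPF all mechanism, the DMARC policy stage), added here as an illustration and not taken from the original page or any of the tools it names. Function names and sample records are constructed; pass in the values that dig TXT returns, with each record's strings already joined.

```python
def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax used by DMARC and DKIM records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def spf_findings(txt_values):
    """Audit every TXT value of ONE hostname (each record's strings already joined)."""
    spf = [v for v in txt_values if v.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records on one hostname; merge them into one"]
    findings = []
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if alls:
        # A bare "all" has the default qualifier "+", so it passes every sender.
        qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every sender")
        elif qualifier == "?":
            findings.append("'?all' is neutral; unlisted senders are not flagged")
    elif not any(t.startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    return findings


def dmarc_findings(record):
    """Audit the TXT value published at _dmarc.<domain>."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address; no aggregate reports to review")
    return findings


# Constructed sample records (192.0.2.10 is a documentation address).
GOOD_TXT = ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123xyz456"]
DUPLICATE_SPF = ["v=spf1 include:_spf.google.com ~all", "v=spf1 ip4:192.0.2.10 -all"]

if __name__ == "__main__":
    print(spf_findings(GOOD_TXT))
    print(spf_findings(DUPLICATE_SPF))
    print(dmarc_findings("v=DMARC1; p=none"))
```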