TXT Record - Verifications and Metadata

Store textual information in your DNS for validation and security.

The TXT (Text Record) allows storing arbitrary textual information in your DNS. Originally designed for human-readable notes, it has become a key element of email security (SPF, DKIM, DMARC) and domain ownership verification.

When you configure a new service (Google Workspace, AWS, SSL certificate), you're often asked to add a TXT record to prove you control the domain. This has become the standard domain ownership verification mechanism on the Internet.

TXT records are also critical for email deliverability. Without properly configured SPF, DKIM, and DMARC via TXT records, your emails risk being marked as spam or rejected.

What is a TXT Record?

The TXT record stores text in DNS:

  • Free format: A TXT can contain any text up to 255 characters per string. For longer content, multiple strings are concatenated.
  • Multiple uses: The same domain can have multiple TXT records for different uses (SPF, verifications, etc.). They coexist without conflict.
  • Machine reading: Although it's text, TXTs are read and interpreted by automated systems: email servers, certificate authorities, SaaS services.
  • Standard propagation: TXTs propagate like other records, according to their TTL. Some verifications fail if propagation is incomplete.

Main TXT Uses

TXT records serve several critical purposes:

  • SPF (email): Defines which servers are authorized to send emails for your domain. Protects against email identity spoofing.
  • DKIM (email): Publishes the public key to verify cryptographic signatures of your emails. Proves the email hasn't been modified.
  • DMARC (email): Defines the policy to apply to emails that fail SPF/DKIM. Reports on spoofing attempts.
  • Domain verification: Google, Microsoft, AWS and others use TXT to verify you control a domain before activating their services.

How to Create a TXT Record

Follow these steps to add a TXT:

  1. Get the value: The service you're configuring gives you the exact TXT value to add. Copy it precisely, character by character.
  2. Identify the name: The TXT can be for the root domain (@) or a specific subdomain (_dmarc, selector._domainkey, etc.).
  3. Create the record: Add a TXT record in your DNS manager. Enter the exact name and value.
  4. Verify: Use dig TXT example.com or the service's verifier to confirm the record is correct and propagated.

TXT Record Examples

Here are common TXT examples:

; SPF - Authorize Gmail and your servers
example.com. IN TXT "v=spf1 include:_spf.google.com ip4:192.0.2.1 -all"

; DKIM - Public key for signing
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

; DMARC - Policy and reports
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

; Google verification
example.com. IN TXT "google-site-verification=abc123..."

; Microsoft 365 verification
example.com. IN TXT "MS=ms12345678"

; Verification with dig
$ dig example.com TXT +short
"v=spf1 include:_spf.google.com -all"
"google-site-verification=abc123..."

TXT values are in quotes. A domain can have multiple TXTs for different uses. The v= prefix indicates the version/type (spf1, DKIM1, DMARC1).
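Multiple TXTs coexist at one name, but SPF is stricter: RFC 7208 allows only one record starting with v=spf1 per name, and receivers return permerror when they find more. The following check is an added example, not part of the original page or any MoniTao tooling. It parses quoted TXT values, joins multi-string records, and flags duplicate SPF records, strings over 255 bytes, and SPF records that authorize every sender; the function names and sample records are constructed for illustration.

```python
import re

# Constructed sample: quoted TXT values for one name, one record per line,
# as in a zone file or `dig example.com TXT +short` output.
SAMPLE_TXT_RRSET = '''\
"v=spf1 include:_spf.google.com -all"
"v=spf1 ip4:192.0.2.1 " "+all"
"google-site-verification=abc123"
'''

def parse_txt_rrset(text):
    """Return one list of character-strings per TXT record."""
    records = []
    for line in text.splitlines():
        strings = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if strings:
            records.append(strings)
    return records

def lint_txt_rrset(text):
    """Return a sorted list of findings for the TXT records at one name."""
    findings = set()
    spf_records = []
    for strings in parse_txt_rrset(text):
        if any(len(s.encode("utf-8")) > 255 for s in strings):
            findings.add("string longer than 255 bytes: split it")
        value = "".join(strings).lower()  # strings join with no separator
        if value == "v=spf1" or value.startswith("v=spf1 "):
            spf_records.append(value)
    if len(spf_records) > 1:
        findings.add("multiple SPF records: receivers return permerror")
    for value in spf_records:
        terms = value.split()[1:]
        if "+all" in terms or "all" in terms:
            findings.add("SPF authorizes every sender (+all)")
        elif not any(t in ("-all", "~all", "?all") or t.startswith("redirect=")
                     for t in terms):
            findings.add("SPF has no all mechanism or redirect")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_txt_rrset(SAMPLE_TXT_RRSET):
        print(finding)
```

Run it against the values you are about to publish, or against saved dig output, and merge any duplicate SPF records into a single v=spf1 record before saving.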

TXT Best Practices

Effectively manage your TXT records:

  • Copy exactly: A single wrong character can cause a verification to fail or break SPF/DKIM. Copy-paste, don't retype.
  • Clean up old ones: Remove TXT records for services you no longer use. Keep your DNS clean.
  • Document: Note what each TXT is for. In 6 months, you won't remember why that cryptic TXT is there.
  • Monitor SPF/DKIM/DMARC: Use MoniTao to monitor these critical TXTs. An unauthorized change can ruin your email deliverability.

TXT Records Checklist

  • SPF configured and valid
  • DKIM enabled with published key
  • DMARC configured with appropriate policy
  • Domain verifications completed and confirmed
  • Obsolete TXTs cleaned up
  • Critical TXT monitoring enabled

Frequently Asked Questions - TXT Records

Can I have multiple TXT records?

Yes, unlike CNAMEs, multiple TXTs can coexist at the same level. It's common to have SPF, DMARC, and several domain verifications simultaneously.

What is the maximum length of a TXT?

Each string is limited to 255 characters, but you can have multiple concatenated strings. The total limit depends on the DNS server but is generally several KB.

Why does my TXT verification fail?

Common causes: incomplete DNS propagation (wait 24-48h), a copy error in the value, misplaced quotes in the DNS manager, or the record created at the wrong level (@ vs subdomain).

Should I keep verification TXTs after activation?

Some services verify periodically (keep the TXT). Others verify only once (you can delete). Check the service documentation.

How to debug an SPF/DKIM problem?

Use tools like MXToolbox SPF/DKIM checker, or analyze headers of rejected emails. They usually indicate the reason for authentication failure.

Do TXTs impact performance?

No, TXTs are not queried during normal web browsing. They are read by email servers and verification services occasionally.

Master Your TXT Records

TXT records have become essential for email security and domain ownership verification. SPF, DKIM, and DMARC protect your email reputation and your users against phishing and spoofing.

Configure your TXTs correctly, document them, and monitor them with MoniTao. An unauthorized change to your SPF or DKIM records can have disastrous consequences on your email deliverability.
