Understanding DNS TXT Records
DNS TXT records store arbitrary text data with multiple purposes: email authentication, domain ownership verification, service configuration, and security policies. Despite their generic name, TXT records are some of the most important DNS records for modern infrastructure.
Primary Uses of TXT Records
1. SPF Records (Sender Policy Framework)
Purpose: Specifies which mail servers can send email for your domain
Format:
example.com TXT "v=spf1 include:_spf.google.com ~all"
Components:
v=spf1: SPF version (must be the first term)
include:: Evaluate another domain's SPF record (counts against the DNS lookup limit)
ip4:: Specific IPv4 address or CIDR range allowed
ip6:: Specific IPv6 address or CIDR range allowed
~all: Soft fail for senders not matched (receivers accept but mark the message; a weaker signal than -all)
-all: Hard fail for senders not matched (receivers may reject)
Terms are evaluated left to right and the first match decides the result, so the all term must come last.
Examples:
# Google Workspace
v=spf1 include:_spf.google.com ~all
# Office 365
v=spf1 include:spf.protection.outlook.com ~all
# SendGrid
v=spf1 include:sendgrid.net ~all
# Multiple services
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all
Importance:
- Helps prevent spoofing of the envelope sender (SPF checks the MAIL FROM domain, not the From header the user sees; DMARC ties the two together)
- Improves email deliverability
- Required for DMARC compliance
- Part of email authentication trio (SPF, DKIM, DMARC)
2. DKIM Records (DomainKeys Identified Mail)
Purpose: Publishes the public key receivers use to verify the DKIM signature your mail server adds to outgoing messages; the selector lets you run several keys at once and rotate them without downtime
Format:
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=[PUBLIC_KEY]"
Components:
v=DKIM1: DKIM version (optional, but must be the first tag if present)
k=rsa: Key type (rsa; ed25519 is also defined)
p=: Base64 public key, a DER SubjectPublicKeyInfo (about 400 characters for 2048-bit RSA). An empty p= means the key has been revoked
Full Example:
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
Importance:
- Proves the signing domain (the d= value in the signature, which DMARC aligns with the From header) took responsibility for the message
- Detects tampering with the signed headers and body in transit
- Required for DMARC compliance
- Widely supported by email providers
3. DMARC Records (Domain-based Message Authentication, Reporting, and Conformance)
Purpose: Email authentication policy and reporting
Format:
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
Components:
v=DMARC1: DMARC version (must be first)
p=none/quarantine/reject: Policy for mail that fails DMARC
sp=: Policy for subdomains (defaults to p)
rua=: Aggregate report destination (mailto: URI)
ruf=: Failure (forensic) report destination
fo=: Failure report options (0 = report only if both SPF and DKIM fail, 1 = if either fails, d = DKIM failures, s = SPF failures)
pct=: Percentage of failing messages the policy is applied to (default 100)
adkim=: DKIM alignment, r (relaxed, same organizational domain) or s (strict, identical domain)
aspf=: SPF alignment, r or s
Full Example:
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1; adkim=s; aspf=s"
Importance:
- Blocks exact-domain spoofing, a common business email compromise technique (lookalike domains are out of its scope)
- Protects the brand from spoofing by telling receivers what to do with failures
- Provides insight into who sends mail as your domain through aggregate (rua) reports
- Enables subdomain protection
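The policy tags and alignment rules above are easiest to understand by running them. The following is an added example, not code from the original article: it parses a DMARC record with the RFC 7489 defaults applied, and then decides pass/fail and disposition for a message given its From domain and the SPF and DKIM results. The record, the message identifiers and the small public-suffix stand-in are constructed for illustration; a real receiver loads the full Public Suffix List.

```python
"""DMARC record parsing and identifier alignment.

Added example, not from the original article. The record, message identifiers and
the tiny public-suffix stand-in below are constructed for illustration.
"""
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(owner: str, txt: str) -> dict:
    """Parse a '_dmarc.<domain>' TXT record into a policy dict with RFC 7489 defaults applied.

    Raises ValueError for records a receiver would ignore (v=DMARC1 not first, no p=, bad values).
    """
    parts = [p.strip() for p in txt.split(";")]
    if parts[0].lower() != "v=dmarc1":
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in parts[1:]:
        if not part:
            continue                                   # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    owner = owner.lower().rstrip(".")
    policy = {
        "domain": owner[len("_dmarc."):] if owner.startswith("_dmarc.") else owner,
        "p": tags["p"].lower(),
        "sp": tags.get("sp", tags["p"]).lower(),        # subdomain policy defaults to p
        "adkim": tags.get("adkim", "r").lower(),        # r = relaxed, s = strict
        "aspf": tags.get("aspf", "r").lower(),
        "pct": int(tags.get("pct", "100")),
        "rua": [u for u in tags.get("rua", "").split(",") if u],
        "ruf": [u for u in tags.get("ruf", "").split(",") if u],
    }
    if policy["sp"] not in VALID_POLICIES or policy["adkim"] not in ("r", "s") or policy["aspf"] not in ("r", "s"):
        raise ValueError("bad sp=, adkim= or aspf= value")
    if not 0 <= policy["pct"] <= 100:
        raise ValueError("pct= must be 0..100")
    if any(not u.startswith("mailto:") for u in policy["rua"] + policy["ruf"]):
        raise ValueError("report URIs must be mailto:")
    return policy


# Assumption: a stand-in for the Public Suffix List, which real implementations load in full.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(name: str) -> str:
    """Organizational domain: the label immediately below the longest matching public suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict: identical domains. Relaxed: same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(policy, from_domain, spf_domain=None, spf_result="none",
                 dkim_domain=None, dkim_result="none"):
    """Combine SPF/DKIM outcomes with alignment against the RFC5322.From domain.

    Returns (result, disposition). DMARC passes if at least one of SPF or DKIM both
    passed and aligns; otherwise p= (or sp= for a subdomain From) applies.
    pct= is not applied here; it only samples how many failing messages get the policy.
    """
    spf_ok = spf_result == "pass" and spf_domain is not None and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and dkim_domain is not None and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    fd = from_domain.lower()
    is_subdomain = fd != policy["domain"] and org_domain(fd) == policy["domain"]
    return "fail", policy["sp"] if is_subdomain else policy["p"]


def is_valid_dmarc(owner: str, txt: str) -> bool:
    try:
        parse_dmarc(owner, txt)
        return True
    except ValueError:
        return False


# Constructed record: strict DKIM alignment, relaxed SPF alignment, softer policy for subdomains.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
POLICY = parse_dmarc("_dmarc.example.com", RECORD)

if __name__ == "__main__":
    # Bulk mail with MAIL FROM at bounce.example.com: relaxed SPF alignment passes.
    print(dmarc_result(POLICY, "example.com", spf_domain="bounce.example.com", spf_result="pass"))
    # A spoof: SPF and DKIM both pass for the attacker's own domain, but neither aligns.
    print(dmarc_result(POLICY, "example.com", spf_domain="attacker.example", spf_result="pass",
                       dkim_domain="attacker.example", dkim_result="pass"))
```

The second call is the case DMARC exists for: an attacker can always make SPF and DKIM pass for a domain they control, so the check that matters is whether the authenticated domain aligns with the From domain the recipient sees.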
Domain Verification Uses
4. Domain Ownership Verification
Many services require proving domain ownership:
Google Search Console:
example.com TXT "google-site-verification=abcdefghijklmnopqrstuvwxyz123456"
Microsoft/Office 365:
example.com TXT "MS=ms12345678"
ACME DNS-01 challenge (Let's Encrypt and other ACME CAs):
_acme-challenge.example.com TXT "[base64url SHA-256 of the key authorization]"
The value is not a token copied verbatim: the CA-issued token is combined with the thumbprint of your ACME account key and hashed, so a value observed in DNS cannot be replayed by another account.
Facebook:
example.com TXT "facebook-domain-verification=..."
Stripe:
example.com TXT "stripe-verification=..."
Process:
- Service provides a verification string tied to your account
- You add it as a TXT record at the name the service specifies (often the apex)
- Service queries DNS and checks that a TXT record with that exact value exists
- Ownership confirmed
Most services re-check periodically, so leave the record in place after verification; an ACME challenge record, by contrast, can be deleted once the certificate is issued. The check proves control of the zone, not of the organization: anyone who can edit your DNS (a compromised registrar or DNS-provider account, a dangling delegation) can pass it.
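The ACME DNS-01 challenge is the one verification record on this page whose value is derived rather than copied, and the derivation is short enough to show. The following is an added example, not code from the original article or from any ACME client: it implements the key authorization and TXT value of RFC 8555 (sections 8.1 and 8.4) and the JWK thumbprint of RFC 7638, then performs the CA-side check against a constructed zone. The account key JWK, the token and the zone are constructed; the JWK numbers are not a real key.

```python
"""ACME DNS-01: how the _acme-challenge TXT value is derived and checked.

Added example, not from the original article. Implements the derivation in RFC 8555
(key authorization, section 8.1; DNS-01, section 8.4) and the JWK thumbprint of
RFC 7638. The account key JWK, the token and the zone below are constructed; the
JWK numbers are not a real key.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's token to this account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value = base64url(SHA-256(key authorization)); this is all that is published in DNS."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """Owner name to publish at. A wildcard identifier is validated at its base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".")


def verify_dns01(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    """The CA's side: look for the expected value among the TXT strings at the challenge name.

    Extra strings at that name are ignored, so a stale challenge from a previous run
    does not break validation; a wrong or missing value simply fails.
    """
    expected = dns01_txt_value(token, jwk)
    return expected in zone.get(challenge_name(identifier), [])


# Constructed account key (RSA JWK shape, fake modulus) and a constructed token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key_" + "A" * 300}
TOKEN = "Ok1v_constructedToken_gV9s7r4Q2n"

# Constructed zone after the client has published the record; an old value was left behind.
ZONE = {
    challenge_name("example.com"): [
        "stale-value-from-an-earlier-order",
        dns01_txt_value(TOKEN, ACCOUNT_JWK),
    ],
}

if __name__ == "__main__":
    print(challenge_name("example.com"), "TXT", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("CA check:", verify_dns01(ZONE, "example.com", TOKEN, ACCOUNT_JWK))
```

Because the thumbprint of the account key is hashed into the value, someone who sees the record in DNS learns nothing they can use to satisfy a challenge for their own account, and a CA that observes the right value knows the zone editor and the account-key holder cooperated.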
5. Email Provider Verification
Email marketing and transactional mail platforms use the same pattern:
Mailchimp:
example.com TXT "mailchimp-verification=..."
HubSpot:
example.com TXT "hubspot-verification=..."
SendGrid:
example.com TXT "sendgrid-domain-verification=..."
Advanced Authentication Records
6. BIMI Records (Brand Indicators for Message Identification)
Purpose: Display company logo in email clients
Format:
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/logo.svg"
Requirements:
- DMARC at enforcement: p=quarantine (with pct=100) or p=reject, and any sp= tag also set to quarantine or reject
- Logo in the SVG Tiny Portable/Secure profile, no larger than 32 KB, served over HTTPS
- Most mailbox providers also require a Verified Mark Certificate (VMC), referenced by an a= tag in the record, before they show the logo
Benefit: Brand protection and recognition in email
7. DANE Records (DNS-based Authentication of Named Entities)
Purpose: Bind a TLS certificate or public key to a service name through DNSSEC-signed DNS
Format (TLSA is its own record type, not TXT, and is published at the hostname clients connect to, such as the MX host, not at the zone apex):
_25._tcp.mail.example.com TLSA 3 1 1 [sha256_of_subject_public_key_info]
_443._tcp.www.example.com TLSA 3 1 1 [sha256_of_subject_public_key_info]
The three numbers are certificate usage (3 = DANE-EE: trust this end-entity key directly), selector (1 = SubjectPublicKeyInfo, 0 = full certificate) and matching type (1 = SHA-256, 2 = SHA-512, 0 = exact match).
Benefits:
- Certificate pinning via DNS
- Protection against rogue CAs (with usage 3 the CA chain is not consulted at all)
- Enhanced security for email and HTTPS
Caveats:
- Meaningless without DNSSEC: validating clients ignore an unsigned TLSA record, and without signing it is trivially spoofable
- Mainstream browsers do not implement DANE for HTTPS; in practice it is deployed for SMTP, where DANE-verifying senders such as Postfix enforce it
- Rotating the key without first publishing the new TLSA record breaks delivery from DANE-verifying senders
Service Configuration Records
8. Service Discovery
Purpose: Let clients find the host, port and parameters of a service from the domain name alone
Format:
DNS-SD (RFC 6763) and the protocol-specific discovery RFCs that borrow from it use an SRV record for host and port, and a TXT record at the same owner name for parameters, one key=value pair per string:
_service._protocol.example.com SRV priority weight port target
_service._protocol.example.com TXT "key1=value1" "key2=value2"
Examples:
CalDAV/CardDAV (RFC 6764; the TXT path= key tells the client where the service root is):
_caldavs._tcp.example.com SRV 0 1 443 caldav.example.com.
_caldavs._tcp.example.com TXT "path=/"
_carddavs._tcp.example.com SRV 0 1 443 caldav.example.com.
_carddavs._tcp.example.com TXT "path=/"
Autodiscover (Exchange) and SIP (VoIP) use SRV alone, with no TXT record:
_autodiscover._tcp.example.com SRV 0 0 443 autodiscover.example.com.
_sip._tls.example.com SRV 10 10 5061 sip.example.com.
A discovery record is an unauthenticated pointer: a client that follows it must still validate the TLS certificate of the target host against the name it was looking for.
Security and Policy Records
9. CAA Policy (Certificate Authority Authorization)
CAA is its own record type (RFC 8659), not a TXT record, but it is managed alongside the TXT records above:
example.com CAA 0 issue "letsencrypt.org"
example.com CAA 0 issuewild "letsencrypt.org"
Purpose: Tell CAs which of them may issue certificates for the domain (issue) and for wildcard names (issuewild). CAA is checked by the CA at issuance time, not by clients, so it limits mis-issuance rather than detecting it; combine it with Certificate Transparency monitoring to see what was actually issued.
10. TLS-RPT Records (SMTP TLS Reporting, RFC 8460)
Purpose: Receive reports from sending MTAs about failures to negotiate TLS to your mail servers, including MTA-STS and DANE policy failures
Format (the record lives at _smtp._tls, not _tlsrpt):
_smtp._tls.example.com TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
DNS TXT Record Best Practices
Managing Multiple TXT Records
Several TXT records can share one owner name, and the usual setup depends on it:
example.com TXT "v=spf1 include:_spf.google.com ~all"
example.com TXT "google-site-verification=abcdefghijklmnopqrstuvwxyz123456"
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
The exception is SPF: publish exactly one v=spf1 record per name. Two SPF records at the same name is a permerror (RFC 7208 section 4.5), which receivers treat as a failed check, not as the union of both. DMARC and DKIM never collide with SPF because they live at their own names (_dmarc.example.com, selector._domainkey.example.com); a DMARC record placed at the apex is simply ignored.
Record Length Limits
Each string inside a TXT record is limited to 255 octets, but a record may hold several strings, and consumers concatenate them with no separator:
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..." "...CONTINUED..."
Most DNS providers split a long value automatically when you paste it; some require you to quote the chunks yourself and some reject values over 255 characters, so check the published record with dig after saving rather than trusting the form.
Organization Tips
- Document all TXT records and their purposes
- Maintain version control of TXT record changes
- Test before deployment (especially email records)
- Monitor for unexpected changes: anyone with access to the zone can add an include to your SPF or weaken DMARC, and registrar and DNS-provider accounts are a common target
- Keep records organized with comments in DNS provider
Viewing TXT Records
Command Line
# View TXT records at a name
dig example.com TXT
# Only the record data, one record per line
dig example.com TXT +short
# Records that live at their own names
dig _dmarc.example.com TXT +short
dig selector1._domainkey.example.com TXT +short
dig _smtp._tls.example.com TXT +short
# Query an authoritative server directly to see a change before resolver caches expire (use a server from: dig example.com NS)
dig @ns1.example.com example.com TXT +norecurse
# ANY is not a reliable way to see all records: many resolvers return a minimal answer to ANY (RFC 8482), so query each type you need
Online Tools
- Inventive HQ DNS Lookup Tool
- MXToolbox TXT Record Checker
- Google Public DNS (dns.google)
- Online DNS query tools
Common TXT Record Issues
Issue 1: Too Many DNS Lookups
Problem: An SPF record that accumulates includes:
v=spf1 include:service1.com include:service2.com include:service3.com include:service4.com include:service5.com include:service6.com include:service7.com include:service8.com include:service9.com include:service10.com ~all
# Exceeds the 10-lookup limit!
The limit that bites is not the 255-character string length (a record can span several strings) but the RFC 7208 cap of 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) across the whole include tree. Each included record brings its own lookups, so ten includes of real providers is far past the limit. The result is a permerror, which most receivers treat as an SPF failure and DMARC treats as SPF not passing.
Solution: Remove includes for services you no longer use, then flatten what remains into ip4/ip6 terms, which cost no lookups:
example.com TXT "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 include:_spf.google.com ~all"
Wrapping the includes in an intermediate record (example.com includes _spf.example.com, which includes the providers) does not help: the intermediate include adds a lookup and the nested ones still count. Flattened ranges go stale when a provider renumbers, so re-flatten on a schedule or with tooling, and keep an include for providers whose ranges change often.
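The SPF mechanics described in the SPF section and the lookup budget behind this issue are concrete enough to run. The following is an added example, not code from the original article or from any SPF library: a small check_host() over a constructed zone that evaluates a sending IP against ip4, ip6, include, redirect and all with the four qualifiers, counts DNS-querying terms across the whole include tree, returns permerror for an include loop or for two SPF records at one name, and flattens a record into ip4/ip6 terms. The zone uses documentation address ranges and invented names; a, mx, ptr and exists are charged to the lookup budget but not resolved, since nothing here touches the network (an assumption of this example).

```python
"""SPF evaluation and DNS-lookup budget audit over a constructed zone.

Added example, not from the original article. The zone below is invented
(documentation address ranges only); nothing is resolved over the network.
"""
import ipaddress
import re

# Constructed zone: owner name -> list of TXT strings, one per record.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 ~all"],
    "_spf.mailer.example": [
        "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 include:deep.mailer.example -all"
    ],
    "deep.mailer.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],                          # include loop
    "double.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],  # two SPF records
}

MAX_LOOKUPS = 10                     # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def spf_records(zone, domain):
    """Every v=spf1 TXT string at domain. RFC 7208 requires exactly one."""
    return [s for s in zone.get(domain.lower(), []) if s.lower().split(" ", 1)[0] == "v=spf1"]


def parse_terms(record):
    """Yield (qualifier, mechanism or modifier name, argument, raw term) after the version tag."""
    for raw in record.split()[1:]:
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError(f"bad SPF term: {raw}")
        qual, name, arg = m.groups()
        yield qual or "+", name.lower(), arg, raw


def evaluate(zone, domain, ip, counter=None):
    """check_host(): returns pass, fail, softfail, neutral, none or permerror.

    ip4, ip6, include, redirect and all are evaluated. a, mx, ptr and exists are
    charged to the lookup budget but not resolved, since this runs offline.
    counter is shared across includes so the limit applies to the whole tree.
    """
    counter = [0] if counter is None else counter
    records = spf_records(zone, domain)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                       # two v=spf1 records at one name
    try:
        terms = list(parse_terms(records[0]))
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    redirect = None
    for qual, name, arg, _ in terms:
        if name in LOOKUP_TERMS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror"               # too many DNS-querying terms
        if name in ("include", "redirect") and not arg:
            return "permerror"
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except (TypeError, ValueError):
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            sub = evaluate(zone, arg, ip, counter)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("permerror", "none"):     # an include target must have a record
                return "permerror"
        elif name == "redirect":
            redirect = arg
    if redirect:
        return evaluate(zone, redirect, ip, counter)
    return "neutral"


def count_lookups(zone, domain, path=()):
    """DNS-querying terms reachable from domain's record, regardless of which term would match.

    A receiver may have to resolve all of them, so this total is what an audit compares
    against MAX_LOOKUPS. An include loop counts as exhausting the budget.
    """
    if domain in path:
        return MAX_LOOKUPS + 1
    total = 0
    for record in spf_records(zone, domain)[:1]:
        for _, name, arg, _ in parse_terms(record):
            if name in LOOKUP_TERMS:
                total += 1
            if name in ("include", "redirect") and arg:
                total += count_lookups(zone, arg, path + (domain,))
    return total


def flatten(zone, domain):
    """Rewrite domain's record with include/redirect chains expanded into their ip4/ip6 terms.

    This is SPF flattening, the fix for exceeding the lookup limit. Assumes the expanded
    terms carry the default '+' qualifier (true of vendor includes in practice); a, mx,
    ptr and exists are kept verbatim since they need live DNS. The top record's all
    qualifier is preserved. Provider ranges change, so re-flatten on a schedule.
    """
    kept, final = [], "?all"

    def walk(d):
        nonlocal final
        for qual, name, arg, raw in parse_terms(spf_records(zone, d)[0]):
            if name in ("include", "redirect"):
                walk(arg)
            elif name == "all":
                if d == domain:
                    final = qual + "all"
            else:
                kept.append(raw)

    walk(domain)
    return " ".join(["v=spf1", *dict.fromkeys(kept), final])


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10", "2001:db8::1", "198.18.0.1"):
        print(ip, evaluate(ZONE, "example.com", ip))
    print("lookups:", count_lookups(ZONE, "example.com"))
    print("flattened:", flatten(ZONE, "example.com"))
```

count_lookups is the number to audit, not the counter inside evaluate: evaluation stops at the first matching term, so a lucky IP can pass a record that a different IP would push into permerror.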
Issue 2: DKIM Key Too Long
Problem: A 2048-bit RSA public key makes the record about 400 characters, more than one 255-octet string can hold
Solution: Let the provider split it into multiple strings (or split it yourself at 255 characters), then verify what was actually published:
dig selector._domainkey.example.com TXT +short
# Should show two quoted strings; concatenated, the p= value must decode as base64 (a length that is not a multiple of 4 means it was truncated)
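The DKIM record from the DKIM section, the Record Length Limits rule and this issue are one mechanism: a long value becomes several strings, and the verifier joins them before parsing. The following is an added example, not code from the original article or from any DKIM implementation: it splits a value into 255-character strings, renders and parses the zone-file form, joins the strings back and parses the DKIM tags, decoding p= the way a verifier does and flagging a truncated key. The p= value is a constructed stand-in with the length of a 2048-bit RSA SubjectPublicKeyInfo, not a real key, and the split is assumed to be at exactly 255 characters (the maximum; providers may choose shorter chunks).

```python
"""TXT strings over 255 octets: splitting, joining and checking a DKIM key record.

Added example, not from the original article. A TXT RDATA is a sequence of
<character-string>s of at most 255 octets (RFC 1035); consumers such as SPF and
DKIM verifiers concatenate them with no separator (RFC 7208 section 3.3, RFC 6376
section 3.6.2.2). The p= value below is a constructed stand-in with the length of a
2048-bit RSA SubjectPublicKeyInfo, not a real key.
"""
import base64
import binascii
import re

MAX_STRING = 255


def split_txt(value: str) -> list:
    """Split a TXT value into chunks a zone file or DNS API will accept."""
    value.encode("ascii")   # SPF/DKIM/DMARC values are ASCII; anything else is an error here
    return [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)] or [""]


def join_txt(strings) -> str:
    """What a verifier does with the strings it receives: concatenate, no separator."""
    return "".join(strings)


def to_presentation(owner: str, strings) -> str:
    """Zone-file form, with backslash and double quote escaped inside each string."""
    quoted = " ".join('"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"' for s in strings)
    return f"{owner} TXT {quoted}"


def from_presentation(line: str):
    """Parse 'owner TXT "s1" "s2" ...' back into (owner, [s1, s2, ...])."""
    owner, _, rest = line.partition(" TXT ")
    strings = [re.sub(r"\\(.)", r"\1", m.group(1))
               for m in re.finditer(r'"((?:[^"\\]|\\.)*)"', rest)]
    return owner.strip(), strings


def parse_dkim(value: str) -> dict:
    """Parse a DKIM key record (RFC 6376 section 3.6.1) and decode p= the way a verifier would."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    if "v" in tags and tags["v"] != "DKIM1":
        raise ValueError("v= must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        raise ValueError(f"unsupported key type k={tags.get('k')}")
    if "p" not in tags:
        raise ValueError("p= is required")
    p = re.sub(r"\s+", "", tags["p"])   # folding whitespace inside p= is allowed and must be dropped
    tags["p"] = p
    tags["revoked"] = p == ""           # an empty p= means the key has been revoked
    if p:
        try:
            tags["key_der"] = base64.b64decode(p, validate=True)
        except binascii.Error as exc:
            raise ValueError("p= is not valid base64 (truncated record?)") from exc
    return tags


def is_valid_dkim(value: str) -> bool:
    try:
        parse_dkim(value)
        return True
    except ValueError:
        return False


# Constructed: 294 bytes, the size of a 2048-bit RSA SubjectPublicKeyInfo, but not a key.
FAKE_SPKI = bytes(range(256)) + bytes(range(38))
DKIM_VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(FAKE_SPKI).decode("ascii")   # 410 characters

if __name__ == "__main__":
    parts = split_txt(DKIM_VALUE)
    print(to_presentation("selector1._domainkey.example.com", parts))
    print(len(parts), "strings;", "valid" if is_valid_dkim(join_txt(parts)) else "broken")
    print("first string alone:", "valid" if is_valid_dkim(parts[0]) else "broken (truncated key)")
```

The last line is the failure this issue describes: a provider that keeps only the first 255 characters leaves a p= whose length is not a multiple of 4, so the key does not decode and every signature from that selector fails verification.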
Issue 3: Conflicting Records
Problem: Multiple verification records from different services at the same name
Solution: Verification tokens, SPF and anything else at the apex can coexist as separate TXT records; add each as its own record rather than appending it to an existing one:
example.com TXT "v=spf1 ..."
example.com TXT "google-site-verification=..."
example.com TXT "MS=ms..."
_dmarc.example.com TXT "v=DMARC1; ..."
# All can coexist
The one real conflict is two v=spf1 records at the same name (see Managing Multiple TXT Records above): merge their mechanisms into a single record instead.
Complete TXT Record Setup Example
Comprehensive email security setup:
# SPF (email authentication)
example.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
# DKIM (message signing)
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=[PUBLIC_KEY]"
# DMARC (policy enforcement)
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1"
# Domain verification (Google)
example.com TXT "google-site-verification=abcd1234"
# BIMI (logo display)
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/logo.svg"
Conclusion
DNS TXT records serve diverse purposes from email authentication to domain verification. Understanding these uses enables you to:
- Implement robust email security (SPF, DKIM, DMARC)
- Verify domain ownership for multiple services
- Configure service discovery
- Implement advanced security features (BIMI, DANE)
- Troubleshoot email and service issues
Proper TXT record configuration is foundational to modern email security and domain management. Whether you're implementing email authentication or verifying domain ownership, TXT records are the tool for the job.

