
TXT Record

Stores arbitrary human-readable or machine-readable text in DNS. The workhorse of email authentication, domain verification, and policy publication.

Overview

The DNS Swiss Army Knife

TXT records were originally designed for human-readable text associated with a hostname (RFC 1035). Over time, they became the standard mechanism for publishing machine-readable policy data — because any operator with DNS access can publish a TXT record without needing a new record type to be implemented by all DNS software.

TXT record values are one or more quoted strings up to 255 characters each. For longer data (like long DKIM public keys), multiple strings within the same record are concatenated by the resolver. Multiple TXT records on the same name are valid — and required in some cases (e.g., multiple DKIM selectors).

  • Each quoted string: max 255 bytes of content
  • Multiple strings in one record are concatenated: "part1" "part2"
  • Multiple TXT records on the same name are all returned
  • Only one SPF record allowed per name — multiple v=spf1 records = permerror
  • DKIM selectors each get their own subdomain, so multiple DKIM TXT records don't conflict

; Syntax
; Name [TTL] IN TXT "value"

; SPF (at apex)
@ IN TXT "v=spf1 include:_spf.google.com ~all"

; DKIM (at selector subdomain)
google._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQ..."

; DMARC (at _dmarc subdomain)
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

; Domain verification
@ IN TXT "google-site-verification=abc123xyz"
@ IN TXT "MS=ms12345678" ; Microsoft 365

; Long value split across strings
@ IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgk" "qhkiG9w0BAQEFAAOCAQ8AMIIBCgKC" "AQEA..." ; concatenated by resolver

Common Uses

What TXT Records Are Used For

SPF

Authorizes which servers may send email for the domain. Published at the zone apex.

"v=spf1 include:_spf.google.com ~all"

DKIM

Public key for verifying DKIM email signatures. Published at selector._domainkey.domain.

"v=DKIM1; k=rsa; p=MIIBIjAN..."

DMARC

Email authentication policy and reporting. Published at _dmarc.domain.

"v=DMARC1; p=reject; rua=mailto:..."

Domain Verification

Proves domain ownership to Google, Microsoft, GitHub, and other services.

"google-site-verification=abc123"

BIMI

Brand Indicators for Message Identification — attaches a logo to authenticated email.

"v=BIMI1; l=https://example.com/logo.svg"

MTA-STS

Mail Transfer Agent Strict Transport Security — enforces TLS for inbound email delivery.

"v=STSv1; id=20240101000000Z"

Diagnostics

Querying TXT Records

Look up all TXT records

# All TXT records at apex
dig thedns.guru TXT +short

# DMARC record
dig _dmarc.thedns.guru TXT +short

# DKIM selector
dig google._domainkey.thedns.guru TXT +short

# MTA-STS version
dig _mta-sts.thedns.guru TXT +short

Filter SPF from TXT records

# Show only the SPF record
# (match the version tag, not every record that happens to contain "spf")
dig thedns.guru TXT +short | grep 'v=spf1'

# Validate SPF syntax and lookup count
# (online: mxtoolbox.com/spf.aspx)

# Check for multiple SPF records
# (invalid — causes permerror)
dig thedns.guru TXT +short | grep -c 'v=spf1'
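
The string-concatenation rules and the multiple-SPF check described on this page, as an added Python example (not code from this page or from any tool it names): it parses `dig +short` TXT answer lines, joins the strings of each record, and flags more than one `v=spf1` record on a name. The function names and the `SAMPLE` answers are constructed for illustration.

```python
import re

# One quoted character-string in presentation format; \" and \\ may appear inside.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def _unescape(s):
    # dig prints \DDD (decimal byte) and \X (literal X) escapes inside strings.
    return re.sub(r'\\(\d{3}|.)',
                  lambda m: chr(int(m[1])) if len(m[1]) == 3 else m[1], s)

def parse_txt_line(line):
    """Return the character-strings of one TXT answer line (dig +short or zone rdata)."""
    return [_unescape(s) for s in _QUOTED.findall(line)]

def to_zone_strings(value, limit=255):
    """Split an ASCII value (e.g. a long DKIM key) into quoted strings of <= limit bytes."""
    raw = value.encode("ascii")
    parts = [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]
    return " ".join('"%s"' % p.replace("\\", "\\\\").replace('"', '\\"') for p in parts)

def audit_txt(lines):
    """Audit every TXT answer for one name. Returns (records, findings)."""
    records, findings = [], []
    for line in lines:
        strings = parse_txt_line(line)
        if not strings:
            continue
        for s in strings:
            if len(s) > 255:  # one character per byte once escapes are decoded
                findings.append("string over 255 bytes: %r..." % s[:16])
        records.append("".join(strings))  # joined with no separator, not even a space
    # An SPF record is "v=spf1" alone or followed by a space, case-insensitive.
    spf = [r for r in records if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(spf) > 1:
        findings.append("permerror: %d v=spf1 records on one name" % len(spf))
    return records, findings

# Constructed sample: apex answers with two SPF records and one split string.
SAMPLE = [
    '"v=spf1 include:_spf.google.com ~all"',
    '"google-site-verification=abc123xyz"',
    '"v=spf1 include:spf.example.net" " -all"',
    '"note=contains the word spf but is not an SPF record"',
]

if __name__ == "__main__":
    records, findings = audit_txt(SAMPLE)
    for item in records + findings:
        print(item)
```

The fourth sample record contains "spf" without being an SPF record, so it is not counted; the third shows that a space between mechanisms has to be inside one of the quoted strings, because none is added when they are joined.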