What Is a TXT Record
Learn what TXT records are and how they're used for domain verification, SPF, DKIM, and DMARC. Includes examples for the DNScale dashboard and API.
A TXT (Text) record stores arbitrary text data in DNS. While originally designed for human-readable notes, TXT records are now essential for domain verification, email authentication (SPF, DKIM, DMARC), and various security protocols.
How TXT Records Work
TXT records contain free-form text, typically enclosed in quotes:
example.com. 3600 TXT "v=spf1 include:_spf.google.com ~all"Multiple TXT records can exist for the same name, and a single TXT record can contain multiple strings that are concatenated.
Common Use Cases
Domain Verification
Prove domain ownership to third-party services:
# Google Search Console
example.com. 3600 TXT "google-site-verification=abc123..."
# Microsoft 365
example.com. 3600 TXT "MS=ms12345678"
# Let's Encrypt (DNS-01 challenge)
_acme-challenge.example.com. 300 TXT "gfj9Xq...token..."SPF (Sender Policy Framework)
Specify which servers can send email for your domain:
# Allow Google Workspace to send
example.com. 3600 TXT "v=spf1 include:_spf.google.com ~all"
# Allow your own mail server
example.com. 3600 TXT "v=spf1 mx a:mail.example.com -all"
# Multiple includes
example.com. 3600 TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"DKIM (DomainKeys Identified Mail)
Publish public keys for email signing:
google._domainkey.example.com. 3600 TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
selector1._domainkey.example.com. 3600 TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."DMARC (Domain-based Message Authentication)
Define policy for emails that fail SPF/DKIM:
_dmarc.example.com. 3600 TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
# Strict policy
_dmarc.example.com. 3600 TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"Security Policies
BIMI (Brand Indicators for Message Identification):
default._bimi.example.com. 3600 TXT "v=BIMI1; l=https://example.com/logo.svg"MTA-STS (Mail Transfer Agent Strict Transport Security):
_mta-sts.example.com. 3600 TXT "v=STSv1; id=20231107"Custom Application Data
Store any text data needed by your applications:
example.com. 3600 TXT "facebook-domain-verification=abc123"
example.com. 3600 TXT "stripe-verification=xyz789"Record Format
| Field | Description | Example |
|---|---|---|
| Name | Domain or subdomain | @, _dmarc, selector._domainkey |
| Type | Record type | TXT |
| Content | Text value (quoted) | "v=spf1 mx -all" |
| TTL | Time to live (seconds) | 3600 |
Long TXT Records
TXT records over 255 characters must be split into multiple strings:
example.com. 3600 TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" "MIIBCgKCAQEA..."DNScale handles this automatically when you enter long values.
Adding a TXT Record
Using the Dashboard
- Navigate to your zone in the DNScale dashboard
- Click Add Record
- Configure the record:
- Name: Enter the subdomain or
@for apex - Type: Select
TXT - Value: Enter the text content (quotes optional)
- TTL: Set the cache duration (default: 3600)
- Name: Enter the subdomain or
- Click Create Record
Using the API
Create an SPF record:
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "@",
"type": "TXT",
"content": "v=spf1 include:_spf.google.com ~all",
"ttl": 3600
}'Create a DMARC record:
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "_dmarc",
"type": "TXT",
"content": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
"ttl": 3600
}'Create a domain verification record:
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "@",
"type": "TXT",
"content": "google-site-verification=abc123xyz...",
"ttl": 3600
}'API Response:
{
"status": "success",
"data": {
"message": "Record created successfully",
"record": {
"id": "encoded-record-id",
"name": "example.com.",
"type": "TXT",
"content": "\"v=spf1 include:_spf.google.com ~all\"",
"ttl": 3600,
"disabled": false
}
}
}Email Authentication Setup Guide
Complete email authentication with SPF, DKIM, and DMARC:
Step 1: Add SPF Record
example.com. 3600 TXT "v=spf1 include:_spf.google.com ~all"Step 2: Add DKIM Record
google._domainkey.example.com. 3600 TXT "v=DKIM1; k=rsa; p=..."Step 3: Add DMARC Record
_dmarc.example.com. 3600 TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"Step 4: Monitor and Tighten
- Start with
p=noneto monitor - Move to
p=quarantineafter reviewing reports - Finally use
p=rejectfor full protection
Best Practices
-
Only one SPF record - Multiple SPF records cause delivery issues; combine into one
-
Use proper DMARC progression - Start with
p=none, thenp=quarantine, thenp=reject -
Keep verification records - Don't delete verification TXT records after initial setup
-
Quote special characters - Ensure quotes around values with spaces or special characters
-
Low TTL for challenges - Use short TTL (300s) for ACME/Let's Encrypt challenges
Testing TXT Records
Verify your TXT records with dig:
# Check all TXT records
dig TXT example.com
# Check SPF specifically
dig TXT example.com +short
# Check DMARC
dig TXT _dmarc.example.com
# Check DKIM
dig TXT google._domainkey.example.comOnline tools for email authentication testing:
- MXToolbox
- DMARC Analyzer
- Mail-Tester
Related Record Types
- MX - Mail server configuration
- CAA - Certificate authority restrictions
- TLSA - DANE certificate authentication
Conclusion
TXT records are versatile workhorses of modern DNS, essential for email security, domain verification, and custom application needs. Proper configuration of SPF, DKIM, and DMARC records is critical for email deliverability and security. DNScale makes it easy to manage all your TXT records from a single interface.