DNS TXT Record
Text Record
What is a TXT Record?
A DNS TXT record (Text record) allows domain administrators to store arbitrary text data in the DNS. Originally intended for human-readable notes, TXT records have evolved into a critical component of email authentication, domain verification, and security policies. They are one of the most versatile and widely used DNS record types.
The most common use of TXT records is for email authentication: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) all store their policies as TXT records. Additionally, services like Google, Microsoft, and various SaaS platforms use TXT records for domain ownership verification — you prove you own a domain by adding a specific TXT record to your DNS.
TXT records can hold up to 255 characters per string, but a single TXT record can contain multiple strings that are concatenated together, allowing for longer values. A domain can also have multiple TXT records, each serving a different purpose. However, having too many TXT records increases DNS response size and can cause issues when a UDP-based response exceeds the 512-byte limit.
Syntax & Examples
The data of a DNS TXT record is written as quoted text:
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
example.com. 3600 IN TXT "google-site-verification=abc123def456"
For longer values that exceed 255 characters (common with DKIM keys), the text is split into multiple quoted strings within a single record:
selector._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB" "AQUAA4GNADCBiQKBgQC...long_key..."
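The split-and-concatenate behaviour described above, as an added Python example that is not code from this page. The helper names join_txt, split_txt and audit are hypothetical, the sample records (including mail.example.net) are constructed, and only the \" and \\ escapes are handled.

```python
import re

# One quoted character-string in zone-file presentation format.
# Only the \" and \\ escapes are handled; decimal \DDD escapes are out of scope.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def join_txt(rdata):
    """Concatenate the quoted strings of one TXT record, with no separator."""
    parts = [re.sub(r'\\(.)', r'\1', m) for m in _QUOTED.findall(rdata)]
    if not parts:
        raise ValueError("no quoted strings in TXT rdata")
    if any(len(p.encode()) > 255 for p in parts):
        raise ValueError("a single string exceeds the 255-byte limit")
    return "".join(parts)

def split_txt(value, size=255):
    """Render a value as space-separated quoted strings of at most `size` bytes."""
    raw = value.encode("ascii")  # assumption: ASCII-only values (SPF, DKIM, DMARC)
    chunks = [raw[i:i + size].decode() for i in range(0, len(raw), size)] or [""]
    esc = lambda c: c.replace("\\", "\\\\").replace('"', '\\"')
    return " ".join('"' + esc(c) + '"' for c in chunks)

def audit(rdatas):
    """Join every TXT record of one name and flag more than one SPF policy."""
    values = [join_txt(r) for r in rdatas]
    spf = [v for v in values if v.lower().split(" ")[0] == "v=spf1"]
    findings = [f"{len(spf)} SPF records published; consolidate into one"] if len(spf) > 1 else []
    return values, findings

# Constructed sample rdata, modelled on the records shown above.
SAMPLE = [
    '"v=spf1 include:_spf.google.com ~all"',
    '"v=spf1 include:mail.example.net ~all"',
    '"google-site-verification=abc123def456"',
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB" "AQUAA4GNADCBiQKBgQC"',
]

if __name__ == "__main__":
    values, findings = audit(SAMPLE)
    for v in values:
        print(v)
    print(findings)
```

The strings are joined with no separator, so a space that belongs in the value has to sit inside one of the quoted strings.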
How to Query TXT Records
To query TXT records using dig, run: dig example.com TXT. For concise output: dig +short example.com TXT. To query for specific TXT records like SPF or domain verification, you may need to check the root domain and specific subdomains: dig _dmarc.example.com TXT for DMARC, or dig selector._domainkey.example.com TXT for DKIM.
With nslookup, use: nslookup -type=TXT example.com. On Windows PowerShell: Resolve-DnsName -Name example.com -Type TXT. Since domains often have multiple TXT records for different purposes (SPF, domain verification, etc.), the output may contain several entries. When troubleshooting email issues, always check TXT records at both the root domain and relevant subdomains.
Frequently Asked Questions
What is a DNS TXT record?
A DNS TXT record stores text-based information associated with a domain. While originally designed for human-readable notes, TXT records are now primarily used for email authentication (SPF, DKIM, DMARC), domain ownership verification, and various security policies.
What is the maximum length of a TXT record?
A single TXT string can be up to 255 characters. However, a TXT record can contain multiple strings that are concatenated together, effectively allowing longer values. The overall DNS response must fit within the UDP packet size limits, though EDNS0 and TCP fallback allow for larger responses.
How many TXT records can a domain have?
There is no hard limit on the number of TXT records a domain can have. However, having many TXT records increases DNS response size, which can cause performance issues or query failures. It's best practice to keep TXT records to a minimum and consolidate where possible (e.g., one SPF record instead of multiple).
What is the difference between TXT and SPF records?
The SPF record type (type 99) was deprecated in RFC 7208 in favor of storing SPF data in TXT records. Modern SPF policies should always be published as TXT records starting with 'v=spf1'. While the SPF record type still technically exists, most mail servers only check TXT records for SPF information.
How do I verify domain ownership with a TXT record?
Services like Google, Microsoft, and others provide a unique verification string (e.g., 'google-site-verification=abc123'). Add this as a TXT record at your domain's root in your DNS management panel. The service then queries your DNS to confirm the record exists, proving you control the domain.