DNS TXT Record

A DNS TXT record allows you to add text information and notes to a domain DNS configuration.


What is a DNS TXT record?

A TXT record, short for "text" (descriptive text), lets you publish text information intended for external readers, whether humans or machines.

It lets you store notes about a domain's DNS configuration directly in the zone.

A domain can have multiple TXT records.

These records are often used for email security, spam prevention, and for verifying and validating domain ownership.

The "value" field of a TXT record only accepts text (strings). This can be any text associated with a domain. DNS servers generally impose a limit on the size of TXT records and the number of characters they can store; see RFC 1035 for details.


Example of a TXT record:

Domain: example.com

Name   Record Type   Value                            TTL
@      TXT           This domain is great! 5 stars    33200


What type of data can be added to a TXT record?

RFC 1035 states that the "value" field of a TXT record accepts only text, in the form of one or more "strings." This can be any text associated with a domain.

Generally, DNS servers impose a limit on the size of TXT records and the number of characters they can store (often 255 characters per string; a longer value is split into several strings that the reading application joins back together).


How are TXT records used for email security and spam prevention?

Hackers and spammers often try to impersonate a domain and forge the email addresses and/or domains from which they send spam. TXT records are a key component of several email authentication methods (see below) that let a receiving mail server determine whether a message is legitimate and originates from a server authorized for the domain in question.

Common email authentication methods include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). Implementing and properly configuring these records allows domain administrators to prevent spoofing of their email and domains and to track spoofing attempts.

SPF Record: An SPF record (published as a TXT record) lists the servers authorized to send email on behalf of a domain.

DKIM Record: DKIM works by digitally signing each email with a public-private key pair. A valid signature shows that the message was signed by a key authorized for the domain it claims to come from and that the signed content was not altered in transit. The public key is published in a TXT record under the domain (at <selector>._domainkey.<domain>); the corresponding private key stays on the mail server.

DMARC Record: DMARC is an email authentication, policy, and reporting protocol designed to improve the security of email communication. Implementing a DMARC record requires that SPF and DKIM records already be in place. A DMARC record (a TXT record at _dmarc.<domain>) builds on the SPF and DKIM results for the domain. The record "value" holds the domain's DMARC policy, which tells receivers how to handle emails that fail or are not aligned with the SPF and DKIM checks, and where to send reports.


How do TXT records allow you to verify domain ownership?

Many tools, applications, and services connected to your domain now require you to prove ownership of the domain name before they will work. For example, email services require a specific DNS configuration.

By adding a TXT record containing a value that the provider has assigned to your domain, you prove that you manage and control the domain's DNS configuration, and are therefore accepted as its owner. The tool, application, or service provider can then query your domain's DNS zone and verify the presence (or sometimes the modification) of the requested TXT record. This procedure is similar to confirming an email address, where you receive a verification email and click a link to prove that you control the mailbox.
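The following added example (not code from the original page) shows, on the receiving or verifying side, how the TXT records described above are consumed: the 255-byte strings of a record are joined back together, the DMARC policy and the split DKIM public key are read out of their tag=value records, and a provider-style ownership check looks for an expected verification value. The zone data, the selector name sel1, and the verification token are all constructed placeholders; no live DNS lookup is performed.

```python
from typing import Dict, List, Optional

# Constructed sample zone (not a real domain's records). A resolver returns a
# TXT record as a list of <character-string>s of at most 255 bytes (RFC 1035);
# long values such as DKIM keys span several strings that must be joined.
SAMPLE_ZONE: Dict[str, List[List[bytes]]] = {
    "example.com": [[b"v=spf1 include:_spf.example.net -all"],
                    [b"verify-token=PLACEHOLDER-TOKEN-123"]],
    "_dmarc.example.com": [[b"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]],
    # placeholder DKIM key (not real key material), split across two strings
    "sel1._domainkey.example.com": [[b"v=DKIM1; k=rsa; p=" + b"A" * 236, b"B" * 100]],
}

def join_txt_strings(strings: List[bytes]) -> str:
    """Concatenate one TXT record's character-strings into its value."""
    if any(len(s) > 255 for s in strings):
        raise ValueError("TXT character-string exceeds 255 bytes")
    return b"".join(strings).decode("utf-8", errors="replace")

def parse_tags(value: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def dmarc_policy(zone, domain: str) -> Optional[str]:
    """Return the 'p=' policy at _dmarc.<domain>, or None if no DMARC record."""
    for rec in zone.get("_dmarc." + domain, []):
        tags = parse_tags(join_txt_strings(rec))
        if tags.get("v") == "DMARC1":
            return tags.get("p")
    return None

def dkim_public_key(zone, selector: str, domain: str) -> Optional[str]:
    """Reassemble the DKIM 'p=' key at <selector>._domainkey.<domain>."""
    for rec in zone.get(f"{selector}._domainkey.{domain}", []):
        tags = parse_tags(join_txt_strings(rec))
        if tags.get("v") == "DKIM1":
            return tags.get("p")
    return None

def ownership_verified(zone, domain: str, expected: str) -> bool:
    """Provider-side check: is the requested verification TXT value present?"""
    return any(join_txt_strings(r) == expected for r in zone.get(domain, []))
```

Against real DNS, replace SAMPLE_ZONE lookups with the TXT answers from a resolver library, keeping the same string-joining and tag-parsing steps.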