TXT Records: The Swiss Army Knife of DNS (2026)
TXT records are the most versatile record type in DNS. Originally designed for human-readable notes, they now power email authentication (SPF, DKIM, DMARC), domain ownership verification, and a growing list of security protocols. This guide covers everything from basic syntax to advanced use cases.
What Are TXT Records?
A TXT (Text) record is a DNS record type that stores arbitrary text data associated with a domain name. Defined in RFC 1035, TXT records were originally intended to carry human-readable information. Over time, they became the standard way to publish machine-readable data in DNS.
A domain can have multiple TXT records, each serving a different purpose. For example, a typical domain might have TXT records for SPF email authentication, Google site verification, and a DMARC policy — all coexisting at the same domain or at different subdomains.
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
example.com. IN TXT "google-site-verification=abc123..."
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
TXT Records for Email Authentication
The most critical use of TXT records is email authentication. Three major protocols rely entirely on TXT records to publish their policies:
SPF (Sender Policy Framework)
SPF uses a TXT record at the domain apex to declare which IP addresses and servers are authorized to send email on behalf of your domain. Receiving servers check this record to verify that incoming email originates from an authorized source.
example.com. IN TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all"
SPF records have a critical limitation: the 10 DNS lookup limit. Each include, a, mx, and redirect mechanism triggers a DNS lookup, and exceeding 10 causes SPF to fail. Use our SPF Checker to verify your SPF record is valid and within the lookup limit. For a deep dive, read our SPF Lookup Limit Guide.
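The lookup count can be checked offline before a record is published. The following is an added example, not part of the original guide: it walks include and redirect targets recursively over a constructed ZONE dictionary that stands in for live DNS, and the names ZONE, count_lookups and check_spf are illustrative.

```python
# Constructed sample data standing in for live DNS answers (not real records).
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example mx -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.example": "v=spf1 a:out.mail.example ~all",
}

# Terms that cost one DNS lookup each. The text above names include, a, mx and
# redirect; RFC 7208 also counts ptr and exists.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def count_lookups(domain, zone, path=()):
    """Total DNS lookups needed to evaluate the SPF record published at domain."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        # "include:host", "redirect=host", "a", "mx/24" -> term name and argument
        name, _, arg = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and arg:
            # the referenced record's own lookups count against the same limit
            total += count_lookups(arg, zone, path + (domain,))
    return total


def check_spf(domain, zone=ZONE):
    """Return (lookup_count, within_limit) for domain."""
    n = count_lookups(domain, zone)
    return n, n <= MAX_LOOKUPS


if __name__ == "__main__":
    print(check_spf("example.com"))
```

The nested includes are what usually push a record over the limit: the apex record above has only two lookup terms of its own, but evaluation costs five.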
DKIM (DomainKeys Identified Mail)
DKIM publishes the public key used to verify email signatures in a TXT record at a specific subdomain. The record name follows the format [selector]._domainkey.example.com:
google._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3D..."
DKIM keys can be quite long (especially 2048-bit RSA keys), which means they often exceed the 255-character string limit in TXT records. The key is split into multiple quoted strings that the DNS server concatenates. Use our DKIM Checker to verify your DKIM key is published correctly and the signature is valid.
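The split and the reassembly can be tested together, so that a key is known to survive the round trip before it goes into a zone. This is an added example, not code from the original guide; the key material is a constructed 294-byte placeholder (the size of a 2048-bit RSA public key in DER form), and all function names are illustrative.

```python
import base64
import re

MAX_STRING = 255  # longest single string inside a TXT record

# Constructed placeholder bytes, not a real key.
FAKE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
VALUE = "v=DKIM1; k=rsa; p=" + FAKE_KEY


def to_zone_strings(value, size=MAX_STRING):
    """Split a TXT value into quoted strings of at most `size` characters."""
    if not value.isascii():
        raise ValueError("expected ASCII text")
    chunks = [value[i:i + size] for i in range(0, len(value), size)]
    # escape backslashes and quotes after chunking so the data length is what is limited
    return ['"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks]


def from_zone_strings(rdata):
    """Rebuild the value from zone-file text such as '"abc" "def"'."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)


def parse_dkim(value):
    """Return the tag=value pairs of a DKIM key record as a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop whitespace inside p=
    return tags


def roundtrip(value=VALUE):
    """Split, rejoin and decode; returns (strings, rebuilt value, key length)."""
    strings = to_zone_strings(value)
    rebuilt = from_zone_strings(" ".join(strings))
    key = base64.b64decode(parse_dkim(rebuilt)["p"], validate=True)
    return strings, rebuilt, len(key)


if __name__ == "__main__":
    strings, rebuilt, key_len = roundtrip()
    print(len(strings), rebuilt == VALUE, key_len)
```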
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC publishes its policy as a TXT record at the _dmarc subdomain. It tells receiving servers what to do when SPF and DKIM checks fail and where to send aggregate reports:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=s; aspf=s"
Verify your DMARC configuration with our DMARC Checker. For a comprehensive overview of how SPF, DKIM, and DMARC work together, see our SPF, DKIM & DMARC Explained guide.
TXT Records for Domain Verification
Many services use TXT records to verify domain ownership. When you add a domain to a service, it provides a unique verification string that you add as a TXT record. The service then queries DNS to confirm you control the domain.
Common services that use TXT-based domain verification:
- Google Search Console: google-site-verification=...
- Microsoft 365: MS=ms12345678
- Facebook: facebook-domain-verification=...
- Apple: apple-domain-verification=...
- Stripe: stripe-verification=...
- Postmark: postmark-verification=...
These verification records can safely coexist with your email authentication TXT records. A domain can have unlimited TXT records.
Other TXT Record Uses
- MTA-STS reporting: The _mta-sts.example.com TXT record signals support for MTA-STS and includes a version identifier for cache busting.
- SMTP TLS Reporting: The _smtp._tls.example.com TXT record specifies where to send TLS-RPT reports about TLS connection failures.
- BIMI: The default._bimi.example.com TXT record publishes the location of your brand's logo for display in email clients. See our BIMI guide for details.
- ACME DNS challenge: Let's Encrypt and other CAs use TXT records at _acme-challenge.example.com to verify domain ownership during certificate issuance.
- security.txt reference: Some organizations use TXT records to point to their security.txt file location.
TXT Record Syntax and Limitations
TXT records have specific syntax rules and limitations that catch many administrators off guard:
- 255-character string limit. A single TXT record string cannot exceed 255 characters. For longer values, the text must be split into multiple quoted strings that the DNS server concatenates automatically.
- Total record size. While individual strings are limited to 255 characters, a single TXT record can contain multiple strings totaling up to approximately 65,535 bytes (the UDP DNS message size limit). In practice, records over 4,096 bytes may cause issues with some resolvers.
- Quoting. TXT record values should be enclosed in double quotes. Some DNS providers add quotes automatically, others require you to include them. Double-quoting can lead to escaped quotes appearing in the record value.
- Character escaping. Special characters like semicolons, backslashes, and double quotes may need to be escaped depending on your DNS provider's interface.
Here is an example of a long TXT record split into multiple strings (this is how DKIM keys are typically published):
selector._domainkey.example.com. IN TXT (
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
"zV4nR8Dq6F3B0e0pCkGZoRfNmY7VmqKjDvPNfXvDBoPd2E..."
"xQ8kH7qQlBR3kZvNtIDAQAB" )
Best Practices for Managing TXT Records
- Keep only one SPF record. Having multiple SPF TXT records at the same domain name is a configuration error that causes SPF to return permerror. Combine all mechanisms into a single SPF record.
- Document your records. Maintain a spreadsheet or documentation of what each TXT record does. Over time, domains accumulate verification records that are no longer needed.
- Audit regularly. Use our TXT Lookup tool to view all TXT records on your domain. Remove records for services you no longer use.
- Use appropriate TTLs. For email authentication records (SPF, DKIM, DMARC), a TTL of 3600 (1 hour) is standard. For domain verification records, you can use longer TTLs since they rarely change.
- Test before publishing. Always validate your TXT record syntax before adding it to DNS. A malformed SPF or DMARC record can cause email delivery failures.
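Part of this checklist can be automated against an export of your zone. The following is an added example, not part of the original guide: it labels each TXT record by purpose for your documentation and flags duplicate SPF records, a DMARC policy outside the _dmarc subdomain, and values where the quotes were stored literally. RECORDS is constructed sample data and the function names are illustrative.

```python
from collections import defaultdict

# Constructed sample data: (owner name, TXT value) pairs as a zone export might list them.
RECORDS = [
    ("example.com", "v=spf1 include:_spf.google.com ~all"),
    ("example.com", "v=spf1 ip4:203.0.113.0/24 -all"),
    ("example.com", "google-site-verification=abc123"),
    ("example.com", '"MS=ms12345678"'),      # quotes stored as part of the value
    ("example.com", "v=DMARC1; p=reject"),   # DMARC published at the wrong name
    ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
]

# Prefixes taken from the records shown in this guide (compared in lower case).
PURPOSES = [
    ("v=dkim1", "DKIM"), ("v=dmarc1", "DMARC"),
    ("google-site-verification=", "Google verification"),
    ("ms=", "Microsoft 365 verification"),
    ("facebook-domain-verification=", "Facebook verification"),
    ("apple-domain-verification=", "Apple verification"),
    ("stripe-verification=", "Stripe verification"),
    ("postmark-verification=", "Postmark verification"),
]


def classify(value):
    """Label a TXT value by its leading tag."""
    v = value.strip('"').lower()
    if v == "v=spf1" or v.startswith("v=spf1 "):  # exact version tag, not "v=spf10"
        return "SPF"
    for prefix, purpose in PURPOSES:
        if v.startswith(prefix):
            return purpose
    return "unknown"


def audit(records):
    """Return (inventory by owner name, list of (name, finding))."""
    inventory, findings = defaultdict(list), []
    for name, value in records:
        purpose = classify(value)
        inventory[name.lower()].append(purpose)
        if value.startswith('"') and value.endswith('"'):
            findings.append((name, "literal quotes stored in value"))
        if purpose == "DMARC" and not name.lower().startswith("_dmarc."):
            findings.append((name, "DMARC record outside _dmarc subdomain"))
    for name, purposes in inventory.items():
        if purposes.count("SPF") > 1:
            findings.append((name, "multiple SPF records (permerror)"))
    return dict(inventory), findings
```

Records labelled "unknown" are the ones to trace back to an owner or remove.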
How to Check Your TXT Records
Use our free tools to inspect and validate your TXT records:
- TXT Lookup — View all TXT records for any domain, including subdomains.
- SPF Checker — Validate your SPF record syntax, lookup count, and authorized senders.
- DKIM Checker — Verify your DKIM public key is correctly published and functional.
- DMARC Checker — Validate your DMARC policy, alignment settings, and reporting configuration.