What are TXT records?

TXT records are flexible DNS records used for email authentication (SPF, DKIM, DMARC), domain verification, and certificate issuance challenges. This guide covers their major uses, structure, security considerations, and enumeration risks.


What they are

A TXT record is a DNS record type that holds arbitrary text data, originally intended for human-readable notes but now used overwhelmingly for machine-readable authentication and verification. TXT records have become one of the most functionally important record types in modern DNS because they serve as the delivery mechanism for SPF, DKIM, and DMARC, the three pillars of email authentication.

SPF (Sender Policy Framework)

An SPF record is published as a TXT record at the domain name a receiver checks, which is the envelope sender (MAIL FROM) domain or, when the envelope sender is empty, the HELO name; in practice that is usually the apex. It declares which IP addresses and mail servers are authorized to send email for that domain. A typical SPF record looks like:

v=spf1 include:_spf.google.com include:amazonses.com -all

The include mechanism pulls in another domain's SPF record, ip4/ip6 authorize specific addresses or CIDR ranges, and the trailing all term says what to do with everything else: -all is a hard fail (the sender is not authorized), ~all a soft fail, and +all authorizes the whole Internet, which defeats the record's purpose. SPF allows at most 10 DNS-lookup-causing terms per evaluation (include, a, mx, ptr, exists and the redirect modifier; ip4, ip6 and all cost nothing). Exceeding the limit is a permerror, which most receivers treat as a failure, so a record that includes too many vendors can cause legitimate mail to fail validation.
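The lookup budget is easiest to see by walking the include chains statically. The following is an added example, not code from the original page: a dict of constructed records stands in for live DNS (the vendor names and addresses are invented) so the check runs offline, and it reports the worst-case lookup count plus the meaning of the record's all term. A real checker would fetch each record with a resolver library instead of the dict.

```python
# Static SPF lint: walk include/redirect chains through constructed records and count
# the terms that cost a DNS lookup against the RFC 7208 limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
ALL_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfPermError(Exception):
    """Mirrors the 'permerror' result a receiver returns for a broken record."""


def parse_spf(txt):
    """Split an SPF record into (qualifier, name, value, is_modifier) terms."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SpfPermError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        head = term.split(":", 1)[0]
        if "=" in head:                        # modifier such as redirect= or exp=
            name, _, value = term.partition("=")
            parsed.append(("", name.lower(), value, True))
            continue
        qualifier = "+"                        # mechanisms default to a 'pass' qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.split("/")[0].lower(), value, False))
    return parsed


def count_lookups(domain, zone, _budget=None):
    """Worst-case lookup count reachable from `domain`. Real evaluation stops at the
    first matching mechanism, so the live count depends on the sending IP; the static
    count is what an auditor cares about because any sender may reach the end."""
    if _budget is None:
        _budget = [0]
    record = zone.get(domain.lower())
    if record is None:
        raise SpfPermError(f"no SPF record at {domain}")
    for _qual, name, value, is_modifier in parse_spf(record):
        follows = name == "include" or (is_modifier and name == "redirect")
        if follows or (not is_modifier and name in LOOKUP_MECHANISMS):
            _budget[0] += 1
            if _budget[0] > MAX_LOOKUPS:
                raise SpfPermError("too many DNS lookups (limit 10)")
        if follows:
            count_lookups(value, zone, _budget)
    return _budget[0]


def all_policy(txt):
    """What happens to senders that match nothing: the qualifier on 'all'."""
    for qual, name, _value, is_modifier in parse_spf(txt):
        if not is_modifier and name == "all":
            return ALL_MEANING[qual]
    return "neutral"                           # no 'all' term: non-matching senders get neutral


def lint_spf(domain, zone):
    """Summary a practitioner wants: lookup budget used and what the all term means."""
    record = zone.get(domain.lower())
    if record is None:
        return {"lookups": None, "all": None, "error": f"no SPF record at {domain}"}
    try:
        lookups, error = count_lookups(domain, zone), None
    except SpfPermError as exc:
        lookups, error = None, str(exc)
    return {"lookups": lookups, "all": all_policy(record), "error": error}


# Constructed records (assumption: invented names and addresses, not live DNS).
SPF_ZONE = {
    "example.com": "v=spf1 include:_spf.vendor-a.test include:_spf.vendor-b.test ip4:203.0.113.0/24 -all",
    "_spf.vendor-a.test": "v=spf1 include:_netblocks.vendor-a.test ip4:198.51.100.0/24 ~all",
    "_netblocks.vendor-a.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.vendor-b.test": "v=spf1 a mx include:_spf.vendor-a.test -all",
}
# A chain of includes one hop too long: every hop costs a lookup, so hop0 needs 11.
SPF_CHAIN = {f"hop{i}.test": f"v=spf1 include:hop{i + 1}.test -all" for i in range(11)}
SPF_CHAIN["hop11.test"] = "v=spf1 ip4:192.0.2.1 -all"

if __name__ == "__main__":
    print(lint_spf("example.com", SPF_ZONE))   # 7 lookups; vendor-a is counted twice
    print(lint_spf("hop0.test", SPF_CHAIN))    # permerror: too many DNS lookups
```

Note that _spf.vendor-a.test is reached twice (directly and through vendor-b) and is charged twice; receivers do not deduplicate, which is why a handful of vendors that themselves nest includes can exhaust the budget.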

DKIM (DomainKeys Identified Mail)

DKIM uses public-key cryptography to sign outgoing mail: the sending system signs selected headers and a hash of the body with a private key and adds the result as a DKIM-Signature header, whose d= tag names the signing domain and s= tag names the selector. The matching public key is published as a TXT record at selector._domainkey.example.com, in the form v=DKIM1; k=rsa; p=<base64 public key>. A receiving server retrieves that key via DNS and uses it to verify the signature. If the signature validates, the receiver has reasonable assurance that the message was signed by a system holding the domain's private key and that the signed parts were not modified in transit. Because the signature travels with the message, it survives forwarding, which SPF does not.

Selectors allow a domain to use multiple signing keys simultaneously, for example different keys for different email providers, or key rotation without disrupting delivery. Publishing a record with an empty p= value revokes that selector.
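What a verifier actually pulls out of that TXT record, and the checks worth running on a selector before trusting it (revoked key, testing flag, key size), as an added example that is not code from the original page. The p= value is a base64 SubjectPublicKeyInfo, so the block includes a minimal DER walker to read the RSA modulus length; the sample keys are constructed (fixed odd numbers of the right size, not real keys) and exist only to exercise the structure.

```python
import base64


# --- minimal DER (the encoder only builds the constructed sample keys below) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                      # INTEGER is signed: keep a large modulus positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key: the DER that a DKIM p= tag carries base64-encoded."""
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))                          # RSAPublicKey
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))                    # BIT STRING, 0 unused bits


def _der_read(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    tag, outer, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg, after_alg = _der_read(outer)    # skip AlgorithmIdentifier
    _, bits, _ = _der_read(outer, after_alg)
    _, rsa_key, _ = _der_read(bits[1:])      # drop the unused-bits byte
    _, modulus, _ = _der_read(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()


# --- DKIM key record (RFC 6376 section 3.6.1) ---
def dkim_record_name(selector, domain):
    return f"{selector}._domainkey.{domain}"


def parse_tags(txt):
    """tag=value list, the syntax DKIM key records use."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_key(txt):
    """Flags a practitioner checks before trusting a selector: revoked, testing, key size."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    result = {"revoked": False, "testing": "y" in tags.get("t", ""), "bits": 0, "weak": False}
    pub = "".join(tags.get("p", "").split())  # p= may be split over several TXT strings
    if not pub:
        result["revoked"] = True               # empty p= means the key is revoked
        return result
    if tags.get("k", "rsa") == "rsa":
        result["bits"] = rsa_modulus_bits(base64.b64decode(pub))
        result["weak"] = result["bits"] < 2048  # RFC 8301: verifiers reject <1024, signers should use >=2048
    return result


# Constructed sample records (assumption: not real keys, only structure and length matter).
SAMPLE_2048 = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 2047) | 1, 65537)).decode()
SAMPLE_1024 = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(rsa_spki((1 << 1023) | 1, 65537)).decode()
SAMPLE_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for label, rec in [("2048", SAMPLE_2048), ("1024", SAMPLE_1024), ("revoked", SAMPLE_REVOKED)]:
        print(dkim_record_name("s1", "example.com"), label, check_dkim_key(rec))
```

The DER walker is deliberately narrow (RSA only, no Ed25519 k=ed25519 records); its point is that the key length is recoverable from DNS alone, so an auditor can flag 1024-bit selectors across an estate without touching any mail.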

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

A DMARC policy is published as a TXT record at _dmarc.example.com and tells receivers how to handle messages that fail DMARC, meaning neither SPF nor DKIM produced a pass whose domain aligns with the domain in the visible From: header. Policies range from p=none (monitor only) through p=quarantine (deliver to spam or hold) to p=reject (refuse the message). The rua= tag names where aggregate reports go and ruf= where failure (forensic) reports go, giving domain owners visibility into who is sending email using their domain; sp= sets a separate policy for subdomains. A minimal enforcing record:

v=DMARC1; p=reject; rua=mailto:[email protected];
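The alignment rule is what most DMARC confusion comes down to: an SPF pass for a vendor's bounce domain does not help a From: header on your domain. The following added example (not code from the original page) evaluates a message against a constructed _dmarc record, including policy discovery at the organizational domain and the sp= subdomain policy. The organizational-domain function is a deliberate simplification (last two labels); real implementations consult the Public Suffix List, and the domains and report address are invented.

```python
# Constructed DMARC zone (assumption: invented domains and report address).
DMARC_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(txt):
    """tag=value list; v= and p= are mandatory (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(name):
    """Organizational domain. Assumption: last two labels; real code uses the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains, strict ('s') exact names."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def discover_policy(from_domain, zone):
    """Look at _dmarc.<From domain>, then _dmarc.<organizational domain> (RFC 7489 section 6.6.3)."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        txt = zone.get(f"_dmarc.{candidate}")
        if txt:
            return parse_dmarc(txt), candidate
    return None, None


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, zone):
    """Return (dmarc_result, disposition). spf_domain is the MAIL FROM domain SPF was
    checked against; dkim_domain is the d= of a signature that verified."""
    policy, policy_domain = discover_policy(from_domain, zone)
    if policy is None:
        return "none", "none"                  # no record: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"                  # one aligned pass is enough
    if from_domain.lower() != policy_domain and "sp" in policy:
        return "fail", policy["sp"]            # subdomain policy from the org-domain record
    return "fail", policy["p"]


if __name__ == "__main__":
    # Vendor sends with its own bounce domain and a DKIM d= that is a subdomain: strict adkim rejects it.
    print(dmarc_evaluate("example.com", "pass", "vendor-a.test", "pass", "mail.example.com", DMARC_ZONE))
    # Unauthenticated mail from a subdomain picks up sp=quarantine, not p=reject.
    print(dmarc_evaluate("news.example.com", "fail", "news.example.com", "fail", "", DMARC_ZONE))
```

The second call in the usage shows why sp= matters: an attacker who cannot spoof the apex will try a subdomain, and a record without sp= leaves subdomains under p=, but one that sets a weaker sp= hands them a softer policy.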

Domain ownership verification

Cloud platforms and SaaS services commonly use TXT records to verify domain ownership. Google Workspace, Microsoft 365, Facebook, and others ask domain owners to publish a specific TXT record (e.g., google-site-verification=...) as proof that they control the domain's DNS. This verification model is widespread because TXT records can be created without disrupting any existing services.

ACME and certificate challenges

Let's Encrypt and other ACME-based certificate authorities support a DNS-01 challenge in which the domain owner publishes a TXT record at _acme-challenge.example.com before a TLS certificate is issued. The value is not arbitrary: it is the base64url-encoded SHA-256 of the challenge token joined to the ACME account key's thumbprint, so only the account that requested the certificate can produce it. DNS-01 is the only validation method Let's Encrypt accepts for wildcard certificates, and it also works for hosts that are not reachable over HTTP. Two operational caveats: the DNS API credential that automates the challenge can usually modify the entire zone, so scope it as narrowly as the provider allows, and challenge records should be removed after issuance rather than left to accumulate.
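How the challenge value is derived on both sides, as an added example that is not code from the original page or from any ACME client: the client computes the key authorization from the token and its account key thumbprint (RFC 7638), hashes it, and publishes the base64url digest; the CA recomputes the same value and looks for it among the TXT strings. The account JWK and token are constructed placeholders, not a real key, and the JWS-signed ACME requests that surround this step are out of scope.

```python
import base64
import hashlib
import json


def b64url(data):
    """Base64url without padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over only the required members, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token, account_jwk):
    """Value the client publishes at _acme-challenge.<domain> (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def challenge_name(domain):
    """A wildcard *.example.com is validated at the same name as example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def ca_validates(domain, token, account_jwk, txt_zone):
    """CA side: query TXT at the challenge name and look for the expected value."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in txt_zone.get(challenge_name(domain), [])


# Constructed inputs (assumption: fake account key and token, not from any real ACME account).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y", "alg": "ES256"}
TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    zone = {challenge_name("*.example.com"): [value]}      # what the client's DNS API call creates
    print(challenge_name("*.example.com"), value)
    print("fresh token validates:", ca_validates("*.example.com", TOKEN, ACCOUNT_JWK, zone))
    print("stale record validates a new token:", ca_validates("example.com", "next-token", ACCOUNT_JWK, zone))
```

The last line of the usage is the reason leftover _acme-challenge records are clutter rather than a credential: each order gets a fresh token, so an old value never satisfies a new challenge. The exposure from DNS-01 sits in the automation credential, not in the published record.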

Security considerations

TXT records are publicly queryable, and their contents can reveal useful intelligence to both defenders and attackers:

  • Email infrastructure fingerprinting. SPF include targets and DKIM selectors disclose which email providers and sending services a domain uses, which tells a phisher which vendor's sending path and templates to imitate
  • Verification token exposure. A verification record for a service the organization no longer uses is a standing proof of domain control for whichever account originally claimed it; paired with a forgotten or compromised account at that service, it can let an outsider act as the domain's owner there. Inventory verification records and remove those for decommissioned services
  • Record size limits. A single TXT character-string is limited to 255 bytes; a record can hold several strings, which receivers concatenate, and that is how 2048-bit DKIM keys are published. Records that push a response past the 512-byte UDP limit without EDNS force truncation and a TCP retry, which some resolvers and middleboxes handle badly
  • Enumeration. Querying TXT records across a domain's subdomains, and at well-known names such as _dmarc, selector._domainkey and _acme-challenge, can reveal internal service usage, vendor relationships, and infrastructure details
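The enumeration, fingerprinting and size points above combined into one inventory pass, as an added example that is not code from the original page: it takes TXT answers in the shape a resolver returns them (a tuple of character-strings per record), joins the strings into one value, classifies each record, and reports the vendors trusted by SPF, the services the domain has verified with, and challenge records left behind. The answers are constructed, the list of verification prefixes is a small sample rather than a complete catalogue, and the zone-file splitter assumes ASCII values. A real run would gather the input with a resolver over a subdomain list.

```python
import re

# Constructed TXT answers (assumption: invented records; each TXT RDATA is a tuple of
# character-strings of at most 255 bytes, RFC 1035 section 3.3.14).
SAMPLE_TXT = {
    "example.com": [
        ("v=spf1 include:_spf.google.com include:amazonses.com -all",),
        ("google-site-verification=constructed-token-1",),
        ("MS=ms00000000",),
        ("facebook-domain-verification=constructed-token-2",),
    ],
    "_dmarc.example.com": [("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",)],
    "s1._domainkey.example.com": [("v=DKIM1; k=rsa; p=" + "A" * 236, "B" * 180)],  # two strings
    "_acme-challenge.example.com": [("constructed-stale-challenge-value",)],
}

VERIFICATION_PREFIXES = ("google-site-verification", "MS", "facebook-domain-verification",
                         "apple-domain-verification", "atlassian-domain-verification")
KINDS = [
    ("spf", re.compile(r"^v=spf1(\s|$)", re.I)),
    ("dmarc", re.compile(r"^v=DMARC1\s*;", re.I)),
    ("dkim", re.compile(r"^v=DKIM1\s*;", re.I)),
]


def join_strings(strings):
    """A multi-string TXT RDATA is one logical value: concatenate with no separator."""
    for s in strings:
        if len(s.encode()) > 255:
            raise ValueError("TXT character-string longer than 255 bytes")
    return "".join(strings)


def split_for_zone(value, limit=255):
    """Publishing side: break a long value into quoted <=255-byte strings for a zone file."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)


def classify(name, value):
    if name.startswith("_acme-challenge."):
        return "acme-challenge"
    for kind, pattern in KINDS:
        if pattern.search(value):
            return kind
    if value.split("=", 1)[0] in VERIFICATION_PREFIXES:
        return "verification"
    return "unknown"


def inventory(txt_answers):
    """Recon view of a domain's TXT records: senders it trusts, services it has verified
    with, and challenge records left behind after issuance."""
    report = {"records": {}, "vendors": set(), "verification": [], "acme_leftovers": []}
    for name, rrset in txt_answers.items():
        for strings in rrset:
            value = join_strings(strings)
            kind = classify(name, value)
            report["records"].setdefault(name, []).append(kind)
            if kind == "spf":
                report["vendors"].update(t.split(":", 1)[1] for t in value.split()
                                         if t.lower().startswith("include:"))
            elif kind == "verification":
                report["verification"].append(value.split("=", 1)[0])
            elif kind == "acme-challenge":
                report["acme_leftovers"].append(name)
    return report


if __name__ == "__main__":
    rep = inventory(SAMPLE_TXT)
    print("mail vendors:", sorted(rep["vendors"]))
    print("verified with:", sorted(rep["verification"]))
    print("stale challenges:", rep["acme_leftovers"])
    print(split_for_zone("v=DKIM1; k=rsa; p=" + "A" * 300))   # how a long key goes into a zone file
```

Run against a real domain the same report is what an attacker assembles in the first minutes of reconnaissance, which is the argument for running it yourself on a schedule and treating every verification and challenge record as something with an owner and an expiry.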

A related but separate record type, CAA (Certificate Authority Authorization), controls which CAs may issue certificates for a domain. Though not a TXT record, it serves a similar declarative-policy function in DNS and is covered in the DNS records explained reference.
