A DNS TXT record (Text record) stores arbitrary human-readable or machine-readable text within a DNS zone. Originally designed for informational annotations, TXT records have evolved into the Swiss Army knife of DNS — today they carry email authentication policies, domain ownership proofs, and security configurations that are critical to the modern web.
What Is a TXT Record?
A TXT record stores one or more text strings associated with a domain name. Unlike A or MX records, TXT records have no defined structure — the content can be anything from a plain sentence to a structured policy string. DNS clients and services that query TXT records parse the content themselves according to whatever specification they implement.
TXT records are queried the same way as any other DNS record type: a client sends a query specifying the type TXT and a domain name, and the authoritative nameserver responds with all TXT records published at that name.
TXT Record Syntax
; TXT record syntax
; NAME TTL CLASS TYPE "text content"
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
; Domain verification TXT record (Google Search Console example)
example.com. 3600 IN TXT "google-site-verification=abc123xyz"
; DMARC policy record (published at _dmarc subdomain)
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"The text content is enclosed in double quotes in zone file format. The content itself can include any printable ASCII characters. Quotes within the content must be escaped.
TXT Record Length Limits
A single DNS string in a TXT record is limited to 255 characters. However, a TXT record can contain multiple strings concatenated together, and the total size of a TXT record is bounded only by the maximum DNS message size (traditionally 512 bytes over UDP, or larger with EDNS0 and DNS over TCP).
For records that exceed 255 characters (such as DKIM public keys), the content is split into multiple quoted strings within the same TXT record. Resolvers concatenate them:
; DKIM record split into multiple strings (each ≤255 chars)
selector._domainkey.example.com. 3600 IN TXT
"v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2a2rwplBQLzHPZe5T"
"pBnPADJBs9Z5Rk9pBNjKDVpLfCJOEBynQgqFGXIBkLKJMRDMSdOhXtPFQR"Common Uses of TXT Records
SPF (Sender Policy Framework)
SPF is an email authentication mechanism stored as a TXT record at the root domain. It specifies which mail servers are authorized to send email on behalf of your domain. Receiving mail servers query the SPF record to verify that incoming messages originate from an authorized source.
; SPF TXT record
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
; Common SPF mechanisms:
; include:domain — authorize another domain's SPF servers
; ip4:x.x.x.x — authorize a specific IPv4 address or range
; ~all — softfail (flag but don't reject) unlisted senders
; -all — hardfail (reject) unlisted sendersDKIM (DomainKeys Identified Mail)
DKIM stores a public key as a TXT record at a selector subdomain. Mail servers use this public key to verify the cryptographic signature added to outgoing emails by your mail provider's private key. This proves the email was sent by an authorized server and has not been modified in transit.
; DKIM public key TXT record
; Published at: selector._domainkey.example.com
google._domainkey.example.com. 3600 IN TXT
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5N3lnvvrY"DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC is published as a TXT record at _dmarc.yourdomain.com. It instructs receiving mail servers what to do when SPF or DKIM checks fail, and it enables aggregate and forensic reporting so domain owners can monitor authentication failures and abuse attempts.
; DMARC policy TXT record
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; pct=100"
; p=none — monitor only, no enforcement
; p=quarantine — deliver to spam folder
; p=reject — reject the message entirelyDomain Ownership Verification
Google Search Console, Microsoft 365, SSL certificate authorities, and many SaaS platforms verify domain ownership by asking you to publish a specific TXT record. The verification service then queries DNS, finds the expected string, and confirms you control the domain.
; Domain verification examples
example.com. 3600 IN TXT "google-site-verification=U8bJxxxxxxxxxxxxxxxxxxx"
example.com. 3600 IN TXT "MS=ms12345678"
example.com. 3600 IN TXT "adobe-sign-verification=xxxxxxxxxxxxxxxxxxxxxxxx"Multiple TXT Records
A single domain can carry multiple TXT records at the same name. This is normal and expected — most production domains have at least three or four TXT records at the root: an SPF record, one or more verification tokens, and possibly others. Each TXT record is a separate entry in the zone.
v=spf1) per domain name. If multiple SPF records exist, mail servers will produce a "PermError" and may treat all email from your domain as unauthorized. Combine all SPF mechanisms into a single record.How to Check TXT Records
Use the ShowDNS TXT Lookup tool to view all TXT records for any domain. The tool queries the authoritative nameservers and returns the complete content of every TXT record, including SPF, DKIM selectors, DMARC policies, and verification tokens. You can also use the general DNS Lookup tool and select TXT as the record type.
; Query all TXT records with dig
dig example.com TXT
;; ANSWER SECTION:
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
example.com. 3600 IN TXT "google-site-verification=abc123xyz"
; Query DMARC record
dig _dmarc.example.com TXT
; Query DKIM record (replace 'google' with your selector)
dig google._domainkey.example.com TXTFrequently Asked Questions
Can TXT records affect my website or email?
TXT records themselves do not affect routing — they contain no address information. However, their content is read and acted upon by external services. An incorrect SPF record can cause legitimate email to be rejected. A wrong DMARC policy can cause email to be quarantined. A missing verification token can prevent a service from confirming domain ownership. TXT records have real operational consequences even though they are purely informational in format.
How do I add multiple SPF senders to one record?
Add each sender using the include: mechanism in a single SPF TXT record. For example:"v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com ~all". Do not create separate TXT records for each sender — that would create multiple SPF records, which causes a PermError. Note that SPF has a limit of 10 DNS lookups per evaluation, so very largeinclude chains may need consolidation.
What is a DKIM selector?
A DKIM selector is a label that identifies which public key to use for signature verification. Email providers can rotate keys by using different selectors. The selector is included in the email's DKIM-Signature header, and the receiving server uses it to construct the DNS query: selector._domainkey.yourdomain.com. Common selectors are named "google", "mail", "s1", or "default".
How long should TXT record TTLs be?
For stable records like SPF and DMARC policies, a TTL of 3600 (1 hour) to 86400 (24 hours) is appropriate. For verification tokens that you plan to add and remove during an onboarding process, a shorter TTL of 300–600 seconds helps the records appear and disappear more quickly. DKIM keys can use longer TTLs since they change infrequently.
Can I use TXT records for custom data?
Yes — TXT records were originally designed for exactly this kind of free-form annotation. You can store any text you like, and it will be publicly visible to anyone who queries DNS. Some organizations use TXT records to publish contact information, abuse reporting addresses, or internal metadata. Just be aware that TXT record content is public and visible to anyone on the internet.