
ExpressVPN Glossary

DNS TXT record

What is a DNS TXT record?

A Domain Name System (DNS) TXT record is a type of DNS resource record that stores text information defined by the domain administrator. Because it can hold text, it is commonly used to publish both human-readable notes and machine-readable data, such as verification tokens and configuration settings.

How does a DNS TXT record work?

A DNS TXT record is added to a domain’s DNS settings. When a service needs the information, it queries the DNS for the TXT record associated with the domain or a specific subdomain. The DNS response returns the text value, and the requesting service reads and validates the content according to its own rules. TXT record values may be stored as one or more strings, depending on the DNS provider and record length.

[Figure: How a DNS TXT record works.]

Why is a DNS TXT record important?

A DNS TXT record enables a domain owner to publish text that external systems can retrieve via DNS. This provides a way to share public information or instructions without operating a separate service.

Where is a DNS TXT record used?

DNS TXT records support a variety of use cases, most notably email authentication. Three common protocols depend on them:

  • Sender Policy Framework (SPF): Lists the mail servers authorized to send email from a domain.
  • DomainKeys Identified Mail (DKIM): Publishes a public key used to verify a domain’s email signature and check that signed parts of a message weren't changed after signing.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC): Tells receivers how to handle messages that fail its checks, which combine SPF and DKIM results with domain alignment.

Beyond email, TXT records are also used for domain ownership verification, such as by certificate authorities or cloud platforms, and for storing application-specific configuration data.

Risks and privacy concerns

  • Misconfiguration: Conflicting or multiple TXT records, such as multiple SPF records for the same domain, can cause authentication errors and disrupt legitimate email delivery.
  • Exposed data: DNS records are publicly visible. Placing sensitive information, such as API keys or internal identifiers, in TXT records may expose them to attackers.
  • Weak policies: Lenient email authentication settings, such as an SPF record with +all, can authorize any sender and allow spoofed messages to pass SPF validation.
  • Stale entries: Outdated records left in place can cause inconsistent behavior, including verification failures or reliance on deprecated configuration details.
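The SPF problems listed above (more than one SPF record on a domain, and a permissive +all) can be checked mechanically. The following Python example is added here and is not part of the glossary; it runs over constructed TXT values rather than a live DNS lookup, and the domain names and verification token are placeholders.

```python
# Added example, not from the glossary: audit a domain's TXT records for the
# SPF misconfigurations described above. Records are constructed inline so the
# script runs offline; a resolver would return the same shape of data.

# Constructed sample: each TXT record is a tuple of character-strings, as a
# resolver returns them (long values such as DKIM keys span several strings).
SAMPLE_TXT = {
    "example.test": [
        ("v=spf1 include:_spf.mailprovider.test ", "-all"),
        ("v=spf1 +all",),
        ("google-site-verification=CONSTRUCTED-TOKEN",),
    ],
    "clean.test": [
        ("v=spf1 mx ~all",),
    ],
}


def join_strings(parts):
    """Concatenate the character-strings of one TXT record into its text value."""
    return "".join(parts)


def spf_records(records):
    """Return the TXT values that form an SPF policy (they must begin with 'v=spf1')."""
    values = [join_strings(r) for r in records]
    return [v for v in values if v.lower() == "v=spf1" or v.lower().startswith("v=spf1 ")]


def audit_spf(records):
    """Return a list of findings for the SPF policy published in these TXT records."""
    findings = []
    spf = spf_records(records)
    if not spf:
        findings.append("no SPF record")
        return findings
    if len(spf) > 1:
        # Receivers treat more than one SPF record as a permanent error.
        findings.append("multiple SPF records (permerror for receivers)")
    for policy in spf:
        terms = policy.lower().split()
        # The trailing 'all' mechanism decides how unlisted senders are treated;
        # a bare 'all' carries the default '+' qualifier, so it is just as open.
        if "+all" in terms or "all" in terms:
            findings.append("'+all' authorizes any sender: spoofing passes SPF")
        elif "?all" in terms:
            findings.append("'?all' is neutral: unlisted senders are not failed")
    return findings


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(domain, audit_spf(records) or ["ok"])
```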

FAQ

What is a DNS TXT record used for?

A TXT record stores text for a domain and is commonly used for domain verification and email authentication protocols, which publish authorized senders, public keys, and handling policies.

Is a Domain Name System (DNS) TXT record the same as SPF?

No. Sender Policy Framework (SPF) is an email authentication protocol that uses a TXT record to publish a list of permitted mail sources. A TXT record can carry many other types of data beyond SPF.

Can a domain have multiple TXT records?

Yes. A domain may publish multiple TXT records for separate purposes. However, only one Sender Policy Framework (SPF) policy should be present for the same domain or subdomain; multiple SPF records are not permitted and can cause SPF validation errors.

Are DNS TXT records public?

Yes, the Domain Name System (DNS) is a public hierarchical database, so any TXT record published in a domain can be queried by anyone.

How do TXT records help prevent phishing?

TXT records help reduce phishing by supporting email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). These records help email receivers check whether a message is authorized and decide whether to accept, quarantine, or reject messages that fail authentication and alignment checks.