Easy DNS TXT Record Lookup How-To

A dns txt lookup retrieves DNS Text (TXT) records associated with a domain. These records store human-readable text information for various purposes. Security engineers use TXT records for domain ownership verification, email authentication, and publishing security policies. This technique helps validate domain control and identify potential misconfigurations or malicious activity.
dns txt lookup: Step-by-Step Usage
You can perform a dns txt lookup using standard command-line tools available on most operating systems. These tools query DNS servers directly. The output shows all TXT records for the specified domain.
Using dig
The dig command is a flexible tool for querying DNS name servers. Specify the domain and record type "TXT".
dig secably.com TXT +short
This command requests TXT records for secably.com. The +short option cleans up the output, showing only the record data.
"v=spf1 include:_spf.secably.com ~all"
"google-site-verification=some_verification_string"
"some_other_txt_record_data"
Remove +short for a more verbose output, including server information and query details.
dig secably.com TXT
; <<>> DiG 9.16.1 <<>> secably.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;secably.com. IN TXT
;; ANSWER SECTION:
secably.com. 300 IN TXT "v=spf1 include:_spf.secably.com ~all"
secably.com. 300 IN TXT "google-site-verification=some_verification_string"
secably.com. 300 IN TXT "some_other_txt_record_data"
;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 01 12:00:00 UTC 2026
;; MSG SIZE rcvd: 200
You can also specify a particular DNS server for the query. This helps when troubleshooting propagation issues or checking specific server responses.
dig @8.8.8.8 secably.com TXT +short
Using nslookup
nslookup is another common command-line utility for querying DNS. It offers an interactive mode and a non-interactive mode.
For non-interactive use, specify the record type and domain.
nslookup -type=TXT secably.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
secably.com text = "v=spf1 include:_spf.secably.com ~all"
secably.com text = "google-site-verification=some_verification_string"
secably.com text = "some_other_txt_record_data"
To use interactive mode, type nslookup, then set the type and query the domain.
nslookup
> set type=TXT
> secably.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
secably.com text = "v=spf1 include:_spf.secably.com ~all"
secably.com text = "google-site-verification=some_verification_string"
secably.com text = "some_other_txt_record_data"
> exit
Using host
The host command provides a simpler interface for DNS lookups. It defaults to an informative output format.
host -t TXT secably.com
secably.com descriptive text "v=spf1 include:_spf.secably.com ~all"
secably.com descriptive text "google-site-verification=some_verification_string"
secably.com descriptive text "some_other_txt_record_data"
Using Secably's Online DNS Lookup Tool
For quick checks without the command line, Secably offers a free DNS lookup tool. Navigate to the tool, enter the domain name, and select "TXT" as the record type. The tool performs the lookup and displays the results in a user-friendly format. This is useful for team members without direct command-line access or for rapid verification. The online tool provides similar information to a dig query, including TTL and record content, often with additional context or explanations for common record types like SPF or DMARC.
Common Use Cases for dns txt lookup
TXT records play a critical role in various security and operational functions. Understanding these use cases helps practitioners identify and address potential vulnerabilities or misconfigurations.
Email Authentication (SPF, DKIM, DMARC)
Email authentication protocols heavily rely on TXT records to prevent spoofing and phishing. SPF, DKIM, and DMARC records are essential for validating legitimate email senders.
- Sender Policy Framework (SPF): An SPF record specifies which mail servers are authorized to send email on behalf of a domain. This prevents spammers from sending emails that appear to originate from your domain.
dig secably.com TXT +short | grep spf
"v=spf1 include:_spf.secably.com ~all"
This SPF record indicates that only mail servers listed in _spf.secably.com are authorized. The ~all mechanism means "softfail" for unauthorized senders.
- DomainKeys Identified Mail (DKIM): DKIM adds a digital signature to outgoing emails, allowing recipients to verify that the email was not altered in transit and came from the claimed domain. DKIM records are usually found under a selector subdomain, like s1._domainkey.example.com.
dig s1._domainkey.secably.com TXT +short
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDz..."
The p= tag contains the public key used to verify the email signature. Regularly checking DKIM records ensures proper email authentication. Secably's blog post DKIM Key Checker: Ensure Email Authentication (Updated 2026) provides further details on validating these records.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC builds upon SPF and DKIM, providing instructions to receiving mail servers on how to handle emails that fail authentication (e.g., quarantine, reject). It also enables reporting on email authentication failures.
dig _dmarc.secably.com TXT +short
"v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
This DMARC policy tells receivers to quarantine emails failing authentication. It also sends aggregate reports to [email protected] and forensic reports to [email protected].
Domain Ownership Verification
Many services, such as Google Workspace, Microsoft 365, and various website hosting platforms, require domain ownership verification. They often provide a unique string to add as a TXT record. Performing a dns txt lookup confirms the record's presence and correct value.
dig secably.com TXT +short | grep google-site-verification
"google-site-verification=some_verification_string"
This confirms the domain is verified with Google. Security teams verify these records when onboarding new services or troubleshooting access issues.
MTA-STS (Mail Transfer Agent Strict Transport Security)
MTA-STS helps ensure that email traffic between mail servers uses secure TLS connections. It helps prevent downgrade and man-in-the-middle attacks on SMTP delivery. MTA-STS uses a TXT record to announce the policy's existence and location.
dig _mta-sts.secably.com TXT +short
"v=STSv1; id=20260101000000"
The id tag is a policy identifier, typically a timestamp. Receivers fetch the actual policy from a well-known URL after seeing this TXT record. Regular checks ensure this policy remains active and updated.
Other Security Policies and Information
Organizations can use TXT records to publish other security-related information. This includes PGP keys for security contacts, security policy URLs, or even custom internal verification strings.
dig security.secably.com TXT +short
"security_contact_pgp=0xDEADBEEF"
"security_policy_url=https://secably.com/security-policy"
This allows quick public access to security-relevant data. Attackers might also use TXT records to store command-and-control (C2) information or exfiltrate data, making monitoring critical.
Troubleshooting Common Issues
TXT record lookups can sometimes present unexpected results. Understanding common issues helps in quick diagnosis and resolution.
No TXT Records Found
If a lookup returns no TXT records, it could mean several things:
- Record does not exist: The domain simply has no TXT records configured. This is common for new domains or domains not using services that require TXT records.
- Incorrect domain or subdomain: Double-check the domain or subdomain spelling. A simple typo prevents a successful lookup. For example, _dmarc.exmaple.com instead of _dmarc.example.com.
- DNS propagation delay: If you recently added or modified a TXT record, it might take time to propagate across DNS servers. Propagation can take minutes to hours, depending on TTL settings and DNS provider infrastructure. Use dig @specific_nameserver domain TXT to check your authoritative server directly.
- Wrong record type: Ensure you are explicitly requesting TXT records. Using default settings for tools like nslookup might only show A or AAAA records.
Incorrect or Truncated Output
Sometimes, a TXT record might appear malformed or incomplete:
- String length limits: DNS TXT records have a maximum length. While a single TXT record can be up to 65535 characters, it is usually broken into multiple strings of up to 255 characters each. If your record exceeds this, it might appear truncated or split. DNS clients usually concatenate these strings; if not, you might only see the first part. For example, a long SPF record might split into "v=spf1 include:..." "another_part...".
- Syntax errors: Malformed records (e.g., missing quotes, incorrect delimiters) can cause issues. DNS servers might still publish them, but applications parsing them will fail. Review the record content at your DNS provider.
- DNSSEC validation issues: If DNSSEC is enabled and misconfigured, it can lead to validation failures, causing some resolvers to refuse to serve the record. Check DNSSEC status for the domain.
DNS Caching Issues
DNS resolvers cache records to improve performance. Stale cache entries can show old TXT records. This is particularly relevant when troubleshooting recent changes.
- Clear local DNS cache: On Windows, use ipconfig /flushdns. On macOS, use sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder. On Linux, restart the caching service if one is running (e.g., sudo systemctl restart systemd-resolved).
- Query a different resolver: Use public DNS resolvers like Google (8.8.8.8) or Cloudflare (1.1.1.1) to bypass your local or ISP's cache.
- Check TTL: The Time-To-Live (TTL) value indicates how long a record should be cached. Lower TTLs (e.g., 300 seconds) mean faster propagation. High TTLs (e.g., 86400 seconds) mean longer cache times.
Firewall or Network Blocking
Your network firewall or local security software might block outbound DNS queries, particularly on port 53 (UDP/TCP). This prevents successful lookups.
- Test connectivity: Use nc -uz 8.8.8.8 53 (for UDP) or nc -vz 8.8.8.8 53 (for TCP) to check if you can reach a public DNS server.
- Consult network administrator: If connectivity is blocked, contact your network team to allow DNS traffic.
Pro Tips for Advanced Usage
Beyond basic lookups, advanced techniques enhance the utility of dns txt lookup for security practitioners. These methods help automate tasks, improve monitoring, and provide deeper insights.
Scripting TXT Lookups for Bulk Analysis
Automate TXT record checks for multiple domains. This is useful for monitoring your organization's entire attack surface or for reconnaissance on target organizations. A simple shell script can iterate through a list of domains.
#!/bin/bash
DOMAIN_LIST="domains.txt"            # File containing one domain per line
OUTPUT_FILE="txt_records_report.csv"
echo "Domain,RecordType,RecordContent" > "$OUTPUT_FILE"
while IFS= read -r domain; do
    [[ -z "$domain" ]] && continue   # skip blank lines in the list
    echo "Processing $domain..."
    dig "$domain" TXT +short | while IFS= read -r line; do
        if [[ -n "$line" ]]; then
            # dig prints the record inside double quotes; double any quote
            # so the quoted CSV field stays valid for spreadsheet and CSV parsers
            echo "$domain,TXT,\"${line//\"/\"\"}\"" >> "$OUTPUT_FILE"
        fi
    done
done < "$DOMAIN_LIST"
echo "Report generated: $OUTPUT_FILE"
This script reads domains from domains.txt and outputs all TXT records to a CSV file. Modify the dig command to include other record types or specific subdomains like _dmarc.$domain. This systematic approach is key for Secably in its attack surface management and EASM offerings.
Combining with Other Tools
Integrate TXT lookups with text processing tools like grep, awk, and sed for targeted information extraction. This helps filter noise and focus on specific data points.
- Extracting SPF records:
dig secably.com TXT +short | grep "v=spf1"
"v=spf1 include:_spf.secably.com ~all"
- Extracting DMARC policy from a report URL:
dig _dmarc.secably.com TXT +short | awk -F'rua=' '{print $2}' | awk -F';' '{print $1}'
mailto:[email protected]
These commands streamline data analysis, especially when dealing with verbose DNS outputs or multiple records.
Monitoring Changes in TXT Records
TXT records, particularly SPF, DKIM, and DMARC, are critical security controls. Unauthorized changes can indicate compromise or lead to email deliverability issues. Implement continuous monitoring.
- Scheduled checks: Run the bulk script (from above) daily or weekly. Compare current results with a baseline. Alert on discrepancies.
- Version control: Store TXT record outputs in a version control system (e.g., Git). This provides a history of changes and simplifies rollback or investigation.
- Hash comparison: Calculate hashes of TXT record content and compare them. A change in hash indicates a modification.
# Baseline saved earlier with the same pipeline:
#   dig secably.com TXT +short | sort | md5sum > baseline_secably_txt.md5
CURRENT_TXT=$(dig secably.com TXT +short | sort | md5sum)
# ... later ...
PREVIOUS_TXT=$(cat baseline_secably_txt.md5)
if [ "$CURRENT_TXT" != "$PREVIOUS_TXT" ]; then
    echo "ALERT: TXT records for secably.com have changed!"
fi
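A hash mismatch only says that something changed. As an added example (not code from the original page), the script below keeps a per-domain baseline and reports exactly which TXT records appeared or disappeared, ignoring record order, which resolvers do not guarantee. The baseline file name and the save/check sub-commands are my own conventions.

```shell
#!/bin/sh
# Added example, not code from the original page: instead of a bare hash
# mismatch, report which TXT records were added or removed since the baseline.
# The baseline file name and the save/check sub-commands are my own conventions.

# Sort and de-duplicate a newline-separated record set so that record order,
# which resolvers do not guarantee, never counts as a change.
normalise_txt() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -u
}

# Compare baseline and current sets. Prints "- record" for entries that
# disappeared and "+ record" for new ones; returns 1 when anything changed.
diff_txt_sets() {
    b=$(mktemp) && c=$(mktemp) || return 2
    normalise_txt "$1" > "$b"
    normalise_txt "$2" > "$c"
    # comm -3 keeps only lines unique to one file; lines from file 2 are tab-prefixed
    changes=$(comm -3 "$b" "$c" |
        awk -F'\t' '$1 != "" { print "- " $1 } $1 == "" { print "+ " $2 }')
    rm -f "$b" "$c"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Save the current records of a domain as its baseline (needs dig).
save_baseline() {
    dig "$1" TXT +short | sort -u > "baseline_$1.txt"
}

# Check a domain against its baseline; a non-zero exit status means alert.
check_domain() {
    diff_txt_sets "$(cat "baseline_$1.txt")" "$(dig "$1" TXT +short)"
}

# Usage: sh txt_baseline.sh save secably.com, later sh txt_baseline.sh check secably.com
case "${1:-}" in
    save)  save_baseline "$2" ;;
    check) check_domain "$2" ;;
esac
```

Run the check from cron and alert on a non-zero exit; the printed +/- lines tell the responder what changed, for example an SPF record that went from ~all to +all.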
Using Specific DNS Resolvers
Querying specific DNS resolvers helps verify propagation, troubleshoot regional issues, or test responses from different providers. Public resolvers like Google (8.8.8.8) or Cloudflare (1.1.1.1) are common. You might also query your organization's internal DNS servers.
dig @1.1.1.1 secably.com TXT +short
dig @my_internal_dns_server.local secably.com TXT +short
This isolates problems to specific parts of the DNS infrastructure. For internet-wide scanning and broader reconnaissance, tools like Zondex provide extensive data beyond simple lookups, helping to discover exposed services and misconfigurations across many domains.
Leveraging DNS Lookup Tools for Subdomains
TXT records can also exist on subdomains. Attackers often use subdomains for phishing or C2 infrastructure. Regularly checking TXT records on discovered subdomains is essential. Use tools like Secably's subdomain discovery tool to enumerate subdomains, then script TXT lookups for each. This expanded scope provides a more complete view of your organization's DNS posture.
Checking for DNS-based C2 Indicators
Malware often uses DNS TXT records for command and control (C2) communications or data exfiltration. The malware might encode commands or data within TXT records. Security analysts can monitor TXT records for suspicious patterns, unusual lengths, or frequently changing values on domains associated with potential threats. Look for domains that shouldn't have TXT records or records with strange encoding patterns.
dig suspicious-c2-domain.com TXT +short
"payload=0x4a7b9c2d..."
"cmd=get_config"
Identifying such patterns requires a baseline of normal activity and vigilance for anomalies. This proactive monitoring helps detect advanced persistent threats (APTs) and other sophisticated attacks.
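As an added example (not code from the original page), the script below turns the indicators described above into a repeatable triage step: each TXT string is labelled ok (a recognised record family), review (unrecognised but unremarkable) or suspicious, with the reasons (unusual length, hex- or base64-looking runs, high entropy). The KNOWN prefix list, the thresholds and the labels are my own starting points and should be tuned to a baseline of the records your domains normally carry.

```shell
#!/bin/sh
# Added example, not code from the original page: triage TXT strings for the
# traits listed above (no recognised record family, unusual length, hex- or
# base64-looking content, high entropy). The KNOWN list, the thresholds and
# the ok/review/suspicious labels are my own starting points; tune them to a
# baseline of the records your domains normally carry.

# Shannon entropy in bits per character; read from stdin so backslashes survive.
entropy() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        n = length($0); h = 0
        for (i = 1; i <= n; i++) c[substr($0, i, 1)]++
        for (k in c) { p = c[k] / n; h -= p * log(p) / log(2) }
        printf "%.2f\n", h }'
}

# Record families that are expected on most domains (extend with your own).
KNOWN='^(v=spf1|v=DKIM1|v=DMARC1|v=STSv1|v=TLSRPTv1|google-site-verification=)'

# Classify one unquoted TXT string: prints "ok", "review" or
# "suspicious:<reasons>" and returns 1 only in the last case.
classify_txt() {
    rec=$1; len=${#rec}; why=""
    printf '%s\n' "$rec" | grep -Eq "$KNOWN" && { echo ok; return 0; }
    [ "$len" -le 200 ] || why="$why length=$len"
    printf '%s\n' "$rec" | grep -Eq '[0-9a-fA-F]{32,}' && why="$why hex-like"
    printf '%s\n' "$rec" | grep -Eq '[A-Za-z0-9+/]{40,}={0,2}' && why="$why base64-like"
    e=$(entropy "$rec")
    if [ "$len" -ge 32 ] && awk -v e="$e" 'BEGIN { exit !(e > 4.5) }'; then
        why="$why entropy=$e"
    fi
    [ -n "$why" ] || { echo review; return 0; }
    echo "suspicious:$why"
    return 1
}

# Scan every TXT record of a domain (needs dig): sh txt_triage.sh example.com
scan_domain() {
    dig "$1" TXT +short | sed 's/" "//g; s/^"//; s/"$//' | while IFS= read -r r; do
        printf '%s\t%s\n' "$(classify_txt "$r" || true)" "$r"
    done
}
[ $# -eq 0 ] || scan_domain "$1"
```

Because DKIM keys are long base64 blobs, the KNOWN check runs first; a flagged record is a prompt for analyst review against the domain's history, not a verdict on its own.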