DNS TXT Record: SPF, DKIM, DMARC & Verification
A DNS TXT record stores arbitrary text against a domain name. Originally meant for human-readable notes, it has become the workhorse behind email authentication (SPF, DKIM, DMARC) and domain ownership verification. If a service ever asked you to "add this TXT record to your DNS to verify your domain," this is the record they meant.
What is a TXT record?
Defined in RFC 1035, a TXT record simply holds one or more text strings. DNS itself does not interpret them — meaning comes from whatever software reads the record. That flexibility is why TXT records now anchor most of modern email security and countless verification checks.
TXT record structure and example
example.com. 3600 IN TXT "v=spf1 include:_spf.example-mail.com ~all"
example.com. 3600 IN TXT "google-site-verification=Ab12Cd34Ef56"
| Field | Meaning |
|---|---|
| Name | The hostname the record is attached to — often the apex, or a subdomain like _dmarc.example.com. |
| Type | Always TXT. |
| Value | A quoted text string. A single string is capped at 255 characters; longer values are split into multiple concatenated strings. |
What TXT records are used for
- SPF — lists which servers may send mail for the domain (
v=spf1 ...), published on the apex. - DKIM — publishes the public key that verifies message signatures, on a selector subdomain like
selector._domainkey.example.com. - DMARC — sets the policy for handling mail that fails SPF/DKIM, on
_dmarc.example.com(v=DMARC1; p=reject; ...). - Domain verification — proves you control a domain to Google, Microsoft, and many SaaS tools via a one-off token string.
How to check a domain's TXT records
# dig (Linux/macOS)
dig example.com TXT +short
# just the DMARC policy
dig _dmarc.example.com TXT +short
# nslookup (Windows)
nslookup -type=TXT example.com
To read a domain's TXT records alongside its MX and address records in one place, use the free DNS lookup tool.
Common TXT record problems
- More than one SPF record. A domain must have exactly one SPF TXT record. Publishing two makes SPF fail — merge them into a single
v=spf1line. - Broken long values. A value over 255 characters must be split into properly quoted chunks; a naive paste can corrupt DKIM keys.
- Verification token removed too early. Deleting a verification TXT record after setup can revoke access to the connected service.
- Wrong host for DMARC/DKIM. DMARC lives on
_dmarcand DKIM on a selector subdomain — placing them on the apex silently disables them.
Related DNS records
TXT records complete the email picture set up by MX records and checked against PTR reverse DNS. They attach to names resolved by A and AAAA records within a zone defined by its SOA record.
Frequently asked questions
Can a domain have multiple TXT records?
Yes — a domain commonly has several (SPF, verification tokens, and more). The one exception is SPF: there must be only a single SPF TXT record.
What is the maximum length of a TXT record?
A single string is limited to 255 characters. Longer content, such as a DKIM key, is stored as multiple concatenated strings within the same record.
Are TXT records public?
Yes. Like all DNS records they are publicly queryable, so never store secrets in them — only data meant to be read openly, such as SPF policy or verification tokens.