What is a DNS TXT record?
The DNS ‘text’ (TXT) record lets a domain administrator enter text into the Domain Name System (DNS). The TXT record was originally intended as a place for human-readable notes. However, now it is also possible to put some machine-readable data into TXT records. One domain can have many TXT records.
Example of a TXT record:
| Name | Type | Value | TTL |
| @ | TXT | This is an awesome domain! Definitely not spammy. | 32600 |
Today, two of the most important uses for DNS TXT records are email spam prevention and domain ownership verification, although TXT records were not designed for these uses originally.
What kind of data can go in a TXT record?
The original RFC only indicates that 'text strings' go in the 'value' field of a TXT record. This could be any text that an administrator wants to associate with their domain.
Most DNS servers will put a limit on how big TXT records can be and how many records they can store, so administrators cannot use TXT records for large amounts of data.
What is the official format for storing data in a TXT record?
In 1993, the Internet Engineering Task Force (IETF) defined a format for storing attributes and their corresponding values within the 'value' field of TXT records. The format is simply the attribute and the value, contained within quotation marks (") and separated by an equal sign (=). RFC 1464, the 1993 document that defines this format, includes examples such as:
| Name | Type | Value |
| @ | TXT | "favorite drink=orange juice" |
However, this definition was considered experimental, and in practice it is not often adopted. Some DNS administrators follow their own formats within TXT records, if they make use of TXT records at all. TXT records may also be formatted in a specific way for certain uses described below — for instance, DMARC policies have to be formatted in a standardized way.
How do TXT records help prevent email spam?
Spammers often try to fake or forge the domains from which they send their email messages. TXT records are a key component of several different email authentication methods that help an email server determine if a message is from a trusted source.
Common email authentication methods include Domain Keys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting & Conformance (DMARC). By configuring these records, domain operators can make it more difficult for spammers to spoof their domains and can track attempts to do so.
SPF records: SPF TXT records list all the servers that are authorized to send email messages from a domain.
DKIM records: DKIM works by digitally signing each email using a public-private key pair. This helps verify that the email is actually from the domain it claims to be from. The public key is hosted in a TXT record associated with the domain. (Learn more about public key encryption.)
DMARC records: DMARC TXT records can be set up once DKIM and SPF are configured. A DMARC TXT record should be stored under the title _dmarc.example.com. with 'example.com' replaced with the actual domain name. The 'value' of the record is the domain's DMARC policy (a guide to creating one can be found here).
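As an added example (not code from the original article), the following Python classifies the TXT records a zone publishes using the RFC 1464 attribute=value format described above and the SPF, DKIM and DMARC conventions from this section, pulling out the fields a mail receiver checks. The owner names, the 192.0.2.0/24 address range and the DKIM key value are constructed placeholders.

```python
# Added example: classify a zone's TXT records and extract SPF/DKIM/DMARC/RFC 1464 fields.
def parse_tags(value):
    """Parse the 'tag=value; tag=value' syntax used by DKIM and DMARC records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def parse_rfc1464(value):
    """Split 'attribute=value' on the first '=' not escaped by a backquote (RFC 1464's escape)."""
    attr, i = [], 0
    while i < len(value):
        if value[i] == "`" and i + 1 < len(value):  # escaped character, keep it literally
            attr.append(value[i + 1]); i += 2
        elif value[i] == "=":
            return "".join(attr), value[i + 1:]
        else:
            attr.append(value[i]); i += 1
    return None  # no unescaped '=' at all: not an attribute/value record

def classify_txt(name, value):
    """Describe what kind of TXT record (owner name, value) is and its key fields."""
    name, v = name.lower().rstrip("."), value.strip()
    if v.lower().startswith("v=spf1"):
        mechanisms = v.split()[1:]
        # the qualifier on the 'all' mechanism decides what happens to unlisted senders
        all_mech = next((m for m in mechanisms if m.lstrip("+-~?").lower() == "all"), None)
        return {"kind": "spf", "mechanisms": mechanisms, "all": all_mech}
    if name.startswith("_dmarc.") and v.lower().startswith("v=dmarc1"):
        tags = parse_tags(v)
        return {"kind": "dmarc", "policy": tags.get("p"), "rua": tags.get("rua")}
    if "._domainkey." in name and "p=" in v:
        tags = parse_tags(v)  # an empty p= tag means the selector's key has been revoked
        return {"kind": "dkim", "selector": name.split("._domainkey.")[0],
                "key_present": bool(tags.get("p"))}
    pair = parse_rfc1464(v)
    if pair:
        return {"kind": "attribute", "attribute": pair[0], "value": pair[1]}
    return {"kind": "text", "value": v}

# Constructed sample zone as (owner name, TXT value) pairs; the DKIM key is a placeholder.
SAMPLE_ZONE = [
    ("example.com.", "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"),
    ("_dmarc.example.com.", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("sel1._domainkey.example.com.", "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"),
    ("example.com.", "favorite drink=orange juice"),
    ("example.com.", "This is an awesome domain! Definitely not spammy."),
]
```

Running `classify_txt` over `SAMPLE_ZONE` yields one dict per record; an SPF record whose `all` field is missing or `+all`, or a DKIM record with `key_present` False, is what a mail-posture check would flag.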
How do TXT records help verify domain ownership?
While domain ownership verification was not initially a feature of TXT records, this approach has been adopted by some webmaster tools and cloud providers.
By uploading a new TXT record with specific information included, or editing the current TXT record, an administrator can prove they control that domain. The tool or cloud provider can check the TXT record and see that it has been changed as requested. This is somewhat like when a user confirms their email address by opening and clicking a link sent to that email, proving they own the address.
Learn more about the different types of DNS records.