What Are DNS TXT Records?
DNS TXT (text) records are a type of DNS resource record that allows domain owners to store arbitrary text data in their DNS zone. Originally designed for human-readable notes, TXT records have become the backbone of email authentication — hosting SPF, DKIM, and DMARC policies that protect your domain from abuse.
Unlike MX or A records, TXT records have no specific technical function at the network level. Their meaning is entirely determined by the applications that read and interpret them.
How Email Authentication Uses TXT Records
Each of the three major email authentication standards uses DNS TXT records in a slightly different way:
SPF TXT Record
Published at the root of your domain (e.g., example.com), the SPF record lists authorized sending IP addresses and services.
- Host/Name: @ or example.com
- Type: TXT
- Value: v=spf1 include:_spf.google.com ~all
DKIM TXT Record
Published at a selector subdomain under _domainkey. The selector is chosen by your email provider and allows multiple keys to coexist.
- Host/Name: selector._domainkey.example.com
- Type: TXT
- Value: v=DKIM1; k=rsa; p=MIGfMA0G...
DMARC TXT Record
Published at the _dmarc subdomain of your domain, this record defines your DMARC policy and reporting addresses.
- Host/Name: _dmarc.example.com
- Type: TXT
- Value: v=DMARC1; p=reject; rua=mailto:reports@example.com
Common DNS Providers: Where to Add TXT Records
| Provider | Where to Find DNS Settings |
|---|---|
| Cloudflare | Dashboard → Your Domain → DNS → Add Record |
| GoDaddy | My Products → DNS → Add Record → TXT |
| AWS Route 53 | Hosted Zones → Your Domain → Create Record |
| Namecheap | Domain List → Manage → Advanced DNS → Add New Record |
| Google Domains | Manage → DNS → Custom Records → Create New Record |
Understanding TTL (Time to Live)
Every DNS record has a TTL value that controls how long resolvers cache the record before checking for updates. For email authentication records:
- During setup/testing: Use a low TTL (e.g., 300 seconds / 5 minutes) so changes propagate quickly.
- Once stable: Increase to 3600 (1 hour) or higher for better performance.
- Typical default: Most providers default to 3600 seconds.
DNS Propagation: What to Expect
After publishing or updating a TXT record, changes don't take effect instantly worldwide. DNS propagation can take:
- A few minutes if your previous TTL was short
- Up to 48 hours in worst-case scenarios with high TTLs or slow resolvers
You can check propagation progress using public tools like Google's Dig tool or MXToolbox to query DNS from multiple global locations.
Troubleshooting Common TXT Record Issues
Multiple SPF Records
Having more than one TXT record starting with v=spf1 on the same domain will cause an SPF PermError. Always merge multiple SPF entries into a single record.
DKIM Record Not Found
If a DKIM lookup fails, double-check the selector name. It must match exactly what your email sending service expects (e.g., google._domainkey vs mail._domainkey).
Quoted Strings in TXT Records
Some DNS providers automatically add quotes around TXT record values. This is normal — the quotes are part of the DNS format and should not affect functionality.
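The troubleshooting checks above can be run offline against TXT data copied from a DNS tool. The following is an added example, not part of the original page: it joins quoted strings into the logical record value, flags more than one SPF record at a name, and flags a DKIM record with no key. The records in SAMPLE_ZONE are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample (not real records): TXT data per name as a DNS tool or
# provider UI would display it, quotes included.
SAMPLE_ZONE = {
    "example.com": [
        '"v=spf1 include:_spf.google.com ~all"',
        '"v=spf1 ip4:192.0.2.10 -all"',  # second SPF record: the PermError case
        '"site-verification=constructed-token"',
    ],
    "selector._domainkey.example.com": [
        '"v=DKIM1; k=rsa; " "p=CONSTRUCTEDKEYPART1" "CONSTRUCTEDKEYPART2"',
    ],
    "_dmarc.example.com": ['"v=DMARC1; p=reject; rua=mailto:reports@example.com"'],
}

def txt_value(rdata):
    """Join the quoted strings of one TXT record into its logical value."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:  # value shown without quotes
        return rdata.strip()
    # Strings are concatenated with no separator (RFC 7208 section 3.3).
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)

def is_spf(value):
    """True if the value is an SPF record: 'v=spf1' alone or followed by a space."""
    v = value.lower()
    return v == "v=spf1" or v.startswith("v=spf1 ")

def check_name(name, rdatas):
    """Return findings for the TXT record set published at one name."""
    values = [txt_value(r) for r in rdatas]
    findings = []
    spf_count = sum(is_spf(v) for v in values)
    if spf_count > 1:
        findings.append(f"{name}: {spf_count} SPF records (PermError), merge into one")
    if "._domainkey." in name:
        for v in values:
            tags = {k.strip(): val.strip() for k, val in
                    (t.split("=", 1) for t in v.split(";") if "=" in t)}
            if not tags.get("p"):
                findings.append(f"{name}: DKIM record has an empty or missing p= tag")
    return findings

def audit(zone):
    return [f for name, rdatas in zone.items() for f in check_name(name, rdatas)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE):
        print(finding)
```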
Best Practices Summary
- Always verify records after publishing using DNS lookup tools
- Use low TTLs during initial configuration
- Keep only one SPF record per domain
- Use descriptive DKIM selectors (e.g., google, sendgrid) for easy management
- Document your DNS changes with dates and reasons