TXT record
A TXT record, also known as a Text record, is a type of resource record in the Domain Name System (DNS) that associates arbitrary text strings with a domain name or subdomain, allowing for the storage of human-readable notes or machine-parsable data without a predefined structure.[1] Defined in RFC 1035 as a mechanism to hold descriptive text whose semantics are domain-specific, the TXT record's resource data (RDATA) format consists of one or more character strings, where each string is prefixed by a single octet indicating its length (up to 255 octets per string, with the total RDATA limited to 65535 octets).[1] This flexible design enables TXT records to serve multiple purposes, from simple annotations to critical security functions, and multiple TXT records can exist for the same domain name to accommodate diverse needs.[1] Originally intended for optional human-readable information in DNS zones, TXT records gained broader utility through subsequent standards, such as RFC 1464, which proposed their use for storing arbitrary string-valued attributes in an experimental "attribute=value" format to distribute machine-readable data across the internet.[2] In practice, TXT records are widely employed for domain ownership verification by services like Google Workspace or Microsoft 365, where a unique text string is published and queried to confirm control over the domain.[3] They also play a pivotal role in email security protocols: for Sender Policy Framework (SPF) as defined in RFC 7208, TXT records specify authorized mail servers to combat spoofing; for DomainKeys Identified Mail (DKIM) per RFC 6376, they hold public cryptographic keys for verifying email signatures; and for Domain-based Message Authentication, Reporting, and Conformance (DMARC) under RFC 7489, they declare policies for handling authentication failures. Beyond email and verification, TXT records support other applications, such as publishing responsible disclosure policies for security vulnerabilities, providing metadata for protocols like Let's Encrypt's ACME challenge in automated certificate issuance, and DNS-based service discovery to store parameters for advertised services in local networks.[3][4] Their text-based nature allows for easy implementation and querying via standard DNS tools likedig or nslookup, making them a versatile, low-overhead component of DNS infrastructure since their standardization in 1987.[1]
Overview
Definition and Purpose
A TXT record, or text record, is a type of resource record in the Domain Name System (DNS) that allows the association of arbitrary textual information with a domain name. Defined in RFC 1035, TXT records are specifically used to hold descriptive text, where the semantics of the text depend on the domain in which it is found.[1] Initially intended for informal purposes, such as providing site administrator contact details or general host descriptions, TXT records offer a simple mechanism to store human-readable notes without imposing a rigid structure.[1] The primary purpose of TXT records is to serve as a flexible container for unstructured text strings that can be queried and retrieved via standard DNS protocols. Unlike more specialized DNS record types, such as A or AAAA records for IP address mapping or MX records for mail exchange routing, TXT records are content-agnostic and non-hierarchical, enabling the inclusion of custom key-value pairs or free-form text as needed.[1] This design makes them suitable for metadata that does not fit predefined formats, allowing administrators to attach supplementary information to domain names in a straightforward manner. Over time, the purpose of TXT records has evolved from these original informal applications to support more structured uses in various protocols, as proposed in early extensions like RFC 1464, which advocated for their use in storing attribute-value pairs to accommodate new types of information without altering core DNS infrastructure.[2] This adaptability has positioned TXT records as a versatile tool for extending DNS functionality beyond basic name resolution.Historical Development
The TXT (Text) resource record was first defined in November 1987 as part of the core Domain Name System (DNS) specifications outlined in RFC 1035, authored by Paul Mockapetris, which established the foundational framework for DNS operations including various record types for storing arbitrary textual information associated with domain names. Prior to this standardization, there was no widespread mechanism for such text-based annotations in network resource resolution, as DNS itself emerged from earlier ARPANET experiments in the late 1970s and early 1980s. In 1993, RFC 1464 proposed an experimental extension for using TXT records to store arbitrary string attributes in an "attribute=value" format, such as for administrative contact information, building on the general TXT type for more structured use cases.[2] This format allowed broader applicability without dedicated subtypes, and TXT records have continued to be used flexibly in various unstructured and semi-structured ways. During the 1990s, TXT records saw gradual adoption primarily for simple annotations like site maintenance notes or server descriptions within DNS zones, reflecting the growing maturity of the internet infrastructure. Usage surged in the 2000s alongside the rise of email anti-spam measures, with no structural modifications to the core TXT format post-RFC 1035, though its relevance expanded through protocols like Sender Policy Framework (SPF) in RFC 7208 (2014) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) in RFC 7489 (2015). As of 2025, the TXT record remains unchanged in its fundamental specification from RFC 1035, continuing to serve as a versatile carrier for textual data without any deprecation of its core functionality despite the evolution of niche applications. It has been integrated into more recent standards, such as Brand Indicators for Message Identification (BIMI) as specified in draft-ietf-authindicators-bimi (as of 2025), which leverages TXT records to associate domain brand logos with email authentication.[5]Technical Details
Resource Record Format
In DNS zone files, a TXT resource record follows the standard master file syntax: the owner name (domain), followed by the time to live (TTL), the class (typically IN for Internet), the type TXT, and the resource data (RDATA) consisting of one or more quoted strings.[6] For example, the entry might appear asexample.com. 3600 IN TXT "This is a text string", where multiple quoted strings can be provided if the total content exceeds 255 octets, and they are concatenated without intervening spaces during processing.[6]
In the wire format specified by RFC 1035, a TXT record is a standard DNS resource record with type value 16 (encoded in 2 octets), class value 1 for IN (encoded in 2 octets), TTL (4 octets), RDLENGTH (2 octets indicating the total length of the RDATA in octets), and RDATA comprising one or more length-prefixed character strings.[6] Each character string in the RDATA begins with a 1-octet length field (0 to 255, indicating the number of following octets) followed by that many octets of arbitrary binary data, allowing a maximum of 255 octets per string excluding the length prefix.[6]
Quoting rules in zone files require double quotes around strings containing spaces or special characters to preserve them as literal text; within quoted strings, a literal double quote is escaped by preceding it with a backslash (), and other special characters or octets can be represented using backslash escapes like \DDD for decimal values (three digits, 0-255).[6]
Zone files support multi-line entries for readability using parentheses to continue records across lines, and wildcard handling applies to the owner name (e.g., *.example.com. IN TXT "wildcard text"), where the asterisk denotes subdomain matching, but TXT records themselves carry no special semantics for wildcards or multi-line formatting in their data content.[6]
Encoding and Length Constraints
The RDATA section of a TXT resource record comprises one or more character strings, where each character string begins with a single octet specifying its length (from 0 to 255), followed by that number of octets of arbitrary binary data representing the text.[7] According to RFC 1035, these octets are treated as binary information without a mandated character set, though the specification assumes printable US-ASCII characters (codes 32-126) for textual content to ensure interoperability across systems.[8] In practice, UTF-8 encoding is widely supported and used for TXT records containing international or non-ASCII text, as the binary nature of the format accommodates multi-byte sequences; however, core DNS standards do not formally require Unicode support, leaving encoding decisions to specific applications.[9] For instance, the Sender Policy Framework (SPF) restricts its TXT records to US-ASCII characters.[10] Each individual character string is limited to 255 octets of data (excluding the length octet), necessitating the use of multiple strings for longer content.[7] The overall RDATA length is theoretically capped at 65,535 octets by the 16-bit RDLENGTH field in the resource record structure.[11] Practical constraints arise from DNS message sizes: traditional UDP responses are limited to 512 octets before EDNS extensions, while EDNS(0) enables larger payloads, often up to 4,096 octets or more based on network and resolver configurations.[12] When multiple character strings are present, they are concatenated directly in the RDATA without delimiters, spaces, or other separators, requiring applications to interpret the combined content according to their defined syntax—for example, SPF parsers identify records starting with the "v=spf1" prefix (case-insensitive) spanning the strings.[7][13] Although designed for textual data, TXT records can carry binary information by encoding it in text-safe formats such as Base64 or hexadecimal, which convert non-printable or arbitrary octets into printable ASCII sequences to mitigate transmission and parsing errors across diverse DNS implementations.[14] Non-printable characters should generally be avoided in unencoded text to prevent issues with legacy resolvers or tools that assume ASCII compatibility.[7]Common Applications
Email Authentication Protocols
TXT records play a crucial role in email authentication protocols by storing policy and verification data in the DNS, enabling domain owners to specify rules that help receiving mail servers detect and mitigate spoofing, phishing, and other abuse. These protocols—SPF, DKIM, and DMARC—leverage TXT records to publish machine-readable instructions that align sender identities with authorized senders, reducing the risk of domain impersonation. The Sender Policy Framework (SPF), defined in RFC 7208, uses a TXT record at the domain's apex (e.g., example.com) to list authorized IP addresses or mail servers permitted to send email on behalf of that domain. The record begins with the "v=spf1" prefix, followed by mechanisms such as "a" for A record IPs, "mx" for MX record servers, or explicit IP networks like "ip4:192.0.2.0/24", and concludes with qualifiers like "+all" (neutral pass) or "-all" (hard fail) to indicate default actions for unmatched senders. This allows receiving servers to check the sending IP against the published list during SMTP transactions, failing checks for unauthorized sources. DomainKeys Identified Mail (DKIM), outlined in RFC 6376, employs selector-specific TXT records under the _domainkey subdomain (e.g., selector._domainkey.example.com) to publish public cryptographic keys used for verifying digital signatures on email messages. The record contains key details like the "v=DKIM1" version, a "p=" public key (in base64), and optional flags such as "k=rsa" for the hashing and signing algorithms, enabling recipients to confirm the message's integrity and origin without relying on the email path. Selectors allow multiple keys for different services or time periods, enhancing flexibility in key management. Domain-based Message Authentication, Reporting, and Conformance (DMARC), specified in RFC 7489, relies on a TXT record at the _dmarc subdomain (e.g., _dmarc.example.com) to declare policies for handling emails that fail SPF or DKIM checks. The record starts with "v=DMARC1;", includes a policy like "p=quarantine" (treat as suspicious) or "p=reject" (block outright), and may specify reporting URIs via "rua=" (aggregate reports) and "ruf=" (forensic reports) for feedback on authentication outcomes. Alignment modes ("aspf" for SPF and "adkim" for DKIM) ensure the domain in the From header matches the authenticating domain, with updates in RFC 9091 (2021) introducing support for external reporters to aggregate data from multiple sources, improving visibility into abuse patterns. These protocols interconnect through TXT records to enforce identifier alignment: DMARC policies activate only when SPF or DKIM passes and the organizational domains align, providing layered defense against forgery. For instance, BIMI (Brand Indicators for Message Identification), per RFC 9371 (2023), extends DMARC by using an additional TXT record at default._bimi.example.com to associate a verified SVG logo with authenticated emails, allowing display of brand indicators in mail clients.Domain Verification and Ownership
TXT records are widely used for domain ownership verification, a process where a service provider generates a unique token, typically a random string, which the domain owner must add as the value of a TXT record at the domain root (e.g., example.com) or a specific subdomain (e.g., _acme-challenge.example.com).[15][16][17] The provider then queries the DNS to confirm the presence of this token, proving the owner's control over the domain without requiring access to the web server.[3] This method is preferred for its simplicity and security in scenarios where HTTP-based verification is impractical, such as for wildcard certificates or domains without public web access.[18] Common providers employing TXT records for verification include Google Workspace, which instructs users to copy a unique TXT value from the admin console and add it to their DNS settings before confirming ownership.[15] Similarly, Microsoft 365 recommends adding a TXT record with a specific value provided in the admin center to verify domain control during setup.[16] For SSL/TLS certificates, Let's Encrypt utilizes the ACME protocol's DNS-01 challenge, where the client provisions a TXT record under _acme-challenge.Miscellaneous Uses
TXT records have historically served informational purposes by storing arbitrary text attributes associated with domain names, enabling legacy uses such as site descriptions or geographic location data. For instance, administrators could include custom key-value pairs like "geo=37.7749,-122.4194" to denote coordinates for a location like San Francisco, facilitating human-readable or machine-parsable metadata without altering DNS infrastructure.[2] This approach, outlined in early specifications for flexible attribute storage, allowed for attributes like "location=San Francisco" or descriptive notes, though such practices are now less common due to the evolution of specialized record types.[2] Additionally, TXT records complement the Responsible Person (RP) record type by providing supplementary details about domain contacts. The RP record specifies a mailbox domain name and points to a TXT record for further information, such as phone numbers, addresses, or other free-form text about the responsible individual or group, allowing shared contact data across multiple domains.[22] This indirection supports efficient management of administrative metadata while keeping core RP entries concise.[22] In experimental and custom applications, TXT records function as key-value stores for IoT device metadata, including device identifiers, cryptographic keys, security policies, or API endpoint configurations to aid autoconfiguration and discovery.[23] For example, semantic metadata for IoT devices can be encoded in compact TXT entries, enabling devices to query DNS for operational parameters without proprietary protocols.[24] A notable implementation involves Apple's services, where TXT records under subdomains like _apple-domain support private relay features by verifying sender policies through SPF entries, ensuring secure email transit for privacy-focused relays.[25] Outdated proposals, such as the "owner" attribute in TXT records defined in RFC 1464 for denoting domain ownership, have largely been superseded by modern verification methods, though the general framework for arbitrary attributes persists in niche contexts.[2] As of 2025, TXT records are increasingly integrated with Web3 and blockchain domains, where they map traditional DNS names to Ethereum addresses or store metadata for decentralized identities, as seen in Ethereum Name Service (ENS) integrations that embed TXT data on-chain for cross-world compatibility.[26] This enables seamless bridging, such as using TXT to alias DNS domains to blockchain wallets or profile information.[27]Implementation
Zone File Configuration
TXT records are authored in DNS zone files using standard resource record syntax, typically in BIND format, where each record specifies the domain name, TTL, class (usually IN for Internet), type (TXT), and the text data enclosed in double quotes. For example, a basic SPF TXT record might be written asexample.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all".[28][29] The text value can include escaped characters if needed, and the entire string must adhere to DNS wire format constraints during resolution.[30]
For values exceeding 255 octets—the maximum length for a single DNS string—TXT records support concatenation of multiple character strings, denoted in zone files by specifying multiple consecutive quoted strings separated by spaces, such as "string1" "string2". This allows administrators to construct longer effective payloads, like extended DMARC policies, which applications reassemble by joining the strings without delimiters.[28] Zone files may contain multiple TXT records for the same name, as DNS permits this for additive data, but care must be taken to avoid unintended overlaps in purpose, such as conflicting SPF directives.[3]
In BIND, TXT records are defined within zone files referenced in the named.conf configuration, which specifies zone paths and types (e.g., master zones).[29] PowerDNS configures TXT records through backend-specific methods, such as SQL inserts or API calls, supporting the same RFC-compliant syntax but storing data in databases rather than flat files for scalability.[31] Cloudflare manages TXT records via its dashboard or REST API, where creation involves POST requests to /zones/{zone_id}/dns_records with JSON payloads specifying type, name, content, and TTL.[32]
Automation tools like Ansible and Terraform facilitate dynamic TXT record management across providers. Ansible's community DNS modules, such as community.general.cloudflare_dns, allow playbook-driven updates to Cloudflare TXT entries, while Terraform's provider ecosystem—including hashicorp/cloudflare and hashicorp/azurerm—declaratively provisions records like resource "cloudflare_record" "txt" { type = "TXT" name = "example.com" value = "v=spf1 ..." }.
Propagation of TXT record changes depends on the TTL value, which dictates how long resolvers cache the prior data; a low TTL like 300 seconds (5 minutes) is recommended before planned updates to minimize downtime, reverting to 3600 seconds or higher post-propagation for efficiency.[33] Global propagation typically completes within the TTL period, though upstream resolver behaviors can extend this to 48 hours in worst cases.[34]
Pre-deployment validation ensures syntax correctness and propagation; use dig TXT example.com to query authoritative servers for the record's presence and content, or Microsoft's DNSLint tool (dnslint /d example.com /t TXT) for comprehensive checks including duplicates and delegation issues on Windows environments.[35][36]
Querying and Retrieval
To retrieve TXT records, which are identified by DNS query type 16, tools like the dig command can be used to send a DNS query to a resolver or authoritative server.[37] For example, the commanddig TXT example.com queries for all TXT records associated with the domain example.com, using the system's default resolver if no server is specified. The response includes a question section echoing the query, an answer section listing any matching TXT records with their TTL values and textual data in quotes, and additional sections for authority and additional information if applicable. If multiple TXT records exist for the queried name, they appear sequentially in the answer section, typically in the order defined in the authoritative zone file.[38]
Upon retrieval, parsing TXT records involves examining the RDATA field of each resource record, which may contain one or more character strings—each prefixed by a length octet and limited to 255 octets—that are concatenated without delimiters to form the complete textual value.[39] For a single TXT record with multiple strings, clients must join them sequentially to interpret the full content, such as reconstructing a policy string starting with a prefix like "v=DMARC1". When multiple distinct TXT records are returned for the same name, the parsing logic varies by application: applications typically select one record based on criteria such as a specific prefix (e.g., for SPF or DMARC) or process each independently, depending on the protocol.[19]
Programmatic access to TXT records is facilitated by DNS libraries in various languages. In Python, the dnspython library's dns.resolver.resolve(domain, 'TXT') method performs the query and returns an iterable of TXT rdata objects, each providing a strings attribute as a list of byte strings that can be concatenated for the full text; error handling includes raising dns.resolver.NXDOMAIN for non-existent domains or dns.resolver.NoAnswer for empty responses. Similarly, in Node.js, the built-in dns module's dns.resolveTxt(hostname, callback) function retrieves TXT data as an array of string arrays (accounting for multi-string records), with errors like ENOENT for NXDOMAIN or empty arrays for no records.[40]
DNS resolvers apply negative caching to optimize querying, storing responses indicating the absence of TXT records to prevent redundant queries. For a non-existent domain (NXDOMAIN response), the negative cache entry applies to the queried name and class, with a TTL derived from the minimum of the authoritative SOA record's TTL and its MINIMUM field. For an existing domain with no TXT records (NODATA, indicated by NOERROR with no answers and an SOA in the authority section), caching is specific to the name, type (TXT), and class, using the same TTL calculation.[41] This mechanism, as standardized, reduces load on authoritative servers but requires clients to respect TTLs when handling cached negatives.[42]
Limitations and Best Practices
Security Considerations
TXT records, being part of the public Domain Name System (DNS), are susceptible to spoofing attacks where adversaries intercept or poison DNS responses to forge record content. This can result in false positives for Sender Policy Framework (SPF) checks, allowing unauthorized email senders to bypass authentication and deliver spam or phishing messages, or enable the circumvention of domain verification processes by presenting altered ownership proofs.[43][44] To mitigate these risks, Domain Name System Security Extensions (DNSSEC), as defined in RFC 4033, 4034, and 4035, provide cryptographic signing of DNS records, including TXT types, ensuring data authenticity and integrity through digital signatures that resolvers can validate.[45][46] A significant concern with TXT records is the potential for information leakage, as they are inherently public and queryable by anyone without authentication. Storing sensitive data, such as API keys, credentials, or temporary tokens, in TXT records exposes this information to unauthorized access, enabling exploitation by attackers for unauthorized system access or further attacks.[47][48] Best practices recommend avoiding the inclusion of any secrets in TXT records altogether and, for temporary data like verification tokens, employing short Time to Live (TTL) values to limit exposure duration after issuance.[47] TXT records can also contribute to protocol-specific threats, particularly in distributed denial-of-service (DDoS) amplification attacks, where attackers exploit open DNS resolvers to generate oversized responses from TXT queries, flooding targets with amplified traffic—though this amplification factor is generally lower than that of ANY queries.[49][50] Implementations should incorporate response rate limiting (RRL) on authoritative servers to cap the volume of replies to similar queries, reducing the feasibility of such attacks.[51][52] As of 2025, DNSSEC deployment is increasingly critical for TXT record uses in email authentication protocols like DMARC, where major providers such as Google, Microsoft, and Yahoo mandate DMARC implementation for bulk senders to prevent spoofing, and DNSSEC is recommended to secure the underlying records against tampering.[53][54] Emerging threats include caching inconsistencies in DNS over HTTPS (DoH) resolvers, which may lead to outdated or mismatched TXT data retrieval if validation and cache management are not uniformly enforced.[55]Common Pitfalls and Recommendations
One common pitfall in configuring TXT records involves syntax errors, particularly unescaped double quotes within the record's character strings or exceeding the 255-octet limit per string, which can render the entire record invalid and prevent proper resolution.[6] According to the DNS specification, character strings in TXT records must be properly quoted in zone files, with internal double quotes escaped using a backslash ("), and each string confined to 255 octets to avoid parsing failures by resolvers.[6] To mitigate this, administrators should always test TXT records using tools like thedig command (e.g., dig TXT example.com) before deployment to verify syntax and content integrity.[56]
Another frequent issue arises with overlong TXT records that exceed the traditional 512-octet UDP payload limit for DNS messages, leading to truncation where the TC (truncated) bit is set, forcing clients to retry over TCP and potentially causing delays or failures in environments without EDNS support.[6] While EDNS(0) allows larger payloads up to 4096 octets or more to accommodate bigger responses, not all resolvers or networks fully support it, resulting in inconsistent handling.[57] As a recommendation, split lengthy content across multiple strings within a single TXT record or distribute it over multiple TXT records for the same domain, ensuring the total size remains manageable and protocol-compatible.[3]
When multiple TXT records exist for the same domain, protocols like SPF concatenate their contents without spaces, which can lead to bloated or erroneous policies if unrelated records are included, increasing evaluation complexity and risk of misinterpretation.[58] For instance, SPF implementations treat all qualifying TXT records (those starting with "v=spf1") as a single policy by joining them, but having more than one such record often signals a configuration error and may cause authentication failures.[58] Best practice is to limit TXT records to one per specific purpose (e.g., a single SPF record), clearly document the order and intent of any multiples, and avoid mixing unrelated data to prevent unintended concatenation effects.
Effective maintenance of TXT records requires regular audits to identify and remove outdated entries, such as obsolete SPF includes from decommissioned services, which can accumulate over time and degrade performance or security posture.[59] Automating verification through service-specific tools ensures ongoing compliance, and as of 2025, integrating with monitoring platforms like Zabbix—using items such as net.dns.record to check TXT content—enables proactive DNS health alerts.[60] Additionally, setting an appropriate TTL (e.g., 300 seconds during changes) facilitates quicker propagation of updates without prolonged inconsistencies.[61]