What is a TXT record? 🤷♂️
A TXT record is far more than just a “text note”. It can keep your domain safe and add protection to all your users.
How can the text record do that? Let’s explore it and find all the details together!
📚 Table of contents:
- Defining TXT records in detail
- The structure of the TXT record explained
- Popular types of TXT records and their security implementations
- Example of a TXT record
- Challenges and best practices in managing TXT records
- How to query a TXT record?
Defining TXT records in detail
TXT records are text DNS records, created for use by external parties. Their content can be directed at devices (servers and user devices) or at people (for example, a message to another domain administrator).
The message TXT records contain is usually a code that must be publicly available on the domain. For that reason, the domain administrator must add it through the DNS settings (or Forward DNS Zone if managing their own server). Third parties use this publicly available code to verify aspects of the domain name, such as the administrator’s identity or the servers it uses to send emails.
Note that TXT records can contain any text information. However, in most cases TXT records will be used for the codes we’ll discuss in this article.
The structure of the TXT record explained
The text record has the following fields:
- Host. Here you add the hostname/domain name.
- Type. Here you specify the DNS record type. Type simply “TXT”.
- TTL. Time to live: how long resolvers may cache this record.
- Value. Here, you add the value (code) for your particular use. For example, you might enter a code provided by an online tool that wants you to verify ownership of your domain.
Popular types of TXT records and their security implementations
Let’s talk about the different TXT records and what their security implementations are.
You may have heard about SPF, DKIM, and DMARC records. In the past, they used to be separate records, but now they are all variations of the TXT DNS record. The text record is the container, and inside it, you can put the information about the security protocol you need.
Here’s a quick roundup of the most common TXT record types and their uses:
- Service verification TXT records. These TXT records show that you are the real domain owner. Many services ask you to add a DNS TXT record to your DNS zone to prove that you own the domain; later, they query the record and verify it. This is very common with webmaster tools: you will need to add such records for Google Search Console, Bing Webmaster, Yandex Webmaster, and so on. You can also use it to verify your domain for cloud services such as Amazon Web Services, Microsoft Azure, or Google Cloud.
- SPF (Sender Policy Framework). We have a full article about SPF, but in brief, it is an antispam measure. You can use this TXT record to list your allowed outgoing email servers, and other servers can verify them. This prevents spoofing and reduces phishing attacks.
- DKIM (DomainKeys Identified Mail). DKIM adds encryption to your email communication. Using DKIM, you sign all outgoing emails, and receiving servers (such as those run by Gmail) can verify their origin. It also reduces spoofing and phishing by ensuring the integrity of the emails you send.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC adds extra protection based on the results of the SPF and DKIM checks. A DMARC record is another TXT record that sets policy: it tells receiving mail servers what to do with emails that claim to come from your domain. It also has a reporting feature, so you can find out who, if anybody, is trying to send unauthorized emails on your behalf.
- MTA-STS (Mail Transfer Agent Strict Transport Security). This is another DNS-based security mechanism designed to improve email security. Its primary goal is to facilitate end-to-end encrypted communication in email transfer, which significantly reduces the risk of man-in-the-middle attacks. By publishing an MTA-STS policy, you declare a commitment to secure email transport and give sending servers a way to verify that policy. The MTA-STS policy is defined and made discoverable through a TXT record in DNS. This ensures that your emails are transmitted more securely, preserving the confidentiality and integrity of the communication, and is a proactive step towards protecting your domain against email interception attacks.
Example of a TXT record
Example of a service verification TXT record:
example-site-verification=rXOxyZounnZasA8Z7oaD3c14JdjS9aKSWvsR1EbUSIQ
Example of an SPF TXT record:
example.com TXT 3600 v=spf1 include:_spf.google.com ~all
Example of a DKIM TXT record:
selector._domainkey.example.com TXT 7200 v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9wOBAQEFAXOCAQ8AMIIBCxKCAQEAtlOQmjs3Y5diVg6cKpeJNfiWyOV7DXUERY3xvDyOC2DF8X2P+oNsNfuqp/FdffsSMLxyQOe2aj2msqHaX6BoG8ATUfk1pnNhUu8gqphhyMeBOpQRBsDPCPwaLj+SxO42Tbo9jz8yV
//zoTVIJIHe3VKe3DrE22kGT2GcdVQdTR2YLtEV8e4UEgT2pPVmRdpZ
Example of a DMARC TXT record:
_dmarc.example.com TXT 7200 v=DMARC1; p=reject; rua=mailto:contacts@example.com
Example of a MTA-STS record:
TXT record name: _mta-sts.example.com
TXT record value: v=STSv1; id=20230465087777
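As an added example (not code from the original article or from any DNS provider), the following Python checker parses the record shapes shown above: SPF terms, and the tag=value syntax shared by DKIM, DMARC and MTA-STS. It flags a mistyped SPF term such as `~allhow`, a DMARC record published at the wrong name, and, for the "Overlapping records" point below, two SPF records on one name. The sample zone is constructed and the DKIM key is a placeholder.

```python
import re

# One SPF term: optional qualifier plus mechanism/modifier; "~allhow" does not match.
SPF_TERM = re.compile(r"^[+\-~?]?(all|a|mx|ptr|(include|exists|a|mx):[\w.\-/]+|"
                      r"ip4:[\d./]+|ip6:[0-9a-fA-F:./]+|(redirect|exp)=[\w.\-]+)$")
# Tag-based types: version tag -> (name marker the record must live under, required tag)
TAG_TYPES = {"DMARC1": ("_dmarc.", "p"), "DKIM1": ("._domainkey.", "p"),
             "STSv1": ("_mta-sts.", "id")}

def parse_tags(value):
    """Split a 'tag=value; tag=value' value (DKIM, DMARC, MTA-STS) into a dict."""
    pairs = [p.partition("=") for p in value.split(";") if p.strip()]
    return {k.strip(): v.strip() for k, _, v in pairs}

def check_txt(name, value):
    """Return the problems found in one TXT record; an empty list means it parses."""
    if value.startswith("v=spf1"):
        bad = [t for t in value.split()[1:] if not SPF_TERM.match(t)]
        return [f"SPF term not recognised: {t!r}" for t in bad]
    tags, problems = parse_tags(value), []
    spec = TAG_TYPES.get(tags.get("v"))
    if spec is None:   # plain text or a site-verification token: nothing to check
        return problems
    marker, required = spec
    if marker not in name:
        problems.append(f"v={tags['v']} record must be published under {marker}")
    if not tags.get(required):
        problems.append(f"missing required tag {required}=")
    if tags["v"] == "DMARC1" and tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC p= must be none, quarantine or reject")
    return problems

def check_zone(records):
    """Check (name, value) pairs; two SPF records on one name is a permanent SPF error."""
    findings = [(n, p) for n, v in records for p in check_txt(n, v)]
    spf_names = [n for n, v in records if v.startswith("v=spf1")]
    for n in sorted(set(spf_names)):
        if spf_names.count(n) > 1:
            findings.append((n, "more than one SPF record for this name"))
    return findings

# Constructed sample zone modelled on the examples above; the first SPF value keeps
# a trailing "how" typo, and a second SPF record is added on purpose.
SAMPLE = [
    ("example.com", "v=spf1 include:_spf.google.com ~allhow"),
    ("example.com", "v=spf1 ip4:192.0.2.10 -all"),
    ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:contacts@example.com"),
    ("selector._domainkey.example.com", "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"),
    ("_mta-sts.example.com", "v=STSv1; id=20230465087777"),
]
```

Running `check_zone(SAMPLE)` reports the `~allhow` term and the duplicate SPF record, and nothing for the DMARC, DKIM and MTA-STS entries.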
Challenges and best practices in managing TXT records
Here are the most common challenges that DNS administrators experience with this DNS record:
Syntax error
Accuracy is crucial when dealing with TXT records, as even a single character error can impact their effectiveness. Each string within a TXT record is limited to 255 characters, but a record can contain multiple such strings to accommodate longer data. This feature is particularly useful for configurations that exceed 255 characters. When creating a TXT record with multiple strings, each string should be enclosed in quotation marks and concatenated together in the DNS. Here’s an illustrative example showing how to format a TXT record with two strings:
"example-TXT-record-string-part1-upto-255-characters-3.14159265358979323846264338327950288419716939937510"
"5820974944592307816406286208998628034825342117067982148086513282300664709384460955058223172535940812848111745028410270193852110555964462294895493038196442881097566593344612847"
This format ensures the full content of the TXT record is correctly interpreted without exceeding the individual string limit.
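As an added example that is not from the original article, this Python code shows both sides of the 255-character rule: splitting a long value into zone-file strings (with master-file quoting), producing the wire form in which each string carries a one-byte length prefix (the reason for the limit), and reassembling the value the way a resolver does. The DKIM-style sample value and its base64 placeholder key are constructed.

```python
import base64

MAX_STRING = 255  # RFC 1035: one <character-string> is a length byte plus up to 255 bytes

def chunk_bytes(value, limit=MAX_STRING):
    """Split the raw TXT value into pieces of at most `limit` bytes. The split
    point is arbitrary: resolvers concatenate the strings in order."""
    data = value.encode("utf-8")
    if not data:
        raise ValueError("TXT value must not be empty")
    return [data[i:i + limit] for i in range(0, len(data), limit)]

def quote_string(chunk):
    """Render one chunk as a zone-file quoted string, escaping '"' and backslash
    and writing any non-printable byte as \\DDD (master-file syntax)."""
    out = []
    for b in chunk:
        if b in (0x22, 0x5C):          # '"' and '\' need a backslash
            out.append("\\" + chr(b))
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\%03d" % b)
    return '"' + "".join(out) + '"'

def to_zone_strings(value):
    """Zone-file presentation: one quoted string per chunk, in order."""
    return [quote_string(c) for c in chunk_bytes(value)]

def to_rdata(value):
    """Wire form: each chunk prefixed with its one-byte length. That single
    length byte is why one string can never exceed 255 bytes."""
    return b"".join(bytes([len(c)]) + c for c in chunk_bytes(value))

def from_rdata(rdata):
    """Reassemble the value exactly as a resolver does: strip the length
    bytes and concatenate the strings in order, then decode."""
    pieces, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        pieces.append(rdata[i + 1:i + 1 + n])
        i += 1 + n
    return b"".join(pieces).decode("utf-8")

# Constructed sample: a DKIM-style value whose "key" is a 344-character base64
# placeholder, long enough to need two strings (362 bytes in total).
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(range(256))).decode()
```

Note that the limit applies to bytes, so a non-ASCII value may be cut inside a multi-byte character; that is harmless because the strings are concatenated before decoding.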
Overlapping records
Servers can have problems with your TXT records if you have created multiple records for the same service. Pay attention to your records to avoid multiple record conflicts.
Update your records
It is good practice to keep your records up to date. SPF, DKIM, and DMARC settings can become outdated over time and stop being effective against current threats. Review and update them on a regular basis.
Maintain documentation about your records
A TXT record often holds a string of data that means nothing to a human reader. Keep documentation about each TXT record. That way you can easily identify the purpose of each record and know when you can add, delete, or modify any of them.
Implement DNSSEC
Implementing DNSSEC (Domain Name System Security Extensions) is a critical step in enhancing the security of your domain’s DNS records, including TXT records.
DNSSEC acts as a robust authentication tool, adding a layer of verification to all DNS responses. This is particularly important for TXT records, which often contain sensitive data used for domain verification, security protocols, and email authentication (like SPF, DKIM, and DMARC records).
By ensuring the integrity and authenticity of DNS data, DNSSEC makes it much more difficult for attackers to manipulate or poison these DNS queries and responses. Adopting DNSSEC ensures that the information contained in your TXT records is legitimate and unchanged, providing a higher level of confidence in their validity and protecting against certain types of cyber attacks.
Limit the access to your domain
Not everybody in your organization should have access to the DNS settings/zone for domain administration. Only you and the employees who are actively involved in administering your domain should have access.
How to query a TXT record?
Check a TXT record using Linux
- Open the Terminal.
- Type dig example.com TXT. You can replace example.com with the domain you would like to probe.
Check using macOS
- Open the Terminal.
- Type dig example.com TXT. You can replace example.com with the domain you would like to probe.
Look it up using Windows
- Open the Command Prompt screen.
- Type nslookup -type=txt example.com. You can replace example.com with the domain you would like to probe.
Online check with DNS tool
You can also use one of the many online DNS tools available. For this example, we will use MxToolbox.
- Open your browser and head to the MxToolbox DNS TXT lookup tool.
- Write example.com or any other domain that you would like to look up.
Conclusion 🧐
So, what’s the final answer to the question “What is a TXT record”?
It is a truly multipurpose DNS record.
Among other things, it can verify your ownership over your domain and keep both your domain and your email communications safe.
Want to learn about more DNS records and how they can help with site administration? Check out our guide to CNAME records.