What is a TXT record?

Home / Everything About / Everything About Domains / What is a TXT record?

If you have read the chapter on DNS record types, you know that each record in your DNS zone has a specific job. A records point to IP addresses. MX records handle email routing. A TXT record does neither. It holds a line of plain text that tells other systems something about your domain. That text might say "this email provider can send on my behalf" or "yes, I own this domain" or "here is the key to verify my messages."

Think of it like a note pinned to your front door. It does not change how your house works. But anyone who walks up and reads it learns something important about who lives there and what they have authorized.

What does a TXT record look like?

A TXT record has four parts, just like other DNS records. Here is what each one does.

  • Hostname (name) is the domain or subdomain the record applies to. For your main domain, this is usually "@" or left blank. For a subdomain like mail.yourdomain.com, the hostname would be "mail"
  • Type tells the DNS system this is a TXT record
  • Value is the text content itself. This can be a verification code, an email policy, a public key, or any other string up to 255 characters per segment
  • TTL (time to live) controls how long DNS servers cache this record before checking for updates. The default is usually 3600 seconds, which equals one hour

Here is what a simple TXT record looks like in a DNS settings panel.

  • Hostname set to @
  • Type set to TXT
  • Value set to "v=spf1 include:_spf.example.com ~all"
  • TTL set to 3600

That example is an SPF record, one of the most common types of TXT record. The sections below explain what SPF means and how other email security records work.

How is a TXT record used for domain verification?

This is the simplest use of a TXT record. A service needs proof that you own a domain. You prove it by adding a record that only the domain owner could add.

Here is how the process works.

  1. You sign up for a service and tell it your domain name
  2. The service gives you a unique verification code
  3. You log into your DNS settings and add a TXT record with that code as the value
  4. The service checks your DNS for the TXT record
  5. If it finds the code, verification is complete

Why does this work? Because only someone with access to your DNS settings can add records there. The verification code is meaningless on its own. It just proves you have the keys to the DNS zone.

What is an SPF record?

What SPF stands for

SPF stands for Sender Policy Framework. It is a TXT record that lists which mail servers are allowed to send email using your domain name. When someone receives an email from you, their mail server checks your SPF record to see if the sending server is on the approved list.

What an SPF record does

Without an SPF record, anyone can send an email that looks like it came from your domain. This is called email spoofing. It is one of the oldest tricks in the phishing playbook, and it works because the receiving server has no way to check if the sender is who they claim to be.

An SPF record fixes that. It is like giving the post office a list of couriers who are allowed to send packages on your behalf. If a package shows up from a courier not on the list, the post office knows something is off.

Here is an example.

v=spf1 include:_spf.mailprovider.com ~all

This says three things.

  • v=spf1 identifies this as an SPF record
  • include:_spf.mailprovider.com means "the servers listed by this mail provider are allowed to send email for my domain"
  • ~all means "if an email comes from any other server, treat it as suspicious but do not reject it outright"

If the "~all" were changed to "-all," the rule would be stricter. It would tell receiving servers to flat-out reject anything not on the approved list.

What is a DKIM record?

What DKIM stands for

DKIM stands for DomainKeys Identified Mail. Where SPF checks who sent the email, DKIM checks whether the email was tampered with on the way to your inbox.

How the public key works

Think of DKIM like a wax seal on a letter. When your mail server sends an email, it stamps it with a hidden signature. That signature is created using a private key that only your server knows. The matching public key sits in a TXT record on your domain, visible to anyone who looks.

When the receiving server gets the email, it reads your public key from DNS and checks it against the signature. If they match, the email is verified as authentic and untouched. If they do not match, the email may have been altered somewhere along the way.

You do not need to understand the key itself. Your email provider generates it and tells you exactly what to paste into your DNS settings. The DKIM TXT record usually lives on a subdomain that looks something like "selector._domainkey.yourdomain.com."

What is a DMARC record?

How DMARC ties SPF and DKIM together

SPF checks where the email came from. DKIM checks that it was not altered. But what happens when one of those checks fails? Without DMARC, each receiving server decides on its own. Some will send the email to spam. Some will let it through. Some will reject it. You have zero control.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a TXT record that puts you in charge. You set the rules for what happens when an email fails SPF or DKIM.

What the DMARC policies mean

A DMARC record is added as a TXT record on the subdomain "_dmarc.yourdomain.com." Here is a simple example.

v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com

This tells receiving servers three things.

  • v=DMARC1 identifies this as a DMARC record
  • p=quarantine is the policy. It tells the receiving server to send emails that fail authentication to the spam folder instead of the inbox
  • rua=mailto:reports@yourdomain.com tells servers to send authentication reports to this email address so you can see who is sending email using your domain

The policy field (p=) has three options.

  • none means take no action, just send reports. This is useful when you are first setting up DMARC and want to monitor before enforcing
  • quarantine means send failing emails to spam
  • reject means block failing emails entirely so they never reach the recipient

Together, SPF, DKIM, and DMARC form three layers of email protection. SPF is the guest list. DKIM is the wax seal. DMARC is the bouncer who decides what happens when someone fails the first two checks. If you are setting up custom email with your domain, all three records are important.

What else can TXT records do?

Email security and domain verification are the two biggest uses, but TXT records show up in other places too.

  • Search engine verification. Search engines ask you to add a TXT record to prove you own a domain before giving you access to search performance data
  • Security policies. Some organizations use TXT records to publish security contact information or certificate authority preferences
  • Service authentication. Analytics platforms, advertising services, and other tools often require a TXT record to link your domain to your account
  • Custom metadata. Any text-based information that other servers or services need to read about your domain can be stored in a TXT record

TXT records are the Swiss army knife of DNS. If a service needs to verify, authenticate, or communicate something about your domain, chances are it uses a TXT record to do it.

How do you add a TXT record?

Adding a TXT record follows the same steps as adding any other DNS record. If you have added an A record or MX record before, this will feel familiar.

  1. Log in to the DNS management panel where your domain's nameservers are set. This is usually your domain registrar or your hosting provider
  2. Find the DNS records section or DNS zone editor
  3. Click the option to add a new record
  4. Select TXT as the record type
  5. Enter the hostname. Use "@" for the root domain or a specific subdomain name if the service requires it
  6. Paste the exact value provided by the service you are setting up. Do not retype it by hand
  7. Set the TTL. If you are unsure, use the default value your provider suggests or set it to 3600
  8. Save the record

One thing to keep in mind. DNS changes can take anywhere from a few minutes to 48 hours to spread across the internet. This is called DNS propagation. During this time, some servers may still see the old settings while others see the new ones. For more detail on this process, read the chapter on how DNS works.

What are common TXT record mistakes?

TXT records are simple to add, but a few repeated errors trip people up.

  • Pasting the wrong value. TXT record values are often long strings of random characters. Miss one character, add an extra space, and the whole thing breaks. Always copy and paste directly from the service that gave you the value
  • Multiple SPF records on the same domain. You can only have one SPF record per domain. If you need to authorize multiple mail providers, combine them into a single SPF record using multiple "include" statements. Two separate SPF records will cause unpredictable behavior and email delivery failures
  • Adding the record to the wrong hostname. Some TXT records go on the root domain (@), while others go on a specific subdomain like "_dmarc" or "selector._domainkey." Put the record in the wrong spot and the service looking for it will not find it
  • Forgetting to save. This sounds basic, but many DNS panels require you to click a save or confirm button after entering the record. If you close the page before saving, the record is not created
  • Not waiting for propagation. After adding a TXT record, the verification service may not find it right away. Give it at least 15 to 30 minutes before retrying the check

What happens when TXT records are wrong or missing?

The consequences depend on which TXT record is affected.

  • If your SPF record is missing or incorrect, your emails are more likely to land in spam. Receiving servers have no way to confirm your mail server is authorized, so they play it safe
  • If your DKIM record is missing, your emails lack a verifiable signature. Some recipients will still accept them, but spam filters become more suspicious
  • If your DMARC record is missing, you have no control over what happens to emails that fail SPF or DKIM checks. Each receiving server makes its own call
  • If a verification TXT record is removed, the service that required it may revoke your access or show a warning that domain ownership is no longer confirmed

None of these issues will take your website offline. TXT records do not affect how your site loads or how visitors reach it. But missing or broken TXT records can hurt your email deliverability and your ability to use services tied to your domain.

How WEMASY handles TXT records

When you connect a custom domain to your WEMASY website, WEMASY walks you through the DNS records you need to add. If your plan includes email features or if you are verifying your domain for search tools, WEMASY tells you exactly which TXT records to create, including the hostname and the value to paste.

WEMASY handles SSL and hosting on its end, so the TXT records you add are focused on verification and email security rather than routing. Once your records are in place and DNS has propagated, everything connects automatically. See what is included in each plan on the WEMASY pricing page.

What comes next

Now that you understand how TXT records work for verification and email security, the next chapter covers NS records. NS records control which name servers are responsible for your domain's entire DNS zone, and they sit at the foundation of how all your other records are found. For an overview of all record types and when to use each one, see the chapter on DNS record types.

Frequently asked questions

Can you have multiple TXT records on the same domain?

Does a TXT record affect how fast your website loads?

How long does a TXT record take to start working?

What is the maximum length of a TXT record value?

Do you need TXT records if you do not send email from your domain?