What Is TXT record in Networking?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
A TXT record is like a note attached to your website's domain name. It lets you add text information that other services can read. This is often used to prove you own a domain, set up email security, or configure policies.
Commonly Confused With
An MX record specifies the mail servers responsible for receiving email for a domain. A TXT record holds text information for policies, verification, and other purposes. MX records are for delivery routing, while TXT records are for data like SPF and DKIM.
MX record: mail.company.com points to the mail server IP. TXT record: gives the SPF rule that only mail.company.com can send email.
A CNAME record maps one domain name to another (alias). A TXT record stores text data directly. CNAME does not hold text values; it redirects DNS queries. TXT records are not aliases.
CNAME: www points to example.com (alias). TXT: holds the verification code 'abc123' at the root.
An AAAA record maps a hostname to an IPv6 address. A TXT record contains arbitrary text information. AAAA is for IP address resolution, while TXT is for metadata.
AAAA: example.com -> 2001:db8::1. TXT: example.com -> 'v=spf1 include:spf.example.com -all'.
Must Know for Exams
For general IT certifications, TXT records appear primarily in networking and security domains. In CompTIA Network+ (N10-008), DNS is a core objective, and candidates must know the various record types, including TXT. The exam expects you to understand that TXT records hold text information for services like email security and domain verification. Questions may ask which record type is used for SPF or DKIM, or what a TXT record's purpose is. Multiple-choice questions often list several DNS record types, and you must select TXT for policy-related data.
In CompTIA Security+ (SY0-601), TXT records relate to email security controls. The exam covers SPF, DKIM, and DMARC under Objective 3.2 (Secure network architectures). Candidates must know that these protocols rely on TXT records to publish policies. A typical question might describe a scenario where an organization wants to prevent email spoofing and asks which DNS record to configure. Knowing that TXT holds the SPF policy is necessary.
For the Cisco CCNA (200-301), while DNS is not a major focus, understanding DNS record types supports broader networking knowledge. TXT records may appear in questions about network services or troubleshooting email issues. In Microsoft exams like MS-900 (Microsoft 365 Fundamentals) or MD-102 (Endpoint Administrator), TXT records are critical for domain setup when integrating Office 365 or Azure AD. These exams may present a scenario where an admin needs to verify domain ownership or configure email authentication, and you must identify TXT record as the solution.
The exam trap often involves confusing TXT records with other DNS records like MX (which routes email) or A (which maps hostnames to IPs). Another trap is forgetting that TXT records have a 255-character limit per string and must be properly quoted. Some questions may ask about the format of a SPF record, and you need to recall that it starts with "v=spf1". Knowing that DMARC uses a subdomain like _dmarc.example.com is a common focus.
Practical exam questions might require you to interpret a DNS zone file snippet and identify a TXT record, or to choose the correct record type for a given purpose. Understanding propagation times and TTL values is also tested. For scenario-based questions, you might be asked why a domain verification failed, and the answer could be that the TXT record was not yet propagated or was misconfigured. Overall, TXT records are a moderate but consistent topic across several certifications, and careful reading of the question context is key.
Simple Meaning
Imagine your website's domain name is like the address of your house. A TXT record is like a note you pin to your front door. That note might say "Google: Please verify this is my house" or "Email senders: Only send mail if it has a special stamp." The note doesn't change how people find your house, but it tells other services important information about how to interact with you.
When you use a service like Google Workspace or Microsoft 365, they often ask you to add a TXT record to prove you own the domain. This stops someone else from pretending to own your domain and using it for their own purposes. It's a simple way to prove ownership without sharing passwords.
Email security is another major use. TXT records help implement SPF, DKIM, and DMARC protocols. SPF says which mail servers are allowed to send email for your domain, helping prevent spam and phishing. DKIM adds a digital signature to emails so recipients can verify they actually came from you. DMARC tells email systems what to do if an email fails these checks. All of these use TXT records to hold the necessary information.
TXT records can also be used for things like informing clients about your domain's policies, such as the allowed email sending IP addresses or encryption requirements. They are flexible because they can hold any text up to 255 characters per string, and multiple strings can be combined for longer data. When you set up a TXT record in your DNS control panel, you create a new entry with a name (like "@" for your main domain or "_domainkey" for DKIM), a type (TXT), and a value (the text string). After you save it, it takes time to propagate across the internet's DNS servers, usually from a few minutes to 48 hours.
Full Technical Definition
A TXT record is a resource record in the Domain Name System (DNS) that allows an administrator to associate arbitrary human-readable text with a hostname or domain name. Defined in RFC 1035, the TXT record format consists of one or more character strings, each up to 255 octets in length. When multiple strings are present, they are concatenated by the resolver, allowing for longer data payloads. TXT records are stored in zone files and served by authoritative DNS servers.
TXT records serve multiple purposes in modern networks but are most commonly used for domain ownership verification and email security protocols. For domain verification, service providers like Google, Microsoft, or Amazon often generate a unique token string and ask the domain owner to add it as a TXT record. When the service queries the domain's DNS and finds the token, it confirms administrative control without requiring a password.
In email security, TXT records are essential for three protocols. SPF (Sender Policy Framework, RFC 7208) uses a TXT record at the domain level to list authorized sending mail servers. The record typically starts with "v=spf1" followed by mechanisms like "include:" (to reference other domains), "ip4:" (to allow specific IPv4 addresses), and "all" to define the default action (e.g., "-all" to reject, "~all" for soft fail). DKIM (DomainKeys Identified Mail, RFC 6376) uses a different selector subdomain (e.g., s1._domainkey.example.com) and holds a public key. The record contains "v=DKIM1; p=" followed by the Base64-encoded public key. Receiving mail servers fetch this record to verify the digital signature in email headers.
DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 7489) uses a TXT record at the subdomain _dmarc.example.com. It specifies policies for handling emails that fail SPF or DKIM checks, reporting addresses (rua, ruf), and enforcement levels (p=none, p=quarantine, p=reject). This record is found by querying _dmarc.yourdomain.com.
From a technical implementation standpoint, DNS servers handle TXT records like any other record type. When a resolver receives a query for a TXT record, it returns the text string(s) in the answer section. Command-line tools like `dig example.com TXT` or `nslookup -type=TXT example.com` retrieve these records. In BIND zone files, a TXT record is written as: `@ IN TXT "v=spf1 include:_spf.google.com ~all"`. The quote marks delimit each string. Multiple strings can be placed consecutively for longer data, but each is limited to 255 characters. The total combined length should not exceed 2048 characters in practice for compatibility.
TXT records have a TTL (Time to Live) value that controls how long resolvers cache the record. A shorter TTL (e.g., 300 seconds) is used during changes to speed up propagation. Deployment requires careful planning to avoid errors like syntax mistakes, missing quotes, or exceeding length limits. Validating the record with online tools or command-line queries before finalizing is a standard best practice.
Real-Life Example
Think of a university campus that has a main building (your domain name). The building has a bulletin board (the DNS zone) where anyone can post notices. A TXT record is like an official notice pinned to that board. The notice might say: "Only delivery vans with a green sticker are allowed to deliver packages here." This sets a policy that the security guard (mail server) reads before letting a van (email) through.
Now imagine you want to open a branch office and need to prove you own the main building to the city council. The council gives you a code, like "X9K2F7". You pin that code on your bulletin board. The council sends someone to check the board, sees the code, and confirms you are the owner. This is exactly how domain verification works using TXT records.
Similarly, think of the building's intercom system. You can program a special number that must appear on any package label for the package to be accepted. That number is like a DKIM public key. When a courier arrives with a package, the security guard checks the label against the number on your bulletin board. If they match, the package is accepted. If not, it's rejected or sent to the lost-and-found (quarantine).
Finally, imagine you want to tell all couriers what to do if a package comes without the proper label. You pin another notice: "If the package doesn't have the right label, return it to sender. Send me a report list of rejected packages every Friday." That's the DMARC policy telling mail servers how to handle unauthenticated email and where to send reports. Each of these notices is a different TXT record, all on the same bulletin board, each serving a specific purpose.
Why This Term Matters
TXT records are a foundational tool for domain security and management in IT. They enable domain owners to set policies for email authentication, which directly reduces the risk of phishing, spoofing, and spam. Without TXT records, attackers could send emails that appear to come from your domain, damaging your organization's reputation and potentially tricking customers or employees. SPF, DKIM, and DMARC all depend on TXT records to function, making them essential for email deliverability and security.
From an administrative perspective, TXT records provide a simple way to verify domain ownership during vendor onboarding. When you sign up for services like cloud hosting, email platforms, or analytics tools, the provider often requires a TXT record to confirm you control the domain. This prevents unauthorized parties from hijacking your domain for services like sending spam or hosting fake sites.
In a professional IT environment, misconfigured TXT records can cause email delivery failures, missed verification deadlines, or security gaps. For example, if an SPF record is too restrictive, legitimate emails might be rejected. If DMARC is set to "reject" without proper SPF and DKIM alignment, legitimate email can be lost. IT professionals must understand how to construct, test, and maintain these records. TXT records also have a practical size limit and require careful handling of quotes and character encoding, especially when deploying DKIM keys long keys.
Beyond email and verification, TXT records are used for other policies like indicating encryption capabilities (e.g., MTA-STS) or validating server certificates. Their flexibility means they can be adapted for new purposes as network requirements evolve. For IT certification holders, knowing how to read, create, and troubleshoot TXT records is a practical skill that supports daily operations, incident response, and system integration tasks.
How It Appears in Exam Questions
Exam questions about TXT records typically fall into three patterns: identification, purpose, and configuration.
Identification questions present a list of DNS record types and ask which one is used for a specific function. For example: "Which DNS record type is used to store SPF records?" The correct answer is TXT. Another variant: "An administrator needs to add a text entry to a domain for domain verification. Which record type should they add?" Again, TXT.
Purpose questions describe a scenario and ask what the TXT record does. For instance: "A company wants to reduce email spoofing. They configure an SPF record as a TXT record. What does this record do?" The answer explains that it lists authorized mail servers. Another example: "A web developer adds a TXT record with a verification code provided by a third-party service. What is the purpose of this?" It proves domain ownership.
Configuration questions often involve reading a DNS zone file or choosing the correct syntax. A sample: "Given the following DNS zone entry: example.com. IN TXT 'v=spf1 include:_spf.example.com ~all', what is the purpose of this record?" You must identify it as an SPF record. Another format shows a partial configuration and asks what is missing. For example, a DKIM TXT record without the proper selector subdomain would be incorrect.
Troubleshooting questions also appear. For example: "A company's emails are being marked as spam. The DNS administrator checks and finds the SPF record is missing. What record type should exist?" The answer is TXT. Or: "Domain verification fails after adding the TXT record. What is the most likely reason?" Options might include incorrect record value, not waiting for propagation, or wrong hostname.
Scenario-based performance questions might ask you to order steps for setting up email authentication, with adding a TXT record as one step. Or they might require you to choose between multiple TXT records to fix a DMARC policy issue. In all cases, understanding that TXT records are text-based and used for policies and verification is the key.
Practise TXT record Questions
Test your understanding with exam-style practice questions.
Example Scenario
You work as an IT support specialist for a small business. The company wants to start using Microsoft 365 for email. Part of the setup requires you to prove you own the domain "company.com". Microsoft provides a verification string, like "MS=ms12345678". You log into your DNS management panel and add a new TXT record with host "@" (for the root domain) and value "MS=ms12345678". After saving, you wait about 30 minutes for propagation. Then you click "Verify" in Microsoft 365, and it checks the DNS. It finds the TXT record, confirms the domain ownership, and the setup proceeds.
Next, you need to configure email security. You create an SPF record as a TXT record for company.com: "v=spf1 include:spf.protection.outlook.com -all". This tells receiving mail servers that only Microsoft 365's servers are allowed to send email for your domain. You also create a DKIM record using a selector like "selector1". The record is added at "selector1._domainkey.company.com" with a public key value like "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDE...". This allows recipients to verify the digital signature on outgoing mail.
Finally, you set up a DMARC record at "_dmarc.company.com" with policy "v=DMARC1; p=quarantine; rua=mailto:dmarc@company.com". This tells mail servers to quarantine emails that fail authentication and send daily reports to your email. After all records are added, you test using command-line tools. You run `dig company.com TXT` and see the SPF record. You run `dig selector1._domainkey.company.com TXT` and confirm the DKIM key is present. Your company's email is now more secure, and domain verification is complete. This scenario shows how TXT records are used in a typical work setting.
Common Mistakes
Thinking TXT records can be used for any purpose without understanding their limitations.
TXT records have a 255-character limit per string and are not designed for large data or executable code. Using them for arbitrary content may cause truncation or parsing errors.
Use TXT records only for short text strings like tokens, policies, or keys. For larger data, consider other DNS record types or external storage.
Forgetting to enclose the TXT record value in quotes when editing a zone file.
Without quotes, the DNS parser may treat spaces as record separators, breaking the record or causing syntax errors.
Always place the entire text value inside double quotes, e.g., "v=spf1 include:_spf.example.com ~all".
Confusing TXT records with MX records for email routing.
MX records specify which mail servers receive email for a domain, while TXT records hold policies about email sending or verification. Using the wrong type will not work.
Use MX records for mail server addresses and TXT records for SPF, DKIM, DMARC, and other text-based policies.
Omitting the subdomain for DKIM or DMARC records.
DKIM uses a selector subdomain like s1._domainkey.example.com, and DMARC uses _dmarc.example.com. Adding them at the root domain level will not be found by mail servers.
Create the TXT record at the exact subdomain required by the protocol, such as 's1._domainkey' for DKIM or '_dmarc' for DMARC.
Exam Trap — Don't Get Fooled
{"trap":"In exam questions, you might be asked which DNS record type is used for SPF, and some options include 'MX' or 'CNAME' because they are also related to email. Learners sometimes pick MX because they associate it with email routing.","why_learners_choose_it":"MX records are directly responsible for email delivery, so it is easy to mistakenly think they also handle email security policies.
The word 'policy' may not immediately link to TXT.","how_to_avoid_it":"Remember that SPF, DKIM, and DMARC all require TXT records to store text policies. MX records only tell where to send mail, not who can send it.
When you see a question about email security or domain verification, the answer is TXT."
Step-by-Step Breakdown
Determine the purpose of the TXT record
Identify whether you need domain verification, SPF, DKIM, DMARC, or another policy. This determines the exact hostname and value to use.
Access the DNS management interface
Log into your domain registrar or DNS hosting provider (e.g., GoDaddy, Cloudflare, AWS Route 53). Locate the DNS settings or zone editor.
Add a new TXT record
Choose record type TXT. For the host/name, enter the appropriate subdomain (e.g., @ for root, or _dmarc for DMARC, or selector._domainkey for DKIM).
Enter the text value
Paste the exact text string provided by the service or required by the protocol. For SPF, it starts with 'v=spf1'. For DKIM, it starts with 'v=DKIM1; p='. Ensure quotes are used if manually editing a zone file.
Set the TTL (Time to Live)
Choose a TTL value. A shorter TTL (e.g., 300 seconds) is recommended during initial setup to allow quicker propagation if you need to make changes. Once finalized, a longer TTL (e.g., 3600) reduces DNS query load.
Save and verify the record
Click save. Then use command-line tools like `dig` or `nslookup` to query the record. For example: `dig example.com TXT` to see the SPF record. Confirm the value matches exactly.
Wait for propagation
DNS changes take time to propagate globally due to caching. It can take from a few minutes to 48 hours. During this time, the record may not be visible from all locations. Proceed to verification only after sufficient time.
Practical Mini-Lesson
TXT records are a core DNS record type that every IT professional should know how to configure and troubleshoot. In practice, you will encounter them most often when setting up email authentication or proving domain ownership for third-party services. Let us walk through the practical aspects.
First, understand that TXT records are stored in DNS zone files. A typical zone entry looks like: `@ IN TXT "v=spf1 include:_spf.google.com ~all"`. The `@` refers to the root domain, `IN` means Internet class, and `TXT` is the record type. The value in quotes is the text string. If the text is longer than 255 characters, you can split it into multiple quoted strings, but they will be concatenated. For example: `"first part" "second part"`. Some providers automatically handle this.
When configuring SPF, the record must start with "v=spf1" and can include mechanisms like `ip4:` for specific IPs, `include:` to reference another domain's SPF record, and `all` to define the default action. The `-all` means hard fail (reject), `~all` means soft fail (tag as suspicious), and `?all` means neutral. Be careful not to add more than 10 DNS lookups per SPF record, as many receiving servers will reject it. You can use online SPF validators to test your record.
For DKIM, you need to generate a public-private key pair using a tool or your email server. The public key goes into the TXT record at a unique selector subdomain. The selector is a name you choose, like `s1`, so the full hostname becomes `s1._domainkey.yourdomain.com`. The record value includes the key type and Base64-encoded key, for example: `"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDE..."`. The private key is kept on your mail server and used to sign outgoing messages.
DMARC is set at `_dmarc.yourdomain.com` and can have policies like `p=none` (monitor only), `p=quarantine` (send to spam), or `p=reject` (block). You can also add reporting addresses using `rua` (aggregate reports) and `ruf` (forensic reports). Start with `p=none` to observe, then tighten gradually.
Common pitfalls include exceeding the 255-character string limit, forgetting the quotes, and using the wrong hostname. Always double-check the exact value and hostname required by the service. Use tools like `dig TXT yourdomain.com` to verify. Propagation delays can cause frustration, so always wait and check from multiple locations.
What can go wrong? A typo in the SPF record can cause legitimate emails to be rejected. A missing DKIM selector can break email signature verification. An overly strict DMARC policy can block all email if SPF and DKIM are not properly aligned. Always test changes in a staging environment or with a small subset of users first.
TXT records are straightforward but require attention to detail. Mastering them will help you maintain email deliverability and security, and they are a common task in real-world IT support and administration.
Memory Tip
Think: 'TXT = Text', it stores text for policies, verification, and keys. Not for routing (MX) or addresses (A/AAAA).
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
N10-009CompTIA Network+ →200-301Cisco CCNA →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Frequently Asked Questions
Can I have multiple TXT records for the same domain?
Yes, you can have multiple TXT records for the same domain or subdomain. Each serves a different purpose, such as one for SPF, one for DKIM, and one for domain verification.
Does a TXT record affect website loading speed?
No, TXT records are only queried when specifically requested, such as during email authentication or domain verification. They do not affect normal website loading.
What happens if my TXT record is missing a semicolon or has a typo?
A typo can cause the protocol to fail. For example, a missing semicolon in a DKIM record can prevent signature verification. Always double-check the exact syntax required.
How long does it take for a TXT record to become active?
Propagation time depends on the TTL set for the record and caching by DNS resolvers. It can range from a few minutes to 48 hours. Using a low TTL (300 seconds) speeds up initial propagation.
Can I use a TXT record for a subdomain?
Yes, you can add TXT records for any subdomain, such as mail.example.com or _dmarc.example.com. Use the full hostname in the record's name field.
Is there a limit on how much text a TXT record can hold?
Each TXT record can hold multiple strings of up to 255 characters each. The total combined length is recommended to stay under 2048 characters for compatibility. Longer data may need to be split across multiple strings.
Summary
A TXT record is a versatile DNS resource record that stores text information for a domain. It is primarily used for domain ownership verification and email authentication protocols including SPF, DKIM, and DMARC. Understanding TXT records is essential for IT professionals who manage DNS settings, because misconfigurations can lead to email delivery failures or security gaps.
In the context of IT certifications, TXT records appear in CompTIA Network+, Security+, and Microsoft 365 exams. You must recognize that TXT records are the correct choice for storing policy strings and verification tokens, as opposed to MX or CNAME records. Exam questions often ask you to identify the purpose or proper configuration of a TXT record in a given scenario.
The key takeaway is that TXT records hold text, not addresses or routing information. They are simple to set up but require careful attention to syntax, length limits, and propagation times. When deploying email security, always start with a monitoring policy and test thoroughly. By mastering TXT records, you ensure that your domain is properly verified and that email communications remain secure and deliverable.