TXT Records: SPF, DKIM, DMARC and Beyond
Learn what TXT records are, how they are used for SPF, DKIM, DMARC and domain verification, and how to avoid common TXT record mistakes.
Introduction
TXT records are DNS records that store text values for a domain or subdomain. They are widely used for email authentication, domain verification, security policies and service configuration.
For many domain owners, TXT records become important when setting up SPF, DKIM, DMARC, Google Workspace, Microsoft 365, website builders, SSL validation or third-party SaaS platforms. A small TXT record mistake can cause email authentication failures, verification errors or deliverability problems.
Quick answer
A TXT record stores text-based information in DNS. Common TXT records include SPF records for allowed senders, DKIM public keys for email signatures, DMARC policies for email authentication handling, and verification records for services like Google, Microsoft, SSL providers and SaaS platforms.
What is a TXT record?
A TXT record is a DNS record that stores text data for a domain or subdomain. Other systems can read this text to verify ownership, check email authentication, or apply domain-related policies.
example.com TXT "v=spf1 include:_spf.example.net ~all"
In this example, the TXT record contains an SPF policy that tells mail servers which systems are allowed to send email for the domain.
TXT records are flexible, but the value must match the exact format required by the service using it.
What TXT records are used for
SPF records
TXT records define which mail servers are allowed to send email for a domain.
DKIM records
TXT records store public keys used to verify signed outgoing email.
DMARC records
TXT records define a domain’s DMARC policy and reporting addresses.
Domain verification
TXT records prove domain ownership to services such as Google, Microsoft, SSL providers, SaaS tools and website platforms.
Security and policy records
Some security standards and provider features use TXT records for reporting, validation or policy discovery.
Service configuration
Third-party platforms may ask you to add TXT records to connect or verify a domain.
TXT records for SPF
SPF is published as a TXT record, usually at the root domain. It lists the servers or providers allowed to send email for the domain.
example.com TXT "v=spf1 include:_spf.google.com ~all"
A domain should normally have only one SPF TXT record. Multiple SPF records can cause SPF validation to fail.
Do not copy this example directly unless your domain actually sends mail through that provider. SPF records must match your real sending services.
TXT records for DKIM
DKIM records store public keys used to verify that outgoing email was signed by an authorized mail system. DKIM records are usually published under a selector hostname.
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE"
Your email provider usually gives the DKIM selector and value. The selector may be named default, google, selector1, selector2, k1 or something provider-specific.
DKIM values can be long. Make sure the full key is saved correctly and not truncated by the DNS panel.
TXT records for DMARC
DMARC is published as a TXT record at _dmarc.yourdomain.com. It tells receiving mail servers how to handle messages that fail SPF or DKIM alignment.
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
A p=none policy is often used for monitoring. Stronger policies such as quarantine or reject should be applied carefully after reviewing legitimate mail sources.
TXT records for domain verification
Many services ask you to add a TXT record to prove that you control a domain. This is common for email providers, analytics tools, website builders, SSL validation and SaaS platforms.
google-site-verification=example_token
MS=ms12345678
provider-verification=example_token
Verification TXT records usually do not affect website routing or email delivery, but removing them too early can cause a connected service to lose verification.
Why this matters
TXT records matter because they are often used to prove domain ownership and protect email identity. Incorrect TXT records can cause SPF, DKIM or DMARC failures, prevent a provider from verifying your domain, or make email troubleshooting harder.
TXT records do not usually point a website to a server. Website routing is normally handled by A, AAAA or CNAME records.
How to check TXT records
Use DNS Lookup to see TXT records published for a domain or subdomain. For email authentication, use focused tools such as SPF Checker, DKIM Checker and DMARC Checker.
What to compare
When checking TXT records, compare these five values.
Hostname
The exact hostname where the TXT record should exist, such as example.com, _dmarc.example.com or selector1._domainkey.example.com.
Current TXT value
The text currently returned by public DNS.
Expected provider value
The exact value required by your email provider, SaaS platform or verification service.
Record purpose
Whether the TXT record is for SPF, DKIM, DMARC, verification or another service.
Active nameserver
The DNS provider currently controlling the live DNS zone.
If a TXT record is not visible publicly, first confirm that it was added at the active DNS provider and under the correct hostname.
Check TXT records now
Use DNS Lookup to inspect TXT records for your domain, SPF, DKIM, DMARC and verification setup.
Common TXT record problems
Multiple SPF records
HighA domain should normally publish only one SPF record. Multiple SPF TXT records can cause SPF validation to fail.
Next step: Merge allowed senders into one valid SPF record.
TXT record added to the wrong hostname
HighThe record may be added at example.com when it should be at _dmarc.example.com or selector._domainkey.example.com.
Next step: Check the exact hostname required by the provider.
DKIM key is missing or truncated
HighA DKIM public key may be incomplete, split incorrectly or not published under the expected selector.
Next step: Copy the full DKIM value from your email provider and verify the selector.
DMARC record missing
MediumThe domain does not publish a DMARC policy.
Next step: Add a DMARC TXT record at _dmarc.example.com and start with a monitoring policy if appropriate.
Verification record not found
MediumA service cannot verify the domain because the TXT record is missing, incorrect or added at the wrong provider.
Next step: Compare the exact token with the provider instructions and check active nameservers.
SPF record too complex
MediumSPF can fail if it exceeds DNS lookup limits or includes too many unnecessary providers.
Next step: Review includes and remove old sending services.
Old verification records remain
LowOld TXT records from unused services may clutter the DNS zone and make audits harder.
Next step: Remove only records you are sure are no longer required.
Quotes or formatting are wrong
MediumSome DNS panels handle quotes, line splitting or long TXT values differently.
Next step: Confirm the value saved in DNS matches what public DNS returns.
How to configure or fix TXT records
-
Identify the record purpose
Confirm whether the TXT record is for SPF, DKIM, DMARC, verification, SSL validation or another service.
-
Confirm the exact hostname
TXT records may be required at different hostnames, such as the root domain, _dmarc, or a DKIM selector under _domainkey.
example.com _dmarc.example.com selector1._domainkey.example.com -
Copy the exact provider value
Use the exact value from your email provider, SaaS platform or verification service. Do not rewrite tokens or keys manually.
-
Confirm where DNS is hosted
Check active nameservers and add the TXT record at the provider controlling the live DNS zone.
-
Avoid duplicate SPF records
If adding SPF, update the existing SPF TXT record instead of creating a second one.
-
Save and verify publicly
After saving the record, use DNS Lookup or the relevant checker to confirm that public DNS returns the expected value.
-
Keep required verification records
Do not remove verification records unless you are sure the connected service no longer needs them.
TXT record examples
example.com. 3600 IN TXT "v=spf1 include:_spf.example.net ~all"
selector1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE"
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
example.com. 3600 IN TXT "google-site-verification=example_token"
dig example.com TXT
dig _dmarc.example.com TXT
dig selector1._domainkey.example.com TXT
These are examples only. Replace hostnames, providers, tokens and keys with values from your email or service provider.
TXT records and email deliverability
TXT records do not guarantee inbox placement, but they are a key part of email authentication. SPF, DKIM and DMARC help receiving mail servers understand whether a message is authorized and aligned with the sending domain.
If email delivery is poor, TXT records are only one part of the investigation. Also check MX records, reverse DNS, blacklist status, sending reputation, bounce messages and email content.
TXT records during migrations
TXT records are often forgotten during DNS and hosting migrations. A website may continue working after a migration, but email authentication or domain verification may fail if TXT records were not copied.
Before changing nameservers or moving DNS zones, copy:
- SPF records
- DKIM records
- DMARC records
- Google/Microsoft verification records
- SSL validation records
- SaaS verification records
- any provider-specific TXT records still in use
After migration, compare the old DNS zone with the new live DNS zone.
Frequently asked questions
What is a TXT record used for?
TXT records store text values used for email authentication, domain verification, security policies and provider-specific configuration.
Can a domain have multiple TXT records?
Yes. A domain can have multiple TXT records for different purposes. However, it should normally have only one SPF record.
Is SPF a TXT record?
Yes. SPF is published as a TXT record, usually at the root domain.
Where is a DMARC TXT record added?
A DMARC record is added at _dmarc.yourdomain.com.
Where is a DKIM TXT record added?
A DKIM record is added at a selector hostname under _domainkey, such as selector1._domainkey.example.com.
Can TXT records break my website?
Usually no. Website routing is normally controlled by A, AAAA or CNAME records. However, wrong TXT records can affect email authentication or provider verification.
Why is my TXT record not found?
Common reasons include adding it at the wrong hostname, editing DNS at the wrong provider, waiting for cache propagation, or copying the value incorrectly.
Should I remove old TXT records?
Only remove TXT records when you are sure the related service is no longer used. Removing active verification or authentication records can break connected services.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all DNS & Domain guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!