A TXT record stores arbitrary text strings under a hostname. It originally allowed free-form notes but is now the carrier for most domain-level metadata: ownership verification with platforms, email authentication policies, and a wide range of service-specific tokens. A single hostname can hold many TXT records.
Why it matters
TXT records are how the wider internet decides whether to trust your domain. SPF lists which servers may send mail for you, DKIM keys let receivers verify message signatures, and DMARC tells inboxes what to do when SPF or DKIM fails. Get these wrong and legitimate mail lands in spam, while attackers can spoof your domain. SaaS platforms also use TXT records to prove you control the domain before issuing certificates or enabling features.
How to check
- Inventory every TXT at the apex and on _dmarc, _domainkey, and provider-specific subdomains with dig TXT.
- Keep SPF under the 10 DNS lookup limit defined in RFC 7208; exceeding it causes SPF to fail open.
- Use one SPF record per domain; multiple SPF strings are an automatic permerror.
- Publish a separate DKIM selector per provider and rotate keys when staff or vendors change.
- Set a DMARC policy at _dmarc.example.com, start at p=none for monitoring, then move to quarantine or reject.
- Remove stale verification tokens when vendors change; old records are clutter and a soft information leak.
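The SPF and DMARC items above can be checked mechanically once the TXT strings are collected. The following is an added example, not part of the original page: it audits a constructed in-memory zone (the hostnames, the ZONE table and the function names are assumptions) by counting lookup-costing SPF terms through nested include: and redirect= targets, rejecting duplicate SPF records, and reading the DMARC p= tag.

```python
import re

# Constructed sample data (not real DNS answers): hostname -> TXT strings.
ZONE = {
    "example.com": ["v=spf1 include:mail.example include:crm.example mx -all",
                    "verify=constructed-token"],
    "mail.example": ["v=spf1 include:a.mail.example a ~all"],
    "a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "crm.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],
}
# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4, ip6 and all do not.
MECH = re.compile(r"^(?:[+\-~?]?(include|a|mx|ptr|exists)(?::([^/]+))?(?:/.*)?|redirect=(.+))$", re.I)

def count_lookups(name, seen=()):
    """Count lookup-costing terms, following include: and redirect= recursively."""
    # SPF records are TXT strings whose first token is exactly v=spf1.
    recs = [t for t in ZONE.get(name.lower(), []) if t.lower().split(" ")[0] == "v=spf1"]
    if name in seen or len(recs) != 1:
        why = "include loop" if name in seen else f"{len(recs)} SPF records, need exactly one"
        raise ValueError(f"{name}: {why}")
    total = 0
    for term in recs[0].split()[1:]:
        m = MECH.match(term)
        if not m:
            continue
        total += 1
        # Only include: and redirect= pull in another SPF record to evaluate.
        target = m.group(3) or (m.group(2) if m.group(1).lower() == "include" else None)
        if target:
            total += count_lookups(target, seen + (name,))
    return total

def dmarc_policy(domain):
    """p= tag of the DMARC record at _dmarc.<domain>, or None if absent."""
    for txt in ZONE.get(f"_dmarc.{domain}", []):
        tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
        if tags.get("v") == "DMARC1":
            return tags.get("p")

def audit(domain):
    """Findings for the SPF and DMARC checklist items."""
    findings = []
    try:
        if (n := count_lookups(domain)) > 10:
            findings.append(f"SPF needs {n} DNS lookups, limit is 10")
    except ValueError as err:
        findings.append(str(err))
    if (policy := dmarc_policy(domain)) in (None, "none"):
        findings.append(f"DMARC not enforcing (p={policy})")
    return findings
```

To run it against a live domain, fill ZONE from dig TXT output for the apex, every include target and the _dmarc name.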