
What is a TXT Record in DNS?

Published on April 3, 2024

Have you ever wondered how your computer knows a website is legitimate? Or how your email provider knows to automatically flag emails from specific senders as spam or otherwise malicious? DNS TXT records play a role in authentication, helping keep you and other internet users safe from attackers. 

DNS, or the Domain Name System, is how your computer can take a domain name like CBTNuggets.com and navigate to the server hosting the site. If your browser or operating system doesn’t know the IP address, your computer will ask the nearest available DNS server, which will either provide the answer or ask another DNS server up the chain. Think of it as you either know a person, or you know someone who knows the person, and they can help you contact whomever you’re trying to speak with. 

This article will discuss what DNS TXT records are, how they’re created and modified, and what information they contain. We’ll also discuss some best practices and troubleshooting tips. Throughout the article, we’ll highlight some additional resources so you can learn more about DNS and other networking concepts.

Why are DNS TXT Records Important?

While most DNS records deal with helping your computer navigate to the intended server, DNS TXT records provide additional information about the server, and they can do so in plaintext. This additional information usually includes some form of authentication, whether confirming ownership or establishing other authentication methods. 

For example, a DNS TXT record on a mail server might be used to set up Sender Policy Framework (SPF) or authentication using DomainKeys Identified Mail (DKIM), both of which help protect against malicious activities like email spoofing.




TXT Records In Action

Now, let’s look at finding, configuring, and modifying DNS TXT records. Since there are multiple ways to host your website (whether through a provider or managing your own web server), the exact instructions will differ depending on how you host your website. Our instructions here assume you host your site through a provider and not your own server.

Log in to your account, and then navigate to the control panel of the domain for which you want to create a TXT record. You should see an option to create a new DNS record and be able to specify TXT as the record type. When creating your TXT record, you will need to enter a name for the record, a value, and a TTL (time to live) for this new record.

Modifying existing DNS TXT records will follow a similar process. The main difference is that you will want to use the “edit” button rather than the “add” or “create” button. Whether you’re modifying existing records or creating a new record, your changes will need to wait for the propagation period to take effect. This period may take anywhere between a few minutes and a few hours. 

Another important piece of information is that DNS TXT records usually have a character limit. Depending on your end goal, you can create additional TXT records. If multiple TXT records aren’t feasible, you may need to consider alternate methods. 

So, what exactly can you use DNS TXT records for? As we mentioned earlier, some of the most common uses of DNS TXT records are for authentication and safety protocols like SPF and DKIM. DNS TXT records can also be used to set up DMARC, or Domain-based Message Authentication, Reporting, and Conformance, which determines what to do with email messages that fail authentication methods.

SPF Records: A Deep Dive With TXT

We’ve mentioned SPF records in this article, but what are they? Sender Policy Framework records are used to state which mail servers are allowed to send messages on behalf of a domain.

For example, the SPF records for CBTNuggets.com will specify which mail server(s) can send emails to our subscribers, and our subscribers’ email service providers will verify that emails coming from CBTNuggets.com were sent from one of the listed mail servers. 

SPF records have to follow a specific format for servers to read them properly. That format is as follows:

    v=spf1 ip4:10.0.0.0 ip4:10.1.1.1 include:test.email -all

Let’s break this down. First, we see v=spf1, which is how SPF records must begin to inform servers of the record type. Then we see two IP addresses. These IPs specify the mail servers emails can be sent through. The IP addresses will change to match those of the authorized mail servers, so there’s no need to focus on the IPs in this example. 

The string include:test.email is used to specify any authorized third-party domains that may be allowed to send email on behalf of the primary domain. Finally, the “-all” tag informs the server that any IPs or domains not listed are to be considered unauthorized.

DKIM Signatures: Enhancing Email Security in TXT Records

DKIM, or DomainKeys Identified Mail, is a digital signature used to authenticate an email sender’s identity. When you receive an email, your email provider validates the signature in the email header against the DKIM signature listed in the TXT records of the domain’s DNS server. DKIM records must contain the following information:

“v=” is used to specify the version of DKIM signature.

“a=” is used to specify the algorithm being used, which is usually rsa-sha256.

“d=” states the domain name associated with the signature.

“s=” states the selector the receiving server should use when verifying against the DNS record.

“h=” specifies the headers used to create the hash.

“bh=” is the hash of the email body. 

“b=” is the actual signature. This is a long string of seemingly random text. 
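The tags above travel in the DKIM-Signature header of each message, and a verifier combines s= and d= into the DNS name `<selector>._domainkey.<domain>` to find the TXT record to check against. The following added example (not from the original article) parses such a header, enforces the seven tags listed, and derives that lookup name; the header, the selector mail2024 and the domain example.com are constructed, and the bh= and b= values are placeholders.

```python
import re

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")

# Constructed header for illustration; bh= and b= are placeholders, not real values.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2024;\r\n"
    "\th=from:to:subject:date;\r\n"
    "\tbh=PLACEHOLDERBODYHASH=;\r\n"
    "\tb=PLACEHOLDER\r\n"
    "\t SIGNATURE=="
)


def parse_dkim_signature(header):
    """Split a DKIM-Signature header into its tag=value pairs."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue                     # a trailing ';' is allowed
        tag, sep, val = part.partition("=")
        tag = tag.strip()
        if not sep or not tag:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        if tag in tags:
            raise ValueError(f"duplicate tag: {tag}")
        # Line folding inside a value (common in h= and b=) is not significant.
        tags[tag] = re.sub(r"\s+", "", val)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise ValueError("missing required tags: " + ", ".join(missing))
    return tags


def dkim_txt_name(tags):
    """DNS name whose TXT record the verifier fetches for this signature."""
    return f"{tags['s']}._domainkey.{tags['d']}"
```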

Beyond Email: Additional Uses of TXT Records

We briefly mentioned above that TXT records can also be used to set up DMARC, or Domain-based Message Authentication, Reporting, and Conformance. SPF and DKIM are used to verify email sender identity and email authenticity, but what should you do with messages that fail those authentication methods? DMARC records look similar to SPF and DKIM records, and specify things like where emails should be sent after failing authentication. 

What are Some Best Practices for TXT Record Management?

The key to effective use of TXT records is ensuring the use of proper syntax, formatting, and regular auditing. Configuring SPF, DKIM, and DMARC in your TXT records can be a great use of the TXT records, but the policies should be reviewed frequently enough to confirm the settings still match the needs of your website. 

It’s also important to ensure that your TXT records conform to the requirements of any third-party organizations that might be collaborating with your site. For example, if you’re authorizing a third-party organization to send email on your behalf, make sure you specify the correct domain in your SPF records. 

How to Troubleshoot TXT Record Issues

Configuring DNS TXT records is usually a well-documented process, and you should be able to find detailed information on your hosting provider’s website. However, if you are having trouble, there are several troubleshooting steps you can take.

First, verify your formatting is correct. Check for missing quotation marks or “=” equals signs. Also, check for any typos in any listed domains or IP addresses. Something else you should check is the DNS propagation period. If you are experiencing issues with recent changes, the changes may not have taken effect just yet. 

You can use some networking tools, like the “dig” command, to validate whether your changes have propagated. If you still have issues, contact your hosting provider for advanced troubleshooting assistance. 
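The formatting checks described above can be automated before a record is published. This added example (not from the original article) lints SPF and DMARC TXT values for the mistakes named in this section, plus the 255-byte limit on a single TXT string; the sample values in the usage note are constructed, and SPF macros are not handled.

```python
import ipaddress
import re

# Shape check for a hostname only; nothing is resolved.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def lint_txt(values):
    """Return a list of problems found in a set of SPF/DMARC TXT values."""
    problems = []
    spf = [v for v in values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        problems.append("more than one v=spf1 record")
    for value in values:
        if len(value.encode()) > 255:
            problems.append("value exceeds 255 bytes and must be split into several strings")
        if value.count('"') % 2:
            problems.append("unbalanced quotation mark in value")
    for record in spf:
        terms = record.split()[1:]
        for term in terms:
            name, _, arg = term.lstrip("+-~?").partition(":")
            if name.lower() == "ip4":
                try:
                    ipaddress.IPv4Network(arg, strict=False)
                except ValueError:
                    problems.append(f"bad ip4 value: {arg!r}")
            elif name.lower() == "include" and not DOMAIN_RE.match(arg):
                problems.append(f"bad include domain: {arg!r}")
        last = terms[-1].lstrip("+-~?").lower() if terms else ""
        if last != "all" and not last.startswith("redirect="):
            problems.append("SPF record does not end with an 'all' term")
    for value in values:
        if value.lower().replace(" ", "").startswith("v=dmarc1"):
            for part in filter(None, (p.strip() for p in value.split(";"))):
                if "=" not in part:
                    problems.append(f"DMARC tag without '=': {part!r}")
    return problems
```

For instance, `lint_txt(["v=spf1 ip4:10.0.0.0 ip4:10.1.1.256 include:test,email -all"])` reports the out-of-range octet and the comma typed in place of a dot.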

Security Considerations for TXT Records

Implementing DNSSEC is a great way to safeguard your DNS TXT records. DNSSEC, or DNS Security Extensions, are additional authentication methods you can implement to allow users to further validate whether DNS records are truly coming from your server. 

DNSSEC is just one more digital signature, used to verify your identity and certify that DNS records obtained by users originated from your DNS server. To learn how to implement DNSSEC, check your hosting provider’s site for instructions.

Conclusion

DNS TXT records are an additional form of DNS records. These records can be used to configure security features like DKIM, DMARC, and SPF, all of which can help certify email authentication. While configuring DNS TXT records may initially seem intimidating, your hosting provider likely provides detailed instructions. Troubleshooting DNS TXT record issues is also relatively straightforward and can be done with some assistance from your hosting provider. 

To learn more about DNS records and networking, check out CBT Nuggets network administrator certification training. 

