This is the fifth installment In the of a ten-part series outlining the ten most common Domain Name System (DNS) Records. In this article I will examine TXT Records, or Text Records. Find links below to the previous articles:
- In the fourth article I examined MX Records
- In the third article I examined CNAME Records
- In the second article I discussed the AAAA Records
- In the first article I discussed the A Records
TXT Records are a DNS Record which contains text that is used for external verification. These records can be used for various purposes, like verifying domain ownership. For example, as a domain investor, when I list my domain names for sale on an auction website, I often have to add a text record to a domain; this text record is a unique identifier linked to my username on the auction site. Auction site administrators can then query the DNS and verify that text record is present, thereby confirming domain ownership because I have control over the domain’s DNS.
For domains that have hosted email routed through them, TXT Records can be used to boost Email Security for that domain.
Four Types of TXT Records that Boost Domain Email Security
Sender Policy Framework (SPF) records
SPF Records protect your domain from being used to send spam. Spammers can send “spoofing emails”, these are emails that appear to be sent by a sender (perhaps one you know), by forging the
from field. For example, the email address in the
from field may say the sender is Bob Johnson (or firstname.lastname@example.org); but if you hover over (or right click, depending on the mail client) the
from sender, it will reveal the actual
from email address. Here’s an actual spam message I received which has been cleaned up by my mail client – the orginal
from sender said Gregory LaVicka, just like the email signature.
By adding a Sender Policy Framework (SPF) record to your domain host, it tells the receiving mail server that the email comes from your domain, and is not spam. SPF Records work hand-in-hand with DKIM.
Below is an example character string from a TXT record used for SPF:
"v=spf1 ip5:220.127.116.11/24 ip4:18.104.22.168 a -all"
Domain Keys Identified Mail (DKIM)
DKIM TXT Record adds encryption in the header of all outgoing emails on your domain. Email servers that get signed messages use DKIM to decrypt the message header. It also verifies the message was not changed after it was sent. You can read more about DKIM header detail in this article by Return Path.
Below is an example character string from a TXT record used for DKIM:
"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKK68hawSd8zpsDz77ntGCR0X2mHVvkf0WEOIqaspaG/A5IGxieiWer+wBX8lW2tE4NHTE0PLhHqL0uD2sif2pKoPR3Wr6n/rbiihGYCIzvuY4/U5GigNUGls/QUbCPRyzho30wIDAQAB"
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
A domain’s email reputation can be negatively impacted if users who receive email from that domain name mark the message as “spam”. DMARC authentication gives the domain name owner control over SPF and DKIM policies. Spammers may forge the
from address on email messages to make messages appear to come from your domain. If users who get the forged emails mark them spam, mail rules that examine incoming mail will start marking messages coming from your domain as spam.
Below is an example character string from a TXT record used for DMARC:
SMTP Mail Transfer Agent Strict Transport Security (MTA-STS)
Simple Mail Transfer Protocol (SMTP) is susceptible to man-in-the-middle attacks. A man-in-the-middle attack is where communication between two servers is intercepted and possibly changed. MTA-STS increases security for SMTP connections by requiring authentication checks and encryption for email sent to your domain. This works only when both sending and receiving servers use this standard. For additional reading, MTS-STS is governed by RFC 8461.
Below is an example character string from a TXT record used for MTA-STS
_mta-sts.mydomain.com IN TXT v=STSv1; id=20160831085700Z
Adding a TXT record
To add a TXT record to your domain name, go to your DNS provider’s website and select edit your domain’s DNS Records. You will have four fields to populate.
- Type – this is the type of DNS Record you want to add. Select TXT.
- Host – this is typically your domain. Many providers allow or require you to type in
@to refer to “yourdomain.com
- TXT Value – any printable ASCII characters is permitted for the attribute name. Maximum value is 255 characters.
- TTL – this is how long this record would live on the server (with current settings) should you ever update it or change it. I wrote extensively on TTL in this article.
For further reading, RFC 1464 governs TXT Records.
Next in the DNS Records Series I will discuss the SRV Record. If you’ve enjoyed this article, please like and follow us on Facebook, Twitter, and LinkedIn.