TXT Records
free/v1/dns/txtRetrieves all TXT records for a domain including SPF, domain verification tokens, and custom entries. Parses and categorizes records by purpose for easy analysis. Identifies verification tokens for 15+ services including Google, Microsoft, Facebook, Apple, Atlassian, DocuSign, and Stripe.
What It Does
Queries all TXT records at the apex and categorizes them: SPF, DKIM, domain verification tokens (Google, Facebook, Microsoft, Apple, Atlassian, DocuSign, Stripe, and 25+ more), DMARC at `_dmarc`, BIMI at `default._bimi`, MTA-STS at `_mta-sts`, and custom entries. Probes ~30 common DKIM selectors in parallel (`google._domainkey`, `selector1._domainkey`, `s1._domainkey`, `k1._domainkey`, `pm._domainkey`, etc.) and surfaces every selector that returns a `v=DKIM1` record (RFC 6376) — the only reliable way to answer "is DKIM configured?" without prior knowledge of the selector name. Detects stale `_acme-challenge` TXT tokens left over from prior ACME (RFC 8555) issuance — a hygiene smell that contributes to zone-hygiene scoring.
Why It's Useful
TXT records are the most overloaded DNS record type — a single domain may have 10+ records for different purposes. Categorization saves manual analysis. The DKIM selector probe is the most-requested email-deliverability feature gap in DNS tooling: the selector name is sender-specific and unknown without context, so DKIM is invisible to plain `dig`. Stale-ACME detection catches a real hygiene smell that often goes unnoticed. The result is a single call that answers "is this domain's email-auth and zone hygiene in good shape?"
Use Cases
Email Authentication Audit
Review all TXT records to ensure SPF, DKIM, and other email security records are properly configured.
Identify missing or misconfigured email authentication records before they cause delivery issues.
Third-Party Integration Discovery
Analyze domain verification TXT records to discover all third-party services with domain access — Google Workspace, Microsoft 365, Atlassian, DocuSign, Stripe, and more. Map the external attack surface.
Complete visibility into third-party service integrations without requiring internal documentation.
DNS Cleanup
Identify outdated verification records from discontinued services cluttering DNS.
Reduce DNS complexity and eliminate verification records for discontinued services that could be exploited for subdomain takeover.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The domain to query TXT records forExample: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
domain | string | The queried domain |
records | array | All TXT records with value, category, TTL, and verification service |
has_spf | boolean | Whether domain has an SPF record |
has_dmarc | boolean | Whether domain has a DMARC record |
has_bimi | boolean | Whether domain has a BIMI record |
has_mta_sts | boolean | Whether domain has MTA-STS configured |
has_dkim | boolean | True if the common-selector probe found at least one DKIM record (RFC 6376) |
dkim_selectors_found | array | Each detected selector with `selector` (e.g., "google", "selector1"), `sender` (likely originating service, e.g., "Google Workspace", "Microsoft 365"), and `record` (the v=DKIM1 record) |
has_stale_acme_challenge | boolean | True if a `_acme-challenge.<domain>` TXT record exists at the apex — usually leftover from past ACME (RFC 8555) issuance and should be removed |
acme_challenge_records | array | Raw values of any stale `_acme-challenge` TXT records |
spf_record | string | Raw SPF record value if present |
dmarc_record | string | Raw DMARC record value if present |
has_multiple_spf | boolean | Whether multiple SPF records exist (RFC 7208 violation causing permerror) |
verification_tokens | array | Detected domain verification tokens with service name |
record_count | number | Total number of TXT records found |
recommendations | array | Actionable recommendations (multi-SPF merge, +all hardening, missing DMARC, missing DKIM, stale ACME tokens) |
linked_endpoints | array | Suggested follow-up endpoints (/v1/security/spf, /v1/security/dmarc, /v1/security/dkim) for full email-stack analysis |
Code Examples
curl "https://api.edgedns.dev/v1/dns/txt" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d "domain=example.com"const response = await fetch(
'https://api.edgedns.dev/v1/dns/txt?domain=example.com',
{
headers: {
'Authorization': 'Bearer YOUR_API_KEY'
}
}
);
const data = await response.json();
console.log(data);import requests
response = requests.get(
'https://api.edgedns.dev/v1/dns/txt',
headers={'Authorization': 'Bearer YOUR_API_KEY'},
params={
'domain': 'example.com'
}
)
data = response.json()
print(data)Read the full TXT Records guide
Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.
Read the guide →Related Endpoints
External References
Learn more about the standards and protocols behind this endpoint.