TXT Records: a beginner's guide
Get TXT records including verification entries
TXT records: the sticky-note section of DNS
A TXT record is the simplest possible DNS record type: it just holds an arbitrary string of text. There is no defined format, no required structure, and no specific purpose baked into the protocol. TXT records were originally added to DNS in the 1980s for human-readable annotations, like a sticky note attached to a domain. Almost immediately, the rest of the internet started using TXT records for everything except the original purpose. Today, TXT records are how dozens of unrelated systems prove ownership, publish policies, and exchange machine-readable instructions through DNS — including SPF, DKIM, DMARC, BIMI, MTA-STS, ACME challenges (used by Let's Encrypt), and the "prove you own this domain" verification step for every SaaS product on earth.
You should care because the TXT records on your domain accumulate quietly over time and tell a more interesting story than most people realize. Every time someone in your company signed up for a new SaaS tool that needed domain verification — Google Search Console, Atlassian, Zoom, Microsoft 365, Apple Business Manager, every new email service — a new TXT record was added. Many of those records are still there, even after the service was abandoned. Some of them are SPF records that have grown unmaintainable. Some are old, broken DMARC records pointing at email addresses that no longer exist. The TXT section of any production domain is an archaeological dig site of every decision the organization has ever made about email and verifications.
The five things every TXT record check looks at:
What records exist? A surprising fraction of organizations have no idea what is in their TXT records until they look.
Which records are SPF, DKIM, DMARC, BIMI, or MTA-STS? These are the high-stakes ones — the email-authentication rulebooks.
Which records are domain-verification handshakes? Things like `google-site-verification=...`, `MS=ms12345`, or `atlassian-domain-verification=...` are leftover from one-time setup steps and almost always still in production years later.
Are there any duplicate or conflicting records? Two SPF records is a permanent error. Two DMARC records is a permanent error. Stale duplicates are surprisingly common.
Is the total size reasonable? Each TXT record can be up to 255 characters per string and can have multiple strings, but DNS responses overall have practical size limits. Bloated TXT sections can cause subtle resolver issues.
Three questions a TXT record check answers:
What is actually in my domain's TXT records right now, including the records I've forgotten about?
Are there any duplicate or conflicting records that are silently breaking SPF or DMARC?
Which old verification records can I safely delete because the underlying service is long gone?
The cost of ignoring TXT records is the slow accumulation of cruft until the day a duplicate breaks SPF or DMARC and your email starts going to spam. The fix is an annual cleanup pass — dump the TXT records, identify each one, delete the orphans, and document what's left. It's the kind of DNS hygiene that pays compounding dividends in fewer mystery deliverability problems.
The TXT Records endpoint, in plain language
In one sentence: Get TXT records including verification entries
Retrieves all TXT records for a domain including SPF (Sender Policy Framework), domain verification tokens, and custom entries. Parses and categorizes records by purpose for easy analysis. Identifies verification tokens for 15+ services including Google, Microsoft, Facebook, Apple, Atlassian, DocuSign, and Stripe.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Queries all TXT records and categorizes them by type: SPF (Sender Policy Framework) records, DKIM (DomainKeys Identified Mail) selectors, domain verification tokens (Google, Facebook, Microsoft, Apple, Atlassian, DocuSign, Stripe, and more), DMARC (Domain-based Message Authentication, Reporting and Conformance) references, BIMI (Brand Indicators for Message Identification) records, MTA-STS (Mail Transfer Agent Strict Transport Security) transport security records, and custom application-specific entries. Returns raw values with parsed metadata.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the TXT Records tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
TXT records are the most overloaded DNS (Domain Name System) record type — a single domain may have 10+ TXT records for different purposes. EdgeDNS categorizes each record by purpose, saving hours of manual analysis. Critical for troubleshooting email authentication, discovering third-party integrations, and mapping the external attack surface.
Picture this in real life. Imagine an email administrator. Here's the situation they're walking into: Review all TXT records to ensure SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and other email security records are properly configured. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the TXT Records tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the TXT Records tool is built for you:
Is my domain pointing to the right place right now?
Did the DNS change I just made actually take effect everywhere in the world?
Is anything in my DNS misconfigured in a way that could break email or break the website?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Founders running their own infrastructure, marketers coordinating launches, IT admins inheriting domains from a former employee, and ops engineers troubleshooting live outages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you're flying blind on the one piece of config that decides whether your website and email work at all. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the free plan. The technical details: `GET /v1/dns/txt`.
When would I actually use this?
If you're still on the fence about whether the TXT Records tool belongs in your toolbox, this section is for you. Below you'll meet three real people — an email administrator, a security analyst, and an IT administrator — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Email Authentication Audit
Imagine you're an email administrator. Review all TXT records to ensure SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and other email security records are properly configured.
Why it matters: Identify missing or misconfigured email authentication records before they cause delivery issues.
Story 2: Third-Party Integration Discovery
Imagine you're a security analyst. Analyze domain verification TXT records to discover all third-party services with domain access — Google Workspace, Microsoft 365, Atlassian, DocuSign, Stripe, and more. Map the external attack surface.
Why it matters: Complete visibility into third-party service integrations without requiring internal documentation.
Story 3: DNS Cleanup
Imagine you're an IT administrator. Identify outdated verification records from discontinued services cluttering DNS (Domain Name System).
Why it matters: Reduce DNS (Domain Name System) complexity and eliminate verification records for discontinued services that could be exploited for subdomain takeover.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the TXT Records tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Right before launching a new website or migrating to a new host.
After making any DNS change, to confirm the new settings are live everywhere.
When customers report that your site or email "just stopped working" out of nowhere.
As a recurring monthly health check to catch silent misconfigurations early.
If you can see yourself in even one of those bullets, the TXT Records tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the TXT Records tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the TXT Records tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
"https://api.edgedns.dev/v1/dns/txt?domain=example.com"What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
domain | string | Yes | The domain to query TXT records for | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
domain | string | The queried domain |
records | array | All TXT records with value, category, TTL (time to live), and verification service |
has_spf | boolean | Whether domain has an SPF (Sender Policy Framework) record |
has_dmarc | boolean | Whether domain has a DMARC (Domain-based Message Authentication, Reporting and Conformance) record |
has_bimi | boolean | Whether domain has a BIMI (Brand Indicators for Message Identification) record |
has_mta_sts | boolean | Whether domain has MTA-STS (Mail Transfer Agent Strict Transport Security) configured |
spf_record | string | Raw SPF (Sender Policy Framework) record value if present |
dmarc_record | string | Raw DMARC (Domain-based Message Authentication, Reporting and Conformance) record value if present |
has_multiple_spf | boolean | Whether multiple SPF (Sender Policy Framework) records exist (the official internet standard violation causing permerror) |
verification_tokens | array | Detected domain verification tokens with service name |
record_count | number | Total number of TXT records found |
recommendations | array | Actionable recommendations (e.g., merge multiple SPF (Sender Policy Framework) records to avoid permerror) |
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.
SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.
DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.
BIMI (Brand Indicators for Message Identification) — A standard that lets your company logo appear next to your emails in supported inboxes — but only after you've already set up DMARC properly.
MTA-STS (Mail Transfer Agent Strict Transport Security) — A way to tell other mail servers "always use encryption when sending email to me, and refuse to fall back to unencrypted delivery."
Need Programmatic Access?
Automate domain intelligence with 100+ API endpoints and a free MCP server for AI integration.