Skip to main content
DNS

TXT Record Lookup

Free TXT record lookup tool. Verify SPF, DKIM, DMARC, domain ownership, and verification tokens in your browser via Cloudflare DoH. No signup.

Enter a domain above to query its DNS records.

What Is a TXT Record?

A TXT (Text) record is a DNS entry that stores arbitrary text strings attached to a domain name. Defined in RFC 1035 §3.3.14 and refined in RFC 1464, TXT records were originally meant for human-readable annotations, but in modern DNS they carry the entire email authentication stack — SPF, DKIM, DMARC, MTA-STS, BIMI — plus domain ownership tokens for hundreds of SaaS services.

This lookup queries TXT records directly via Cloudflare's DNS-over-HTTPS resolver and inspects each string for known patterns: SPF, DKIM, DMARC, MTA-STS, BIMI, and verification tokens are flagged inline so you can find what you're looking for without grep. No signup, no logs, results in under 100 ms.

TXT Records You'll See in the Wild

The vast majority of TXT records belong to one of these categories:

Prefix / patternWhat it isWhere to look
v=spf1Sender Policy Framework record (RFC 7208)Apex (e.g. example.com) — see SPF guide
v=DKIM1DKIM public key (RFC 6376)<selector>._domainkey.example.com — see DKIM guide
v=DMARC1DMARC policy (RFC 7489)_dmarc.example.com — see DMARC guide
v=STSv1MTA-STS DNS record (RFC 8461)_mta-sts.example.com — see MTA-STS guide
v=TLSRPTv1TLS Reporting policy (RFC 8460)_smtp._tls.example.com — see TLS-RPT guide
v=BIMI1Brand Indicators for Message Identificationdefault._bimi.example.com — see BIMI guide
Verification tokensGoogle, Microsoft, Atlassian, Stripe, ACME, etc.Apex or vendor-specified subdomain

How TXT Strings Are Encoded

DNS limits any single TXT string to 255 characters. Records longer than that — including most modern DKIM 2048-bit keys and long SPF records — are split across multiple strings inside a single TXT record. Per RFC 7208 §3.3 and RFC 6376 §3.6.2.1, receivers must concatenate the strings in order with no separator.

A correctly-published 400-character DKIM key looks like this in the zone file:

selector1._domainkey  IN  TXT  ( "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
                                  "...QABwIDAQAB" )

The two quoted strings are concatenated by the receiver into one logical record. Some DNS providers force you to enter them as a single string and silently truncate at 255; others let you enter the full key and split it under the hood. Verify with this lookup — it shows the concatenated form so you can confirm the record is intact.

Common TXT Record Errors

  • Split-string corruption. The record looks fine in the DNS provider's UI but breaks because a 256-byte string was split at the wrong byte. Especially common for DKIM 2048-bit keys.
  • Multiple SPF records on the same name. RFC 7208 §3.2 allows only one. Receivers MUST treat the configuration as permerror. Use the SPF checker to verify.
  • SPF record on the wrong host. SPF lives at the sending domain (the MAIL FROM domain), not at every subdomain. Receivers query the apex unless the message was sent from a subdomain.
  • DMARC record at apex instead of _dmarc. DMARC lives at _dmarc.example.com, not example.com. The DMARC checker catches this.
  • Quote-escaping bugs. Some zone-file editors double-escape inner quotes, turning "v=DKIM1; k=rsa; p=..." into "\"v=DKIM1\"". The TXT becomes unparseable.
  • Stale verification tokens. Records like google-site-verification=... stick around years after the original need. Periodically prune them — they're harmless but clutter the record set.

Command-Line TXT Lookup

  • dig: dig TXT example.com +short
  • nslookup: nslookup -type=txt example.com
  • host: host -t txt example.com
  • PowerShell: Resolve-DnsName -Type TXT example.com

FAQ

How do I look up TXT records for a domain?

Enter the domain (or subdomain like _dmarc.example.com) in the field above and click "Lookup." This tool queries Cloudflare's DoH resolver and returns every TXT record at that name, with each string identified if it matches a known pattern (SPF, DMARC, DKIM, MTA-STS, BIMI, TLS-RPT, or a known verification token).

What does a TXT record contain?

Anything text-shaped, but in production almost always one of the email-authentication or domain-verification patterns listed above. Each TXT record at a name is a separate entry; resolvers return them all in one query.

How can I check TXT records from the command line?

Use dig TXT example.com +short on Linux or macOS, or nslookup -type=txt example.com on Windows. For DNSSEC-validated lookups via DoH: curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=TXT'.

Why is my TXT record split into multiple strings?

DNS limits any single string in a TXT record to 255 characters. Anything longer must be split into multiple strings within the same TXT record; receivers concatenate them. Modern 2048-bit DKIM keys typically require two strings. As long as the strings are within one TXT record (one set of parentheses in the zone file), the format is correct.

Can a domain have multiple TXT records?

Yes — at any given name. A domain typically has one SPF TXT, one DMARC TXT (at _dmarc), several DKIM TXTs (one per selector, under _domainkey), plus one or more verification tokens. Multiple SPF records at the same name, however, are forbidden by RFC 7208 §3.2.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.

Start Free