TXT Records (Text)
TXT records store arbitrary text data in DNS. They're commonly used for domain verification, email security (SPF, DKIM, DMARC), and other service configurations.
Creating a TXT Record
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: verification-txt
  namespace: dns-system
  labels:
    zone: example.com  # Used by DNSZone selector
spec:
  name: "@"
  text: "v=spf1 include:_spf.example.com ~all"
  ttl: 3600
How Records Are Associated with Zones
Records are discovered by DNSZones using label selectors. The DNSZone must have a recordsFrom selector that matches the record's labels:
# DNSZone with selector
apiVersion: bindy.firestoned.io/v1beta1
kind: DNSZone
metadata:
  name: example-com
spec:
  zoneName: example.com
  clusterRef: production-dns
  recordsFrom:
    - selector:
        matchLabels:
          zone: example.com  # Selects all records with this label
  soaRecord:
    primaryNs: ns1.example.com.
    adminEmail: admin.example.com.
    serial: 2024010101
---
# Record that will be selected
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: spf-record
  labels:
    zone: example.com  # ✅ Matches selector above
spec:
  name: "@"
  text: "v=spf1 include:_spf.example.com ~all"
See Label Selector Guide for advanced patterns.
Common Use Cases
SPF (Sender Policy Framework)
Authorize mail servers to send email on behalf of your domain:
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: spf-record
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "v=spf1 mx include:_spf.google.com ~all"
  ttl: 3600
Common SPF mechanisms:
- mx - Allow servers in MX records
- a - Allow A/AAAA records of domain
- ip4:192.0.2.0/24 - Allow specific IPv4 range
- include:domain.com - Include another domain's SPF policy
- ~all - Soft fail (recommended)
- -all - Hard fail (strict)
DKIM (DomainKeys Identified Mail)
Publish DKIM public keys:
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: dkim-selector
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: default._domainkey  # selector._domainkey format
  text: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."
  ttl: 3600
DMARC (Domain-based Message Authentication)
Set email authentication policy:
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: dmarc-policy
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: _dmarc
  text: "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
  ttl: 3600
DMARC policies:
- p=none - Monitor only (recommended for testing)
- p=quarantine - Treat failures as spam
- p=reject - Reject failures outright
Domain Verification
Verify domain ownership for services:
# Google verification
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: google-verification
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "google-site-verification=1234567890abcdef"
---
# Microsoft verification
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: ms-verification
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "MS=ms12345678"
Service-Specific Records
Atlassian Domain Verification
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: atlassian-verify
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "atlassian-domain-verification=abc123"
Stripe Domain Verification
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: stripe-verify
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "_stripe-verification"
  text: "stripe-verification=xyz789"
Multiple TXT Values
Some names need more than one TXT value. Create a separate record for each value:
# SPF record
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: txt-spf
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "v=spf1 include:_spf.google.com ~all"
---
# Domain verification (same name, different value)
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: txt-verify
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "google-site-verification=abc123"
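Both records will exist under the same DNS name. Keep to one SPF record per name, though: receivers treat more than one v=spf1 record at the same name as a permanent error (RFC 7208).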
String Formatting
Long Strings
DNS TXT records have a 255-character limit per string. For longer values, the DNS server automatically splits them:
Special Characters
Quote strings containing spaces or special characters:
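The following is an added example, not code from the Bindy project or from this page. It shows what the Long Strings and Special Characters rules above mean for a TXT value: the value is split into character-strings of at most 255 bytes, each one is quoted and escaped for zone-file presentation format, and a verifier joins the pieces back together with no separator. The function names and the sample value are assumptions made for illustration.

```python
# Added example (not Bindy code): split a TXT value into <=255-byte
# character-strings and render them in zone-file presentation format.
MAX_CHUNK = 255  # each character-string is preceded by one length octet


def split_txt(value: str) -> list[bytes]:
    """Split a TXT value into character-strings of at most 255 bytes."""
    raw = value.encode("utf-8")
    return [raw[i:i + MAX_CHUNK] for i in range(0, len(raw), MAX_CHUNK)] or [b""]


def quote_chunk(chunk: bytes) -> str:
    """Quote one character-string, escaping '"', '\\' and non-printable bytes."""
    out = []
    for b in chunk:
        ch = chr(b)
        if ch in '"\\':
            out.append("\\" + ch)
        elif 0x20 <= b <= 0x7E:
            out.append(ch)
        else:
            out.append(f"\\{b:03d}")  # \DDD decimal escape for other bytes
    return '"' + "".join(out) + '"'


def to_presentation(value: str) -> str:
    """Render the whole value as space-separated quoted strings."""
    return " ".join(quote_chunk(c) for c in split_txt(value))


def reassemble(chunks: list[bytes]) -> str:
    """SPF, DKIM and DMARC verifiers join the strings with no separator."""
    return b"".join(chunks).decode("utf-8")


# Constructed sample: a DKIM-style value with a 400-character placeholder key.
SAMPLE = "v=DKIM1; k=rsa; p=" + "A" * 400
```

Because the pieces are concatenated without a space, a split that lands in the middle of a DKIM key or between SPF terms does not change the value a verifier sees.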
Best Practices
- Keep TTLs moderate - 3600 (1 hour) is typical for TXT records
- Test before deploying - Verify SPF/DKIM/DMARC records with online tools
- Monitor DMARC reports - Set up rua and ruf addresses to receive reports
- Start with soft policies - Use ~all for SPF and p=none for DMARC initially
- Document record purposes - Use clear resource names
Status Monitoring
status:
  conditions:
    - type: Ready
      status: "True"
      reason: ReconcileSucceeded
      message: "Record configured on 3 endpoint(s)"
  observedGeneration: 1
Troubleshooting
Test TXT record
# Query TXT records
dig TXT example.com
# Test SPF
dig TXT example.com | grep spf
# Test DKIM
dig TXT default._domainkey.example.com
# Test DMARC
dig TXT _dmarc.example.com
Online Validation Tools
- SPF: mxtoolbox.com/spf.aspx
- DKIM: mxtoolbox.com/dkim.aspx
- DMARC: mxtoolbox.com/dmarc.aspx
Common Issues
- SPF too long - Limit DNS lookups to 10 (use include wisely)
- DKIM not found - Verify selector name matches mail server configuration
- DMARC syntax error - Validate with online tools before deploying
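An offline pre-deployment check for the SPF issue above and for the Multiple TXT Values pattern, as an added example that is not part of Bindy or of this page. It flags a name that carries more than one v=spf1 record, which is easy to create by accident when each TXT value is its own resource, and counts the lookup-causing terms in each SPF record against the limit of 10. The function names are assumptions, and the sample is constructed from record values shown on this page.

```python
# Added example (not Bindy code): lint TXT values for two SPF failure modes.
from collections import defaultdict

# Terms that cost the receiver a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def is_spf(text: str) -> bool:
    lowered = text.lower()
    return lowered == "v=spf1" or lowered.startswith("v=spf1 ")


def count_lookups(text: str) -> int:
    """Count lookup terms in this record only; nested includes add more."""
    count = 0
    for term in text.split()[1:]:
        term = term.lstrip("+-~?").lower()
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS or term.startswith("redirect="):
            count += 1
    return count


def lint(records: list[tuple[str, str]]) -> list[str]:
    """records: (owner name, TXT value) pairs from one zone."""
    findings = []
    spf_by_name = defaultdict(list)
    for name, text in records:
        if is_spf(text):
            spf_by_name[name].append(text)
    for name, texts in spf_by_name.items():
        if len(texts) > 1:
            findings.append(f"{name}: {len(texts)} SPF records (permerror)")
        for text in texts:
            lookups = count_lookups(text)
            if lookups > MAX_LOOKUPS:
                findings.append(f"{name}: {lookups} lookups, limit {MAX_LOOKUPS}")
    return findings


# Constructed sample built from record values shown on this page.
SAMPLE = [
    ("@", "v=spf1 include:_spf.example.com ~all"),
    ("@", "v=spf1 mx include:_spf.google.com ~all"),
    ("@", "google-site-verification=abc123"),
    ("_dmarc", "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"),
]
```

Calling lint(SAMPLE) reports the two SPF records at "@". The lookup count is a lower bound, since each included domain's own SPF record adds its lookups to the total.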
Next Steps
- MX Records - Configure mail servers
- DNS Records Overview - Complete guide to all record types
- Monitoring DNS - Monitor your DNS infrastructure