TXT Records (Text)

TXT records store arbitrary text data in DNS. They’re commonly used for domain verification, email security (SPF, DKIM, DMARC), and other service configurations.

Creating a TXT Record

apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: verification-txt
  namespace: dns-system
  labels:
    zone: example.com  # Used by DNSZone selector
spec:
  name: "@"
  text: "v=spf1 include:_spf.example.com ~all"
  ttl: 3600

How Records Are Associated with Zones

Records are discovered by DNSZones using label selectors. The DNSZone must have a recordsFrom selector that matches the record’s labels:

# DNSZone with selector
apiVersion: bindy.firestoned.io/v1beta1
kind: DNSZone
metadata:
  name: example-com
spec:
  zoneName: example.com
  clusterRef: production-dns
  recordsFrom:
    - selector:
        matchLabels:
          zone: example.com  # Selects all records with this label
  soaRecord:
    primaryNs: ns1.example.com.
    adminEmail: admin.example.com.
    serial: 2024010101
---
# Record that will be selected
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: spf-record
  labels:
    zone: example.com  # ✅ Matches selector above
spec:
  name: "@"
  text: "v=spf1 include:_spf.example.com ~all"

See Label Selector Guide for advanced patterns.

Common Use Cases

SPF (Sender Policy Framework)

Authorize mail servers to send email on behalf of your domain:

apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: spf-record
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "v=spf1 mx include:_spf.google.com ~all"
  ttl: 3600

Common SPF mechanisms:

  • mx - Allow the hosts named in the domain's MX records
  • a - Allow the A/AAAA addresses of the domain
  • ip4:192.0.2.0/24 - Allow a specific IPv4 range (ip6: for IPv6)
  • include:domain.com - Evaluate another domain's SPF policy as well
  • ~all - Soft fail: unlisted senders are marked but usually still delivered (use while rolling out)
  • -all - Hard fail: unlisted senders are rejected (the target once the sender list is complete)

Each mx, a, include, exists and ptr term (and a redirect= modifier) costs the receiver a DNS lookup, and a record that needs more than 10 lookups in total is a permanent error, so keep include: chains short.

DKIM (Domain Keys Identified Mail)

Publish DKIM public keys:

apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: dkim-selector
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: default._domainkey  # selector._domainkey format
  text: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."
  ttl: 3600

DMARC (Domain-based Message Authentication)

Set email authentication policy:

apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: dmarc-policy
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: _dmarc
  text: "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
  ttl: 3600

DMARC policies (applied by receivers to mail that passes neither aligned SPF nor aligned DKIM):

  • p=none - Monitor only: failing mail is still delivered, but aggregate reports go to the rua address (recommended for testing)
  • p=quarantine - Ask receivers to treat failing mail as suspicious (typically the spam folder)
  • p=reject - Ask receivers to refuse failing mail outright

Domain Verification

Verify domain ownership for services:

# Google verification
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: google-verification
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "google-site-verification=1234567890abcdef"
---
# Microsoft verification
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: ms-verification
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "MS=ms12345678"

Service-Specific Records

Atlassian Domain Verification

apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: atlassian-verify
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "atlassian-domain-verification=abc123"

Stripe Domain Verification

apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: stripe-verify
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "_stripe-verification"
  text: "stripe-verification=xyz789"

Multiple TXT Values

A name can carry several TXT values at once, for example SPF plus a verification token. Create one TXTRecord per value, all with the same spec.name:

# SPF record
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: txt-spf
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "v=spf1 include:_spf.google.com ~all"
---
# Domain verification (same name, different value)
apiVersion: bindy.firestoned.io/v1beta1
kind: TXTRecord
metadata:
  name: txt-verify
  namespace: dns-system
  labels:
    zone: example.com
spec:
  name: "@"
  text: "google-site-verification=abc123"

Both records will exist under the same DNS name. Only one of them may begin with v=spf1: receivers treat two SPF records at one name as a permanent error, so extend the existing SPF record rather than adding a second one.

String Formatting

Long Strings

A TXT record holds one or more strings of at most 255 bytes each (the limit is per string, not per record), and a 2048-bit RSA DKIM key is well over that. For longer values the DNS server splits the text into several strings automatically, and verifiers concatenate them in order, so the full value can be given in text:

spec:
  text: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."  # Can be long
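
The split-and-rejoin described above, as an added example that is not part of the project's code: RFC 1035 stores each TXT string as a one-byte length followed by the bytes, which is where the 255 limit comes from, and dig prints the result as space-separated quoted strings. The functions below split a value into chunks, encode and decode the wire form, and convert to and from the quoted presentation form; the long DKIM value in the docstring is a constructed placeholder, not a real key.

```python
"""Split, encode and parse TXT RDATA as RFC 1035 <character-string>s.

Added example, not bindy project code. A TXT record is a list of
character-strings, each a one-byte length followed by up to 255 bytes;
that length byte is where the limit comes from, and readers concatenate
the strings in order. Sample input: split_txt("v=DKIM1; k=rsa; p=" + "A" * 400).
"""
MAX_CHARACTER_STRING = 255


def split_txt(value: str, limit: int = MAX_CHARACTER_STRING) -> list[bytes]:
    """Split the UTF-8 bytes of a value into chunks of at most `limit` bytes."""
    data = value.encode("utf-8")
    return [data[i:i + limit] for i in range(0, len(data), limit)] or [b""]


def join_txt(chunks: list[bytes]) -> str:
    """What a verifier sees after fetching the record: the chunks concatenated."""
    return b"".join(chunks).decode("utf-8")


def to_wire(chunks: list[bytes]) -> bytes:
    """Encode chunks as TXT RDATA: one length byte followed by the bytes, repeated."""
    out = bytearray()
    for chunk in chunks:
        if len(chunk) > MAX_CHARACTER_STRING:
            raise ValueError(f"character-string of {len(chunk)} bytes exceeds 255")
        out.append(len(chunk))
        out += chunk
    return bytes(out)


def from_wire(rdata: bytes) -> list[bytes]:
    """Decode TXT RDATA back into its character-strings."""
    chunks, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        if i + 1 + n > len(rdata):
            raise ValueError("truncated character-string")
        chunks.append(rdata[i + 1:i + 1 + n])
        i += 1 + n
    return chunks


def to_presentation(chunks: list[bytes]) -> str:
    r"""Zone-file / dig form: quoted strings separated by spaces, with
    '"' and '\' escaped by a backslash and other non-printable bytes as \DDD."""
    parts = []
    for chunk in chunks:
        s = ""
        for b in chunk:
            if b in (0x22, 0x5C):        # '"' and '\'
                s += "\\" + chr(b)
            elif 0x20 <= b <= 0x7E:      # printable ASCII
                s += chr(b)
            else:
                s += f"\\{b:03d}"
        parts.append(f'"{s}"')
    return " ".join(parts)


def parse_presentation(text: str) -> list[bytes]:
    """Parse the quoted form (e.g. the RDATA column of `dig TXT`) back into chunks."""
    chunks, i = [], 0
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        if text[i] != '"':
            raise ValueError(f"expected '\"' at offset {i}")
        i += 1
        buf = bytearray()
        while i < len(text) and text[i] != '"':
            if text[i] == "\\" and i + 1 < len(text):
                if text[i + 1:i + 4].isdigit():     # \DDD decimal escape
                    buf.append(int(text[i + 1:i + 4]))
                    i += 4
                else:                               # \" or \\
                    buf.append(ord(text[i + 1]))
                    i += 2
            else:
                buf.append(ord(text[i]))
                i += 1
        if i >= len(text):
            raise ValueError("unterminated quoted string")
        chunks.append(bytes(buf))
        i += 1
    return chunks
```

Feeding the RDATA column of `dig TXT default._domainkey.example.com` to parse_presentation and then join_txt reproduces the value that was given in text, which is a quick way to confirm the split did not corrupt a key.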

Special Characters

Quote strings containing spaces or special characters. Inside YAML double quotes, an embedded double quote or backslash must itself be escaped as \" or \\:

spec:
  text: "This string contains spaces"

spec:
  text: "key=value; another-key=another value"

Best Practices

  1. Keep TTLs moderate - 3600 (1 hour) is typical for TXT records
  2. Test before deploying - Verify SPF/DKIM/DMARC records with online tools
  3. Monitor DMARC reports - Set up rua and ruf addresses to receive reports
  4. Start with soft policies - Use ~all for SPF and p=none for DMARC initially
  5. Document record purposes - Use clear resource names

Status Monitoring

kubectl get txtrecord spf-record -o yaml
status:
  conditions:
    - type: Ready
      status: "True"
      reason: ReconcileSucceeded
      message: "Record configured on 3 endpoint(s)"
  observedGeneration: 1

Troubleshooting

Test TXT record

# Query TXT records
dig TXT example.com

# Test SPF
dig TXT example.com | grep spf

# Test DKIM
dig TXT default._domainkey.example.com

# Test DMARC
dig TXT _dmarc.example.com

Online Validation Tools

Common Issues

  • SPF permerror / too many lookups - include, a, mx, ptr, exists and redirect= each cost a DNS query, and the total may not exceed 10; trim or flatten include: chains
  • Two SPF records at one name - also a permerror; merge them into a single v=spf1 record
  • DKIM not found - Verify the selector name (the part before ._domainkey) matches the mail server configuration
  • DMARC syntax error - Validate with online tools before deploying; the record must start with v=DMARC1 and contain a p= tag
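
An offline pre-flight check for the SPF and DMARC sections above and for the common issues just listed, as an added example that is not part of the project's code. It applies the syntax rules of RFC 7208 and RFC 7489 that can be checked without a resolver: at most one v=spf1 value per name, known mechanisms and modifiers, nothing after all, no +all, a lookup count against the limit of 10, and a DMARC record that starts with v=DMARC1, has a valid p= and mailto: report addresses. include: and redirect= targets are not fetched, so the lookup count is a lower bound; the records passed in are constructed samples.

```python
"""Offline lint for SPF and DMARC TXT values before they are applied.

Added example, not bindy project code. Sample input such as
lint_spf(["v=spf1 mx include:_spf.google.com ~all"]) is constructed.
"""
import re

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query
SPF_OTHER_MECHANISMS = {"all", "ip4", "ip6"}
SPF_MODIFIERS = {"redirect", "exp"}
SPF_MAX_LOOKUPS = 10  # RFC 7208 s4.6.4; redirect= counts too
DMARC_POLICIES = {"none", "quarantine", "reject"}
DMARC_TAGS = {"p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}
MODIFIER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)=(.*)")  # name=value, no ':' in name


def _mechanism_name(term: str) -> str:
    """'~include:x.example' -> 'include', 'a/24' -> 'a', 'ip4:192.0.2.0/24' -> 'ip4'."""
    return term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()


def spf_lookup_count(record: str) -> int:
    """Count terms that require a DNS query: include/a/mx/ptr/exists and redirect=."""
    count = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        m = MODIFIER_RE.fullmatch(term)
        if m and m.group(1).lower() == "redirect":
            count += 1
        elif not m and _mechanism_name(term) in SPF_LOOKUP_MECHANISMS:
            count += 1
    return count


def lint_spf(txt_values: list[str]) -> list[str]:
    """Lint all TXT values published at one name; an empty list means no findings."""
    problems = []
    spf = [v for v in txt_values if v.lower().startswith("v=spf1")]
    if not spf:
        return ["no TXT value starts with v=spf1"]
    if len(spf) > 1:
        problems.append(f"{len(spf)} values start with v=spf1; receivers return permerror (RFC 7208 s3.2)")
    seen_all = has_redirect = False
    for term in spf[0].split()[1:]:
        m = MODIFIER_RE.fullmatch(term)
        if m:
            if m.group(1).lower() not in SPF_MODIFIERS:
                problems.append(f"unknown modifier {term!r}")
            has_redirect = has_redirect or m.group(1).lower() == "redirect"
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = _mechanism_name(term)
        if name not in SPF_LOOKUP_MECHANISMS | SPF_OTHER_MECHANISMS:
            problems.append(f"unknown mechanism {term!r}")
        elif seen_all:
            problems.append(f"{term!r} follows 'all' and is never evaluated")
        if name == "all":
            seen_all = True
            if qualifier == "+":
                problems.append("'+all' authorises every sender; use ~all or -all")
        elif name == "ptr":
            problems.append("'ptr' is deprecated (RFC 7208 s5.5); prefer ip4/ip6, a or mx")
    if not seen_all and not has_redirect:
        problems.append("no 'all' mechanism and no redirect=; unlisted senders get 'neutral'")
    lookups = spf_lookup_count(spf[0])
    if lookups > SPF_MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of {SPF_MAX_LOOKUPS} (permerror)")
    return problems


def lint_dmarc(record: str) -> list[str]:
    """Lint a _dmarc TXT value against the RFC 7489 tag grammar."""
    tags = [t.strip() for t in record.split(";") if t.strip()]
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        return ["record must begin with 'v=DMARC1' (exact case)"]
    problems, seen = [], {}
    for tag in tags[1:]:
        if "=" not in tag:
            problems.append(f"malformed tag {tag!r}")
            continue
        key, value = (part.strip() for part in tag.split("=", 1))
        key = key.lower()
        if key in seen:
            problems.append(f"duplicate tag {key!r}")
        seen[key] = value
        if key not in DMARC_TAGS:
            problems.append(f"unknown tag {key!r}")
        elif key in ("p", "sp") and value.lower() not in DMARC_POLICIES:
            problems.append(f"{key}={value!r} is not none/quarantine/reject")
        elif key in ("rua", "ruf"):
            for uri in value.split(","):
                if not uri.strip().lower().startswith("mailto:"):
                    problems.append(f"{key} target {uri.strip()!r} is not a mailto: URI")
        elif key == "pct" and not (value.isdigit() and int(value) <= 100):
            problems.append(f"pct={value!r} must be an integer 0-100")
        elif key in ("adkim", "aspf") and value.lower() not in ("r", "s"):
            problems.append(f"{key}={value!r} must be r (relaxed) or s (strict)")
    if "p" not in seen:
        problems.append("required tag 'p' is missing")
    elif seen["p"].lower() == "none" and "rua" not in seen:
        problems.append("p=none without rua= produces no reports; add rua=mailto:...")
    return problems
```

Run lint_spf on every text value you intend to publish at "@" (not just the SPF one), since the duplicate-SPF check only works when it sees the whole set; run lint_dmarc on the _dmarc value. An empty list is a clean bill; anything else is worth fixing before kubectl apply, because a permerror on SPF or an ignored DMARC record silently turns the policy off.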

Next Steps