What is a TXT (Text) record used for in email? (SPF, DKIM, DMARC, BIMI)
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you've ever stared at your DNS settings wondering why there are four different records all labeled "TXT", you're not alone. TXT records are a catch-all container in DNS. They can hold any text-based data, which makes them perfect for storing email authentication instructions that receiving mail servers need to look up.
Here's what each one does:
SPF (Sender Policy Framework) lives at your root domain (like yourdomain.com) and lists every IP address and mail server that's allowed to send email on your behalf. When an email arrives claiming to be from you, the receiving server checks your SPF record to see if that sending server is on the list.
DKIM (DomainKeys Identified Mail) lives at a selector address like selector._domainkey.yourdomain.com. It holds a public key that lets receiving servers verify a cryptographic signature attached to each outgoing email. If the signature checks out, the message hasn't been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) lives at _dmarc.yourdomain.com. It tells receiving servers what to do when SPF or DKIM fail. Quarantine the message? Reject it outright? Do nothing yet? DMARC also tells mailbox providers where to send authentication reports so you can actually see what's happening.
BIMI (Brand Indicators for Message Identification) lives at default._bimi.yourdomain.com. It points to a verified logo file so your brand's logo shows up next to your emails in supported inboxes like Gmail and Yahoo Mail. BIMI requires a passing DMARC policy to work, which is why it's always the last step.
If you're setting these up for the first time, the order matters. Start with DKIM and SPF, then add DMARC in monitoring mode (policy set to none) so you can review reports before enforcing anything. Once you're confident everything's aligned, tighten DMARC to quarantine or reject. BIMI comes last, after DMARC is enforced.
All four use TXT records simply because TXT records are flexible and supported everywhere. DNS didn't need a new record type for each authentication standard. It just needed somewhere to store text. (Sometimes the boring answer is the right one.)
Want to check what's already published on your domain? Our free SPF checker and DKIM lookup take about 30 seconds each. If something looks off and you're not sure why, the SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.