Where do I find my SPF record?

The SPF record is a TXT at the domain root (@). It starts with v=spf1 and lists servers authorized to send emails for your domain.

How do I check a DKIM record?

The DKIM record is a TXT at selector._domainkey.yourdomain.com. The selector depends on your email provider. Look for v=DKIM1 in the value.

Where is my DMARC record?

The DMARC record is a TXT at _dmarc.yourdomain.com. It starts with v=DMARC1 and defines the policy for emails failing SPF or DKIM.

Can I have multiple TXT records?

Yes, you can have multiple TXT records on the same name. However, for SPF, you must have only ONE record starting with v=spf1. Multiple SPF records cause failures.

My TXT is truncated, why?

TXT records longer than 255 characters are split into multiple strings. This is normal. The resolver automatically recombines them.

How do I remove an old verification token?

Once verification is complete, you can delete the temporary TXT from your DNS interface. Always keep your SPF, DKIM, and DMARC records.

TXT Record Lookup

Check SPF, DKIM, DMARC and your text configurations

Email authentication issues? Verify that your TXT records for SPF, DKIM, and DMARC are correctly published and propagated.

Host

Type

Resolver

Iterative trace

In iterative trace mode, the resolver is ignored.

Propagation test

Query multiple public resolvers to compare answers.

SPF, DKIM, DMARC

Display email authentication records. Quickly identify syntax errors or missing records.

Domain verifications

View verification tokens (Google, Microsoft, etc.) published in your DNS zone.

Full syntax

View the complete value of each TXT, even long records with concatenation.

Multi-resolver

Compare responses from Google, Cloudflare, Quad9 to detect propagation issues.

Free and unlimited

Test as many domains as needed. No signup required.

How to use the DNS lookup engine options effectively

What is the iterative trace?

The trace performs resolution step by step. The resolver first queries the root servers, then the TLD (.com, .fr, .eu), and then the authoritative servers of the target zone. At each step, the page shows the queried server, the answer, the RCODE, and the latency.

1. Root
Discovery of the TLD servers for the requested name.
2. TLD
Reference to the zone's NS (delegation).
3. Authoritative
Final answer (or error) with TTL and latency.

What is it for?

Compare answers across resolvers and regions
Detect a hot cache, an overly long TTL, or an incomplete delegation
Explain a latency difference or an unexpected RCODE

Tip: keep the trace disabled for quick checks; enable it when investigating or preparing a ticket/post‑mortem.

What is the classic trace?

The classic trace queries only the selected resolver (UDP or DoH) and displays the answer as it is perceived from that network vantage point. You get the RCODE, the response sections, and the latency for the client → resolver leg.

1. Chosen resolver
Uses the preset or custom configuration to run the query exactly like your service would.
2. Protocol preserved
Respects the selected transport (UDP, TCP, or DoH) so you reproduce the real behaviour.
3. Detailed answer
Shows the question, answer, and authority/additional sections when present, together with TTL and useful metadata.

Why use it?

Check the view of a specific resolver before suspecting delegation issues
Confirm cached values and the impact of a TTL or a flush
Document a resolution exactly as a client or microservice sees it

Tip: keep the iterative trace option turned off when auditing a given resolver; enable it afterwards to compare with the root → TLD → authoritative path.

How does the propagation test work?

The test queries a set of public resolvers (Google, Cloudflare, Quad9, OpenDNS, ISPs…) in parallel and groups the answers by content and RCODE. You instantly see who already picked up the update.

1. Multi-point resolvers
Enables the propagation presets to question several actors spread around the world.
2. Automatic comparison
Groups identical answers and highlights divergences or resolver-specific errors.
3. Actionable summary
Provides a clear recap, the resolver list, their latencies, and each group's status.

When to use it?

Track how a DNS change propagates worldwide
Spot stale caches and decide on a targeted flush
Share a propagation snapshot in a ticket or post-mortem

Tip: while the propagation test is active, the resolver selector is frozen. Disable the mode to return to single-resolver diagnostics.

What is a TXT record?

A TXT (Text) record publishes arbitrary text associated with a domain name. It's a versatile format used for many applications, including email authentication and ownership verification.

TXT record structure:

Field	Description	Example
Name	The domain or subdomain	`@` or `_dmarc`
Type	Always `TXT`	`TXT`
Value	Free-form text	`"v=spf1 include:_spf.google.com -all"`
TTL	Cache duration in seconds	`3600`

Common TXT records

SPF (Sender Policy Framework)

Published at the domain root. Defines servers authorized to send emails.

captaindns.com.  3600  IN  TXT  "v=spf1 include:_spf.google.com -all"

Key elements:

v=spf1: SPF version (required)
include:: Authorized domains
ip4: / ip6:: Authorized IP addresses
-all: Reject others (strict) / ~all: Soft fail

DKIM (DomainKeys Identified Mail)

Published at selector._domainkey.domain.com. Contains the public key for verifying signatures.

selector._domainkey.captaindns.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBg..."

Key elements:

v=DKIM1: DKIM version
k=rsa: Key algorithm
p=: Public key (base64)

DMARC (Domain-based Message Authentication)

Published at _dmarc.domain.com. Defines the policy when SPF/DKIM fail.

_dmarc.captaindns.com.  3600  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@captaindns.com"

Key elements:

v=DMARC1: DMARC version
p=none|quarantine|reject: Policy
rua=: Address for aggregate reports

Domain verification

Temporary token provided by a service (Google, Microsoft, etc.).

captaindns.com.  300  IN  TXT  "google-site-verification=abc123..."

Best practices

SPF

Rule	Explanation
One SPF record only	Multiple v=spf1 cause failures
Maximum 10 DNS lookups	Count include, a, mx (not ip4/ip6)
End with -all or ~all	Defines default behavior
Include all senders	Don't forget third-party services (newsletters, CRM)

DKIM

Rule	Explanation
Minimum 2048-bit key	RSA 1024 bits is deprecated
One selector per service	Makes rotation and revocation easier
Don't modify manually	Copy-paste exactly from provider

DMARC

Rule	Explanation
Start with p=none	Observe without blocking during setup
Configure rua	Receive reports for diagnostics
Progress to p=quarantine, p=reject	Once SPF/DKIM are validated

Troubleshooting common issues

SPF fails (PermError)

Verify there's only ONE SPF record
Count DNS lookups (max 10)
Check syntax (no extra spaces, correct quotes)

DKIM not found

Verify exact selector (case-sensitive)
Format is selector._domainkey.domain.com
Key must be in one string (or correctly concatenated)

DMARC not detected

Verify record is at _dmarc.domain.com
Value must start with v=DMARC1
Syntax: semicolon between tags, not comma

Command line verification

SPF

dig TXT captaindns.com

DKIM

dig TXT selector._domainkey.captaindns.com

DMARC

dig TXT _dmarc.captaindns.com

Tool	Purpose
SPF Inspector	Detailed SPF analysis and validation
DKIM Inspector	DKIM key and signature verification
DMARC Inspector	DMARC policy analysis
Email Tester	Complete SPF/DKIM/DMARC test from your server
DMARC Generator	Create a valid DMARC record

Useful resources

RFC 7208 - SPF (SPF specification)
RFC 6376 - DKIM (DKIM specification)
RFC 7489 - DMARC (DMARC specification)
Google - Configure SPF (official guide)