Some online services will ask you to verify ownership of a domain before they can interact with it. One of the simplest and quickest methods they offer is adding a TXT record to your domain’s DNS records, and it’s the option I usually choose for site verification with new sites or new tools.
Messing with DNS can be daunting. But verifying with a TXT record is simple, quick, and safe. Here’s how to do it if you’re using Cloudflare.
What are DNS TXT Records & What are They Used For?
A DNS TXT record is often used as a way to verify that you own and have access to the DNS records associated with a domain name. Without that access, there’s no way to create the TXT record, so it’s a reliable method to prove ownership.
So the TXT record is basically like a one-off secret password. The service or site that’s requesting the authentication wants to be able to go directly to your domain name–without you in the middle–and be able to prove that the DNS record knows that secret password. And there’s only one way that the DNS record can possibly know that password–if you have full access to the DNS account and are therefore able to update the account with the password.
Some common places you might run into this are:
- It’s one of the verification methods offered by Google Analytics and Search Console.
- SEO services that need to verify your ownership of a domain, such as Ahrefs or Semrush.
- Cloud storage and CDN providers when mapping to your domain.
- Website hosts who need verification that you own the domain.
I’m focusing here on Cloudflare, but the way to do this is broadly similar across DNS registrars.
What You Need
Before you begin, you’ll need:
- Access to the Cloudflare account that your domain is under.
- The content for the TXT record. This will be provided by the service requesting authentication.
How to Create the TXT Record in Cloudflare
Log into your Cloudflare account.
Choose the domain you want to verify.
Click on the DNS menu item at the left side of the screen.
You might already have several DNS entries for that domain. It might be just a couple of records that simply point the domain to your website’s host server (A records). There might also be some CNAMEs and perhaps even some mail server (MX) records. But whatever is already there, you can ignore it, even if you already have TXT records there. The aim here isn’t to replace an existing record but to create a new one. You can have as many TXT records as you like, and they work independently.
Click the blue Add record button.
You’ll get a pop-down panel with various fields. It looks like this:
The Type field is a drop-down menu. Change that to TXT.
In the Name field, the service should have provided the information to enter. In many cases, you’ll likely want to put the @ symbol. This stands for your root domain. But sometimes you might need to enter something else, depending on what the TXT record is being used for. In any case, whatever service is asking you to verify the domain should tell you what to use there.[1]
The service or site that’s requesting you perform the verification will have provided the text to use in the Content field. It’s usually a long string of letters and numbers. Something like this:
This is a unique and single-use code–that’s the whole point. It’s case-sensitive. It’s safer to copy and paste it than retype it.
For the TTL field, in most cases, Auto is a good choice (Auto, in this case, means 5 minutes). The TXT record isn’t something that updates often, so there’s no need for resolvers to re-fetch it every minute. On the other hand, you don’t want to be waiting days before the verification can be completed. I find that Cloudflare’s Auto setting is a good balance. In some cases, the service requesting authentication might specify a TTL setting. If so, set the TTL field to match.[2]
Once you’ve entered that, hit the
The new TXT record will now show up as a new entry in your domain’s DNS records.
You can now go back to the service or site that’s requesting authentication to report that the TXT record has been added. That service or site will then query your domain’s DNS records directly to verify that the information is there. It might not be picked up instantly, in which case, give it a few minutes–with a TTL set to Auto or similar, the information should be updated pretty quickly.
Things Worth Knowing
The service or site requesting authentication will provide the content for the Content field of the TXT record. It’s important that text is copied exactly and cleanly. You might also be provided with the information to enter into the Name and TTL fields.
In some cases, the TTL might also be specified. If so, it’s usually expressed in seconds. For example, a TTL of 300 is five minutes. A TTL of 3600 is an hour. And so on.
If it’s still not authenticating, here are some things to check:
- You updated the correct domain. Yes, it might sound obvious, but if you have a bunch of domains in Cloudflare, especially if some are similar, it’s easy to select the wrong one.
- The Type field is set to TXT (not A or CNAME, etc).
- The text in the Content field was cleanly copied and pasted. Check for any rogue spaces at the end, for example. If you need to edit the TXT record, use the Edit link to the right of the TXT record.
- TTL is set to Auto or not longer than 10 minutes (600) or so. If it’s set longer, it means that you’ll need to wait longer for updates to be registered.
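The checklist above can be run against what DNS is actually serving. The following is an added example, not part of the original article: it parses the answer lines printed by `dig +noall +answer <name> TXT` and reports which checklist item applies. The domain, token and sample output are constructed for illustration.

```python
import shlex

# Constructed sample in the format of `dig +noall +answer <name> TXT`
# (columns: name, TTL in seconds, class, type, quoted value).
SAMPLE = (
    'example.com.\t300\tIN\tTXT\t"v=spf1 -all"\n'
    'example.com.\t300\tIN\tTXT\t"site-verification=AbC123xyz "\n'
    '_check.example.com.\t3600\tIN\tTXT\t"site-verifi" "cation=AbC123xyz"\n'
)

def parse_txt_answers(dig_output):
    """Return (name, ttl, value) for every TXT line in the dig answer text."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split(None, 4)  # name, ttl, class, type, rdata
        if len(fields) == 5 and fields[3].upper() == "TXT":
            # A value may be shown as several quoted strings; they are joined
            # without a separator (the usual convention, assumed here).
            value = "".join(shlex.split(fields[4]))
            records.append((fields[0].rstrip(".").lower(), int(fields[1]), value))
    return records

def diagnose(dig_output, name, expected, max_ttl=600):
    """Return findings for `expected` at `name`; first item is "ok" on success."""
    name = name.rstrip(".").lower()
    at_name = [r for r in parse_txt_answers(dig_output) if r[0] == name]
    if not at_name:
        return ["no TXT record at %s: check the domain and the Name field" % name]
    exact_ttls = [ttl for _, ttl, value in at_name if value == expected]
    if exact_ttls:
        findings = ["ok"]
        if min(exact_ttls) > max_ttl:
            findings.append("TTL %d s: edits will take longer to show up" % min(exact_ttls))
        return findings
    findings = []
    for _, _, value in at_name:
        if value.strip() == expected:
            findings.append("stray whitespace around the value")
        elif value.lower() == expected.lower():
            findings.append("case differs from the value issued")
    return findings or ["TXT records exist, but none matches the value issued"]
```

Other TXT records at the same name, such as the SPF record in the sample, are ignored rather than treated as a mismatch, which matches the point that TXT records work independently.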
Many of the sites or services requesting domain authentication only need to perform this check once, and you can delete the TXT record if you wish. Some services might continue checking periodically, though, in which case you’ll need to go through the process again if you’ve deleted the TXT record.
In Cloudflare, a TXT record will also be grey clouded, with no way to orange cloud it. Or, more technically, the proxy status can only be DNS Only–it can’t be proxied and cached.
1. You can find the Name entries used for TXT records for Google services here.
2. Some DNS records in Cloudflare can be proxied (aka orange cloud). That includes A and CNAME records. With proxied records, Cloudflare doesn’t let you modify the TTL (at least, not with free and Pro accounts–maybe it’s possible with Business and Enterprise accounts). For proxied records, it’s forced to Auto, which is 5 minutes. If you disable the proxy and change the TTL, it will revert to Auto once you re-enable the proxy (orange cloud).
   But TXT records can’t be proxied–they’re permanently gray-clouded. So you can specify a TTL from 1 minute up to 1 day.