Google's popular Cloud DNS service is mostly excellent, but the interface is rather confusing when it comes to adding
TXT type resource records.
If you are not careful, Google will effectively strip all whitespace from your input. Also, when trying to enter a long text, such as a DKIM public key, you might encounter an undescriptive invalid record data error.
In this article we'll dive into the background on why this error occurs and how you can solve it.
TL;DR: You'll need to split long values into parts of 255 characters and wrap your input in double quotes. You can use our DNS record splitter to do that.
Both these issues are filed in the Google Issue Tracker, see here and here.
TXTresource records work
As defined in RFC1035, a DNS
TXT resource record contains one or more
<character-string> is a structure that is used extensively in DNS to transfer text strings.
It consists of a length byte, followed by that number of text characters.
Because the length indicator is only 1 byte in size, the maximum length of a
<character-string> is 255 characters (bytes).
This is also the reason why domain names have a maximum length of 255 characters.
Sometimes more than 255 characters of length is needed, so a
TXT resource record can contain multiple
A DNS client must combine all the parts into one single value to reconstruct the original text. No whitespace is to be added in between the parts.
When using Google Cloud DNS, the first thing you might notice is that Google wants you to wrap a
TXT value with double quotes if it contains spaces.
If you don't add quotes, every word in the value will be stored (and thus served) as a separate
So if you enter value
this is a TXT record without quotes as
TXT data on Google Cloud DNS, Google will actually serve 5
<character-string> structures in the
TXT resource record.
These parts will be combined by a DNS client without whitespace.
dig, we see the result:
mailhardener.com. 300 IN TXT "thisisaTXTrecord"
Note that the quotes in the result are added by
dig for readability, they were not in the response from the DNS server.
Almost all other DNS service providers assume that you want to include the whitespace characters, so they will not require you to add quotes.
One of the most common mistakes with SPF configuration is double quoting, which comes as no surprise given the ambiguity of quote requirements by DNS service providers.
For DKIM, DMARC, MTA-STS and SMTP TLS reporting DNS records, you don't actually need spaces and so you don't really need quotes either.
Take for example this DMARC record:
v=DMARC1; p=reject; rua=mailto:email@example.com
The key/value pairs are separated by a semicolon, any whitespace is ignored.
So you could also write it as:
Both configurations do exactly the same, although the latter is less readable.
So, for most email security related records you can actually ignore the warning and enter your
TXT data value without quotes into Google Cloud DNS.
The only exception here is SPF, because SPF actually uses whitespace as the separator for the matching rules. When working with SPF you must use quotes. Again, note that this requirement is pretty specific to Google Cloud DNS, other DNS service providers might not require these quotes and setting them will cause double quoting. Always double-check your changes with
When inserting a long string into the Google Cloud DNS interface, you might encounter an undescriptive invalid record data error.
The invalid record data error is returned by Google when TXT data input is longer than 255 characters. This usually happens with DKIM records, as those tend to be quite long.
To fix this, you'll need to split your string into 255 character parts.
That's right, the biggest automation company on the planet wants you to manually break your record in 255 byte parts. They won't do it for you.
Just about every other DNS service provider will automatically split your input into multiple
<character-string> structures, but not Google.
You can use our DNS record splitter to split and quote a DKIM record in a format suitable for Google Cloud DNS.
DKIM will work without whitespace, but if you want to maintain whitespace for readability you should also quote the parts individually.
The Google Cloud DNS web interface is rather confusing when working with
TXT type resource records.
When working with
TXT resource records in Google Cloud DNS, follow these rules:
In almost all cases you would want to retain whitespace if you add it, so we believe the quote requirement is a bad UI decision from Google. Similarly, we believe Google shouldn't bother its users with manually working around the length limitations of DNS.
There is a support ticket about long text input support in the Google issue tracker, and we have opened a feature request about removing the quote requirement.