Skip to main content
DNSnexus
Free Developer Tools
DNS
Email
Network
Webmaster
Security
IP
Guides
Live Tools
60+
Categories
6
Result URLs
Shareable
Availability
24/7
DNSnexus
Free Developer Tools
Free DNS, email, network, and security diagnostics with crawlable tool pages and shareable result URLs.
Run DNS CheckBrowse All Tools
Popular Tools
DNS Propagation CheckerDNS LookupWHOIS LookupSPF Record CheckerDMARC CheckerSSL Certificate CheckerPort Scanner
Quick Path
Fix Email Deliverability
Quick Path
Troubleshoot DNS Changes
Quick Path
Validate SSL & Open Ports
DNS Tools
A Record LookupAAAA Record LookupCERT LookupCNAME LookupDNS CheckDNS LookupDNS Propagation CheckerDNSKEY LookupDS LookupIPSECKEY LookupLOC LookupNS LookupNSEC LookupNSEC3PARAM LookupReverse DNS LookupRRSIG LookupSOA LookupSRV LookupTXT LookupWHOIS Lookup
Email Tools
BIMI LookupBlacklist CheckDKIM CheckerDMARC CheckerDMARC Report AnalyzerEmail Deliverability ReportEmail Header AnalyzerEmail Health ReportGoogle/Yahoo Compliance CheckerMicrosoft Compliance CheckerMTA-STS LookupMX Record LookupSMTP TestSPF Record Checker
Network Tools
HTTP LookupHTTPS LookupMAC Address GeneratorMAC Address LookupOnline TraceroutePingSubnet Calculator
Webmaster Tools
HTTP Headers CheckSearch Presence CheckWebsite Link AnalyzerWebsite Operating System CheckWebsite Redirect CheckerWhat is My User Agent?
Security Tools
DKIM Record GeneratorDMARC GeneratorDomain DNS Security CheckEmail Security CheckerPort ScannerSPF GeneratorSSL Certificate CheckerWebsite Vulnerability Scanner
IP Tools
ARIN LookupASN LookupIP Blacklist CheckIP Geolocation LookupWhat Is My IP
Company
All Tools DirectoryGuides & PlaybooksAbout DNSnexusContactAPI DocsPrivacy PolicyTerms & ConditionsCookie Policy
© 2026 DNSnexus — DNS, Email, Network & Security Tool Platform
All ToolsAboutContactPrivacyTerms
Home › Guides › DNS Diagnostics › How to Add a TXT Record in Amazon Route 53
DNS Diagnostics•8 min•Published 2026-03-01

How to Add a TXT Record in Amazon Route 53

Domain verification for Google Workspace, SES, or an SPF/DKIM setup on AWS almost always comes down to the same task: add a TXT record to the hosted zone in Route 53. The console form is straightforward, but Route 53's TXT-specific quoting rules — and its 255-character-per-string limit — trip up more people than the actual navigation does.

Quick Answer
In the Route 53 console, open Hosted zones → your domain → Create record, choose Simple routing, set Record type to TXT, leave Record name blank for the root domain (never type @), wrap the value in double quotes, and set a TTL (300–3600 seconds). Route 53 propagates new records to all its name servers within about 60 seconds.

What Is a TXT Record and How Route 53 Stores It

A TXT (text) record is a DNS record type that stores arbitrary text data at a hostname, defined in RFC 1035 §3.3.14. Route 53 requires every TXT value to be enclosed in double quotation marks, and per the Route 53 TXT record type documentation, each individual quoted string is capped at 255 characters. Values longer than that — a common case for DKIM public keys — must be split into multiple quoted strings on the same line: "String 1" "String 2". The combined value across all strings in one record can run up to 4,000 characters.

Route 53 also requires escaping for two ranges of special characters: octal codes 000–040 and 177–377 (control characters and extended ASCII), using the format \NNN where NNN is the three-digit octal code. A literal quotation mark inside a value needs a backslash: \". Most verification tokens and SPF/DKIM strings use only printable ASCII, so this rarely comes up — but it matters if a TXT value ever contains an accented character or a raw byte from a copy-paste error.

AWS also explicitly deprecates the legacy SPF record type: per their own guidance, "its use is no longer appropriate for SPF version 1" (aligned with RFC 7208 §14.1), and recommends publishing SPF values as a TXT record instead — which is what every major mail provider's setup instructions already assume. If you're building an SPF value from scratch, see the SPF Record Generator guide before pasting it into Route 53.

Step-by-Step: Adding a TXT Record in the Route 53 Console

  1. Sign in to the AWS Management Console and open the Route 53 service.

  2. Choose "Hosted zones" in the left navigation, then click the name of the hosted zone for the domain you're editing (for example, example.com).

  3. Click "Create record." This opens the record-creation form for that hosted zone.

  4. Choose "Simple routing" as the routing policy, then click Next, followed by Define simple record.

  5. Set Record name. Leave this field blank to create the record at the zone apex (example.com itself). For a subdomain — _dmarc.example.com or google._domainkey.example.com — enter only the subdomain portion (_dmarc or google._domainkey); Route 53 appends the zone name automatically. Unlike some registrar panels, Route 53 does not use @ to mean the root — typing @ literally creates a record for @.example.com, which is wrong.

  6. Set Record type to TXT.

  7. Enter the Value, wrapped in double quotes. Paste the exact string your provider gave you — "v=spf1 include:_spf.google.com ~all" for SPF, or the full DKIM public key block for a selector record. If the value exceeds 255 characters, split it into multiple quoted strings on the same line: "part-one-up-to-255-chars" "part-two".

  8. Set the TTL. 300 seconds (5 minutes) is a reasonable default while you're still verifying; raise it to 3600 (1 hour) once the record is confirmed working.

  9. Click "Create records." According to AWS's own documentation, changes generally propagate to all Route 53 name servers within about 60 seconds — but the third party checking the record may cache DNS answers on its own schedule, independent of Route 53's speed.

  10. Confirm the record resolves before re-checking with the verifying service — see the CLI and tool checks below.

Adding a TXT Record via the AWS CLI

For scripted or repeatable deployments, use change-resource-record-sets with a JSON change batch instead of the console:

Code
# change-batch.json
cat > change-batch.json << 'EOF'
{
  "Comment": "Add SPF TXT record",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "example.com",
        "Type": "TXT",
        "TTL": 300,
        "ResourceRecords": [
          { "Value": "\"v=spf1 include:_spf.google.com ~all\"" }
        ]
      }
    }
  ]
}
EOF
Code
# Apply the change batch to your hosted zone
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1R8UBAEXAMPLE \
  --change-batch file://change-batch.json

Note the doubled quoting in the JSON Value field — the outer "..." is JSON string syntax, and the inner \"..\" is the literal double-quote Route 53 requires around every TXT string. Use UPSERT instead of CREATE in the Action field when updating a record that already exists, since CREATE fails if a record of that name and type is already present.

Record Name Reference Table

PurposeRecord name (in Route 53)Example valueTypical caller
Root domain verification(blank)"google-site-verification=abc123..."Google Search Console
SPF record(blank)"v=spf1 include:_spf.google.com ~all"Any mail provider
DKIM selector[selector]._domainkey"v=DKIM1; k=rsa; p=MIGfMA0G..."Google Workspace, SES
DMARC policy_dmarc"v=DMARC1; p=quarantine; rua=mailto:..."DMARC report tools
ACME wildcard cert challenge_acme-challenge"[token from CA]"Let's Encrypt, cert clients
SES domain verification_amazonses"[verification token]"Amazon SES

The Record name field is the most common source of TXT failures in Route 53 — typing @ for the apex, or duplicating the domain suffix on a subdomain record, produces a record that saves successfully but never matches what the verifying service looks up.

Common Issues & Troubleshooting

Problem: The record saved, but AWS or Google can't find it during verification. Cause: usually a Record name mismatch — @ typed for the apex (Route 53 doesn't use @), or the zone name appended twice on a subdomain record (_dmarc.example.com.example.com). Fix: re-open the record and confirm Record name is blank for the apex, or exactly the subdomain portion with no trailing zone name, then re-verify with dig (below).

Problem: SPF stopped working after adding a second mail provider's TXT record. Cause: two separate v=spf1 records now exist at the same name. Per RFC 7208 §4.5, a domain must publish exactly one SPF record — two or more causes a PermError, which most receivers treat as an outright fail. Fix: merge both include: mechanisms into a single v=spf1 string and use UPSERT to replace the existing record rather than creating a second one. See the SPF Record Generator guide.

Problem: A long DKIM key gets rejected or looks truncated in the console. Cause: DKIM public keys frequently exceed the 255-character-per-string limit that Route 53 enforces on each quoted string within a TXT value. Fix: split the value into multiple quoted strings on the same line — "part1" "part2" — rather than pasting one unbroken string over 255 characters. See the DKIM Selector guide for selector-naming specifics.

Problem: change-resource-record-sets fails with "Tried to create resource record set... but it already exists." Cause: the CLI change batch used "Action": "CREATE" for a record name/type combination that's already present in the hosted zone. Fix: change the action to "Action": "UPSERT", which creates the record if it doesn't exist or replaces it if it does.

Problem: Record looks correct in Route 53 but a global checker still shows the old value. Cause: Route 53 itself propagates within about 60 seconds, but resolvers elsewhere continue serving the previous cached answer until the record's old TTL expires. Fix: wait out the previous TTL, or query Route 53's authoritative name servers directly with dig to confirm the new value already saved correctly server-side.

Key Takeaways

  • ✓ In Route 53, leave Record name blank for a root-domain TXT record — never type @, which Route 53 treats as a literal label.
  • ✓ Per Route 53's TXT format rules, each quoted string is capped at 255 characters; split longer values (common with DKIM keys) into multiple "..." "..." strings on one line, up to 4,000 characters total.
  • ✓ A domain must have exactly one v=spf1 TXT record (RFC 7208 §4.5) — a second one causes PermError, not additive stacking.
  • ✓ Route 53 propagates new records to its own name servers within about 60 seconds; downstream resolver caching (governed by the previous record's TTL) is a separate, often slower, factor.
  • ✓ Use UPSERT instead of CREATE in CLI change batches when a record of that name and type may already exist.

Frequently Asked Questions

Q: What do I put in Record name for a root-domain TXT record in Route 53?

Leave it blank. Route 53 treats an empty Record name field as the zone apex (example.com itself) — typing @ creates a record for the literal label @.example.com, which is incorrect.

Q: How long does a TXT record take to propagate in Route 53?

AWS states that changes generally propagate to all Route 53 name servers within about 60 seconds. Full global visibility can still lag behind that, since other resolvers cache the previous record until its old TTL expires.

Q: Why does Route 53 reject my long DKIM TXT value?

Each quoted string within a Route 53 TXT value is limited to 255 characters. Split the value into multiple quoted strings on the same line ("part1" "part2") instead of one string over the limit — the combined value can total up to 4,000 characters.

Q: Can I add a TXT record with the AWS CLI instead of the console?

Yes — use aws route53 change-resource-record-sets with a JSON change batch specifying "Type": "TXT" and a double-quoted Value. Use "Action": "UPSERT" if a record of that name and type might already exist, since CREATE fails on a duplicate.

Q: Do I need to escape special characters in a Route 53 TXT value?

Only if the value contains characters in the octal ranges 000–040 or 177–377 (control characters or extended ASCII) — these need a \NNN octal escape, and a literal quotation mark needs a backslash (\"). Standard SPF, DKIM, and verification-token strings rarely require this.

Q: Why does my SPF record still fail after I fixed the TXT record?

Check for a duplicate v=spf1 record at the same name first — that's the most common cause of PermError. If there's only one, confirm you're under the 10-DNS-lookup limit per RFC 7208 §4.6.4, since include: mechanisms count toward it even after the syntax is correct.

Next Steps

Once the record is saved, confirm it resolves correctly with the DNS Lookup tool and check global propagation with the DNS Propagation Checker. If verification still fails after the record looks correct, confirm your domain's name servers actually point to Route 53 using the NS Lookup tool, or check for a stale reverse mapping with Reverse DNS Lookup. For deeper background on TXT record syntax and other record types, see DNS TXT Records Explained. Managing DNS at a different provider instead? See How to Add a TXT Record in Cloudflare, How to Add a TXT Record in GoDaddy, How to Add a TXT Record in Namecheap, or How to Add a TXT Record in Porkbun for the equivalent steps.

Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.

On this page
  • What Is a TXT Record and How Route 53 Stores It
  • Step-by-Step: Adding a TXT Record in the Route 53 Console
  • Adding a TXT Record via the AWS CLI
  • Record Name Reference Table
  • Common Issues & Troubleshooting
  • Key Takeaways
  • Frequently Asked Questions
  • Next Steps
Related links
Dns LookupDns Propagation CheckerNs LookupReverse DnsDns Txt Records ExplainedSpf Record Generator Guide
Related Tools
DNS Propagation Checker→DNS Check→DNS Lookup→A Record Lookup→