How to Query TXT Records (SPF/DKIM/DMARC) Using nslookup on Windows



When troubleshooting DNS configurations or verifying email authentication records (SPF, DKIM, DMARC), querying TXT records is essential. The Windows nslookup tool can accomplish this, but requires proper syntax.

For Windows 7/10/11, use this command structure:

nslookup -q=TXT example.com

Or the alternative format:

nslookup
set type=TXT
example.com

Problem: Getting "Non-existent domain" error
Solution: Ensure you're querying the actual domain (not subdomain) and that DNS is properly configured.

Problem: Only getting SOA records in response
Solution: Verify that the domain has TXT records using online tools like digwebinterface.com or mxtoolbox.com.

Querying SPF record:

nslookup -q=TXT google.com

Querying DMARC record:

nslookup -q=TXT _dmarc.google.com

For more detailed DNS information:

  • Resolve-DnsName (PowerShell):
    Resolve-DnsName -Type TXT example.com -Server 8.8.8.8
  • dig (from BIND package):
    dig example.com TXT

A typical TXT record response looks like:

Non-authoritative answer:
example.com text =
    "v=spf1 include:_spf.google.com ~all"

This SPF record authorizes the servers listed in Google's _spf.google.com record to send mail for the domain; ~all marks mail from any other source as a soft fail.


Windows nslookup can be tricky when querying TXT records due to its interactive behavior. The command you tried:

nslookup -type=TXT example.com

actually works, but might not show results immediately because nslookup enters interactive mode. Here's how to get direct output:

Method 1: Non-interactive Single Command

nslookup -type=TXT example.com 8.8.8.8

Adding a DNS server (like Google's 8.8.8.8) forces non-interactive mode and shows results immediately.

Method 2: Using Interactive Mode Properly

nslookup
> set type=TXT
> example.com
> exit

For more powerful DNS queries:

  • dig (via BIND tools): dig example.com TXT
  • PowerShell: Resolve-DnsName example.com -Type TXT

For SPF (a common TXT record type) verification:

nslookup -type=TXT google.com 8.8.8.8

Non-authoritative answer:
google.com text =

        "v=spf1 include:_spf.google.com ~all"
        "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"

Additional tips:

  • If using corporate DNS, try public DNS (8.8.8.8, 1.1.1.1)
  • For long TXT records, ensure your terminal width can display full lines
  • Check for typos in the domain name

nslookup displays TXT records with quotes and line breaks. Multiple strings in a record are concatenated when used by applications.
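
The concatenation rule above, as an added example (not part of the original article): a PowerShell function that rebuilds each TXT value from captured nslookup output by joining its quoted strings, then goes one step further by labelling SPF/DMARC/DKIM records and warning when a name carries more than one SPF record. The function name ConvertFrom-NslookupTxt and the sample output are constructed for illustration.

```powershell
# Added example: rebuild TXT record values from captured nslookup output.
function ConvertFrom-NslookupTxt {
    param([string[]]$Lines)
    $records = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s+text\s*=\s*$') {
            # A "name  text =" header starts a new TXT record.
            if ($current) { $records += $current }
            $current = [pscustomobject]@{ Name = $Matches[1]; Strings = @() }
        }
        elseif ($current -and $line -match '^\s*"(.*)"\s*$') {
            # Each quoted line is one string of the current record.
            $current.Strings += $Matches[1]
        }
    }
    if ($current) { $records += $current }
    foreach ($r in $records) {
        # Join the strings with no separator, as mail software does.
        $value = $r.Strings -join ''
        $kind = switch -Regex ($value) {
            '^v=spf1( |$)' { 'SPF';   break }
            '^v=DMARC1'    { 'DMARC'; break }
            '^v=DKIM1'     { 'DKIM';  break }
            default        { 'Other' }
        }
        [pscustomobject]@{ Name = $r.Name; Kind = $kind; Strings = $r.Strings.Count; Value = $value }
    }
}

# Constructed sample output (not captured from a real domain): one SPF
# record split into two strings, plus an unrelated verification record.
$sample = @'
Non-authoritative answer:
example.com     text =

        "v=spf1 include:_spf.google.com "
        "ip4:192.0.2.0/24 ~all"
example.com     text =

        "site-verification=constructed-placeholder"
'@ -split '\r?\n'

$parsed = ConvertFrom-NslookupTxt -Lines $sample
$parsed | Format-List

# More than one SPF record on a name is a permanent error (RFC 7208).
$parsed | Where-Object Kind -eq 'SPF' | Group-Object Name |
    Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Multiple SPF records on $($_.Name)" }
```

To check a live domain, pass the command's output directly: ConvertFrom-NslookupTxt -Lines (nslookup -type=TXT example.com 8.8.8.8).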