Google's popular Cloud DNS service is mostly excellent, but the interface is rather confusing when it comes to adding TXT type resource records.
If you are not careful, Google will effectively strip all whitespace from your input. Also, when trying to enter a long text, such as a DKIM public key, you might encounter an uninformative "invalid record data" error.
In this article we'll dive into the background on why this error occurs and how you can solve it.
TL;DR: You'll need to split long values into parts of 255 characters and wrap your input in double quotes. You can use our DNS record splitter to do that.
Both these issues are filed in the Google Issue Tracker, see here and here.
How TXT resource records work
As defined in RFC1035, a DNS TXT resource record contains one or more <character-string> structures.
A <character-string> is a structure that is used extensively in DNS to transfer text strings. It consists of a length byte, followed by that number of text characters.
Because the length indicator is only 1 byte in size, the maximum length of a <character-string> is 255 characters (bytes). This is also the reason why domain names have a maximum length of 255 characters.
Sometimes more than 255 characters of length is needed, so a TXT resource record can contain multiple <character-string> structures.
A DNS client must combine all the parts into one single value to reconstruct the original text. No whitespace is to be added in between the parts.
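The encoding described above, as an added example that is not part of the original article: the RDATA of a TXT record is serialised as a sequence of length-prefixed <character-string> structures, a resolver splits them back apart on the length bytes, and the client concatenates the parts without any separator. The helper names and the 400-byte sample value are constructed for this illustration.

```python
# Added example (not from the original article): encode and decode the RDATA of a
# DNS TXT record as the <character-string> sequence defined in RFC 1035.

MAX_CHARACTER_STRING = 255  # the length prefix is a single byte, so 0..255


def split_character_strings(data: bytes, size: int = MAX_CHARACTER_STRING) -> list[bytes]:
    """Split a value into chunks that each fit in one <character-string>.

    An empty value still yields one (empty) part, because a TXT record must
    contain at least one <character-string>."""
    if size < 1 or size > MAX_CHARACTER_STRING:
        raise ValueError("chunk size must be between 1 and 255 bytes")
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def encode_txt_rdata(parts: list[bytes]) -> bytes:
    """Serialise parts as length byte + bytes, one after the other."""
    out = bytearray()
    for part in parts:
        if len(part) > MAX_CHARACTER_STRING:
            raise ValueError(f"part of {len(part)} bytes does not fit a 1-byte length")
        out.append(len(part))
        out += part
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> list[bytes]:
    """Walk the RDATA, reading a length byte and then that many bytes each time."""
    parts = []
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        if pos + length > len(rdata):
            raise ValueError("truncated <character-string> in TXT RDATA")
        parts.append(rdata[pos:pos + length])
        pos += length
    return parts


def txt_value(parts: list[bytes]) -> bytes:
    """What a DNS client reconstructs: the parts joined with nothing in between."""
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed sample: a 400-byte value, the size of a typical DKIM public key.
    long_value = b"A" * 400
    parts = split_character_strings(long_value)
    wire = encode_txt_rdata(parts)
    print(len(parts), "parts,", len(wire), "bytes of RDATA")  # 2 parts, 402 bytes of RDATA
    assert txt_value(decode_txt_rdata(wire)) == long_value

    # The unquoted input from the article: five separate parts, no whitespace served.
    print(txt_value([b"this", b"is", b"a", b"TXT", b"record"]))  # b'thisisaTXTrecord'
```

The 402-byte figure is the 400 payload bytes plus one length byte per part; that extra byte per part is the only overhead of splitting, which is why every other provider can do it silently.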
When using Google Cloud DNS, the first thing you might notice is that Google wants you to wrap a TXT value with double quotes if it contains spaces. If you don't add quotes, every word in the value will be stored (and thus served) as a separate <character-string>.
So if you enter the value this is a TXT record without quotes as TXT data on Google Cloud DNS, Google will actually serve 5 <character-string> structures in the TXT resource record.
These parts will be combined by a DNS client without whitespace.
Using dig, we see the result:
mailhardener.com. 300 IN TXT "thisisaTXTrecord"
Note that the quotes in the result are added by dig for readability; they were not in the response from the DNS service.
Almost all other DNS service providers assume that you want to include the whitespace characters, so they will not require you to add quotes.
One of the most common mistakes with SPF configuration is double quoting, which comes as no surprise given the ambiguity of quote requirements by DNS service providers.
For DKIM, DMARC, MTA-STS and SMTP TLS reporting DNS records, you don't actually need spaces and so you don't really need quotes either.
Take for example this DMARC record:
v=DMARC1; p=reject; rua=mailto:dmarc@in.mailhardener.com
The key/value pairs are separated by a semicolon, any whitespace is ignored.
So you could also write it as:
v=DMARC1;p=reject;rua=mailto:dmarc@in.mailhardener.com
Both configurations do exactly the same, although the latter is less readable.
So, for most email security related records you can actually ignore the warning and enter your TXT data value without quotes into Google Cloud DNS.
The only exception here is SPF, because SPF actually uses whitespace as the separator for the matching terms. When working with SPF you must use quotes. Again, note that this requirement is pretty specific to Google Cloud DNS; other DNS service providers might not require these quotes and setting them will cause double quoting. Always double-check your changes with dig.
When inserting a long string into the Google Cloud DNS interface, you might encounter an uninformative "invalid record data" error.
The invalid record data error is returned by Google when TXT data input is longer than 255 characters. This usually happens with DKIM records, as those tend to be quite long.
To fix this, you'll need to split your string into 255 character parts.
That's right, the biggest automation company on the planet wants you to manually break your record in 255 byte parts. They won't do it for you.
Just about every other DNS service provider will automatically split your input into multiple <character-string> structures, but not Google.
You can use our DNS record splitter to split and quote a DKIM record in a format suitable for Google Cloud DNS.
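The splitting and quoting rules for the Google Cloud DNS console, both for long values and for the whitespace behaviour described earlier, as an added example that is not the article's own DNS record splitter: format_for_gcloud produces the quoted 255-character parts the console accepts, and gcloud_txt_parts is a model of how the console, according to this article, turns input into <character-string> parts (quoted text kept whole, unquoted text split on whitespace). The function names, the model, and the sample DKIM and SPF values are constructed for this illustration.

```python
# Added example (not the article's DNS record splitter): prepare a long TXT value
# for the Google Cloud DNS console and check what will actually be served.

PART_SIZE = 255  # maximum <character-string> length


def format_for_gcloud(value: str, size: int = PART_SIZE) -> str:
    """Split a value into parts of at most `size` characters, double quote each
    part and separate the parts with a space, as the console expects."""
    if not value.isascii():
        # Email security records are ASCII; for other text the 255 limit is in
        # bytes, not characters, so split the encoded bytes instead.
        raise ValueError("only ASCII values are handled by this formatter")
    if '"' in value:
        raise ValueError("value contains a double quote, which would end a part early")
    parts = [value[i:i + size] for i in range(0, len(value), size)] or [""]
    return " ".join(f'"{part}"' for part in parts)


def gcloud_txt_parts(user_input: str) -> list[str]:
    """Model of the console behaviour the article describes: a double-quoted run
    becomes one part; unquoted text is split on whitespace, one part per word."""
    parts, i, n = [], 0, len(user_input)
    while i < n:
        c = user_input[i]
        if c.isspace():
            i += 1  # whitespace between parts is dropped
        elif c == '"':
            end = user_input.find('"', i + 1)
            if end == -1:
                raise ValueError("unterminated double quote")
            parts.append(user_input[i + 1:end])
            i = end + 1
        else:
            end = i
            while end < n and not user_input[end].isspace() and user_input[end] != '"':
                end += 1
            parts.append(user_input[i:end])
            i = end
    return parts


def served_value(parts: list[str]) -> str:
    """What a DNS client sees after joining the parts without separators."""
    return "".join(parts)


def check_round_trip(value: str) -> bool:
    """True when the formatted input is accepted in <=255-char parts and the
    value a client reconstructs equals what you meant to publish."""
    parts = gcloud_txt_parts(format_for_gcloud(value))
    return all(len(p) <= PART_SIZE for p in parts) and served_value(parts) == value


if __name__ == "__main__":
    # Constructed sample DKIM record (318 characters): needs two parts.
    dkim = "v=DKIM1; k=rsa; p=" + "A" * 300
    print(format_for_gcloud(dkim))
    print(check_round_trip(dkim))  # True

    # Constructed SPF record entered without quotes: the spaces are lost.
    spf = "v=spf1 include:_spf.example.com -all"
    print(served_value(gcloud_txt_parts(spf)))  # v=spf1include:_spf.example.com-all
```

The SPF case is the one to watch: entered unquoted, the mechanisms run together into a single term that no receiver will parse as intended, while the same value wrapped in quotes round-trips unchanged.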
DKIM will work without whitespace, but if you want to maintain whitespace for readability you should also quote the parts individually.
The Google Cloud DNS web interface is rather confusing when working with TXT type resource records.
When working with TXT resource records in Google Cloud DNS, follow these rules:
In almost all cases you would want to retain whitespace if you add it, so we believe the quote requirement is a bad UI decision from Google. Similarly, we believe Google shouldn't bother its users with manually working around the length limitations of DNS.
There is a support ticket about long text input support in the Google issue tracker, and we have opened a feature request about removing the quote requirement.