Lots of services need to validate ownership of a domain, especially for sending email or creating SSL certificates.

Creating a TXT record at the domain root (@) is a common practice, and I think it should be avoided. Many services ask you to add their verification value to this same record. That creates several concerns:

  1. It leaks information about which 3rd-party services you use (or have used). This is a minor security issue, but one that is not necessary.
  2. The process for adding multiple values to a single record is inconsistent between DNS providers, meaning that instructions have to be provider-specific. Instructions for GoDaddy are different from those for CloudFlare.
  3. Most DNS providers don’t support comments on records, and the record names are often not self-explanatory. You end up with many lines and don’t know which belongs to which service. To make matters worse, records are rarely removed when you stop using a service, so the list grows forever.

A better practice is to use either TXT or CNAME records at service-specific hostnames (e.g. google-verification-randomstring.mydomain.com) that contain a verification string or hostname. This avoids all of the problems above: the name can’t be guessed, and each record is separate. Either the hostname or the value should indicate which service the record is for. A random value like 25376de5f10046a853b1395e756cbf66 doesn’t tell me what service it belongs to (I’m looking at you, AWS Certificate Manager).