Domain Security Info
Tags
Updated May 1, 2026, 8:32 AM
Managing tags#
Tags are pattern-matching rules that identify services in DNS records. When a domain's DNS record matches a tag pattern, the tool displays a colored badge showing the service name. There are three types of tags: TXT record tags, MX record tags, and NS record tags.
How tags work#
- A user looks up a domain.
- The tool fetches the domain's DNS records.
- For each DNS record, the tool checks the tag database for a matching pattern.
- If a match is found, the tool displays the associated brand badge and service name.
Without tags, DNS records would appear as raw text with no identification. Tags turn aspmx.l.google.com into a badge that says "Google Workspace."
TXT record tags#
TXT record tags identify services in TXT records. TXT records are used for email authentication (SPF), domain verification, and many other purposes.
How TXT tag matching works#
The tool tries three matching methods in order:
- Exact match โ The TXT record exactly equals the pattern (case-insensitive).
- Prefix match โ The TXT record starts with the pattern. This is the most common method.
- Regex match โ The TXT record matches a regular expression pattern. This is for complex patterns.
The tool stops at the first match.
TXT tag fields#
| Field | Required | Description |
|---|---|---|
| Pattern | Yes | The text to match against TXT records. For prefix matching, use the beginning of the record (for example, google-site-verification=). |
| Brand | No | The associated brand. Determines the badge color and name. |
| Service name | No | A custom name for the service (for example, "Google Search Console"). If not set, the brand name is used. |
| Color | No | Override the brand's default color for this specific tag. |
| URL | No | A link to the service. Makes the badge clickable. |
Common TXT tag patterns#
| Pattern | Service |
|---|---|
| v=spf1 | SPF email authentication |
| google-site-verification= | Google Search Console |
| MS= | Microsoft 365 |
| facebook-domain-verification= | Meta (Facebook) |
| stripe-verification= | Stripe |
| docusign= | DocuSign |
| atlassian-domain-verification= | Atlassian |
| apple-domain-verification= | Apple |
| _globalsign-domain-verification= | GlobalSign |
| amazonses: | Amazon SES |
Creating a TXT tag#
- Go to TXT Tags in the navigation.
- Click Add TXT Tag.
- Enter the pattern. Use the beginning of the record for prefix matching. Include the
=sign if the record format uses one. - Select a brand from the dropdown (or leave blank for an unbranded tag).
- Enter a service name (optional โ defaults to the brand name).
- Enter a color override (optional โ defaults to the brand color).
- Enter a URL (optional โ makes the badge clickable).
- Click Save.
Tips for TXT patterns#
- Include the delimiter. For verification records, include the
=sign:google-site-verification=(not justgoogle-site-verification). - Be specific enough to avoid false positives.
v=spf1is a good pattern because only SPF records start with it. - Use prefix matching when possible. It's simpler and faster than regex.
- Test your pattern by looking up a domain that has the record you're trying to match.
MX record tags#
MX record tags identify email providers in MX (mail exchange) records.
How MX tag matching works#
The tool tries two matching methods in order:
- Exact match โ The MX record hostname exactly equals the pattern (case-insensitive).
- Suffix match โ The MX record hostname ends with the pattern. This is the most common method.
MX tag fields#
| Field | Required | Description |
|---|---|---|
| Pattern | Yes | The text to match against MX hostnames. For suffix matching, use the end of the hostname (for example, .google.com). |
| Brand | No | The associated brand. |
| Service name | No | A custom name (for example, "Google Workspace", "Microsoft 365"). |
| Color | No | Override the brand's default color. |
| URL | No | A link to the service. |
Common MX tag patterns#
| Pattern | Service |
|---|---|
| .google.com | Google Workspace |
| .protection.outlook.com | Microsoft 365 |
| .pphosted.com | Proofpoint |
| .mimecast.com | Mimecast |
| .mailgun.org | Mailgun |
| .messagelabs.com | Broadcom Email Security |
| .zoho.com | Zoho Mail |
| .qq.com | Tencent QQ Mail |
Creating an MX tag#
- Go to MX Tags in the navigation.
- Click Add MX Tag.
- Enter the pattern. Use the end of the hostname (including the leading dot) for suffix matching.
- Select a brand, enter a service name, color, and URL as needed.
- Click Save.
Tips for MX patterns#
- Include the leading dot for suffix matching:
.google.com(notgoogle.com). This prevents matching a domain likenotgoogle.com. - Use the broadest suffix that's still accurate.
.google.commatches all Google MX servers. - Check that the pattern doesn't accidentally match unrelated services.
NS record tags#
NS record tags identify DNS providers in NS (nameserver) records.
How NS tag matching works#
The tool tries several matching methods:
- Verified domain inheritance โ If the nameserver hostname is under a verified domain, it inherits the verified domain's brand.
- Special patterns โ Some providers use unique patterns (like
.awsdns-for AWS Route 53). - Exact match โ The NS record hostname exactly equals the pattern.
- Suffix match โ The NS record hostname ends with the pattern.
NS tag fields#
| Field | Required | Description |
|---|---|---|
| Pattern | Yes | The text to match against nameserver hostnames. |
| Brand | No | The associated brand. |
| Service name | No | A custom name (for example, "Cloudflare DNS", "AWS Route 53"). |
| Color | No | Override the brand's default color. |
| URL | No | A link to the service. |
Common NS tag patterns#
| Pattern | Service |
|---|---|
| .ns.cloudflare.com | Cloudflare DNS |
| .awsdns- | AWS Route 53 |
| .googledomains.com | Google Cloud DNS |
| .azure-dns.com | Azure DNS |
| .nsone.net | NS1 |
| .dynect.net | Oracle Dyn |
| .ultradns.com | Neustar UltraDNS |
| .domaincontrol.com | GoDaddy DNS |
Creating an NS tag#
- Go to NS Tags in the navigation.
- Click Add NS Tag.
- Enter the pattern. For most providers, use the domain suffix.
- Select a brand, enter a service name, color, and URL as needed.
- Click Save.
Tips for NS patterns#
- AWS Route 53 uses a special pattern โ
.awsdns-โ because Route 53 nameservers use dynamic naming likens-1234.awsdns-56.org. - Some providers use multiple domains for their nameservers. You may need multiple tags for the same brand.
- Verified domain inheritance means you don't always need NS tags. If the nameserver domain is a verified domain, the brand is inherited automatically.
Searching and filtering tags#
All tag pages support:
- Search โ Filter by pattern text (partial matches work).
- Brand filter โ Show only tags for a specific brand.
- Sort โ Sort by pattern, brand, creation date, or usage count.
Bulk operations#
You can import multiple tags at once:
- Go to the appropriate tag page (TXT, MX, or NS).
- Click Bulk Import.
- Provide tag data in JSON or CSV format.
- Review the preview to check for errors.
- Click Import.
Tag performance caching#
When looking up a domain with many similar DNS records, the tool uses per-request caching to avoid redundant database queries:
- NS and MX records: Cached by domain suffix. If
ns1.google.comandns2.google.comboth match the same tag, the database is only queried once. - TXT records: Cached by record prefix. If multiple
google-site-verification=records exist, the database is only queried once.
This caching is automatic and invisible to admin users. It improves performance without affecting accuracy.
Revision history#
Every tag change is recorded. Each revision shows what changed, when, and who made the change. You can view the revision history from the tag's detail page.