Incorrect TXT record "v=spf1 -all" found at

I have a local domain:, which is the domain name for my application, Domino Lotus Notes.

Therefore, I would like to create a wildcard domain for IAM services: *

However, when I run the following command I get the following error.

certbot certonly --manual --preferred-challenges dns -m -d -d *
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for and *

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Type: unauthorized
Detail: Incorrect TXT record "v=spf1 -all" found at

Type: unauthorized
Detail: Incorrect TXT record "v=spf1 -all" found at

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.
Ask for help or search for solutions at See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

I added one more TXT record when the system requested it.

You say "local domain". Is that domain name actually in your possession and under your control? I.e., will remote DNS servers be able to resolve the resource records for this domain?


Yes, I could, so I have attached a screen dump with the DNS name:
I have a web application that is using the same domain name to show the records at Domino Lotus Notes.


Are you sure that it doesn't work for you due to split DNS / being in some internal network / VPN?


To clarify what Osiris is asking you: is actually registered to you or your organisation? Like, your organisation is the official registrant of the domain, according to ICANN?

It appears to be owned by a domain portfolio company. I am not convinced that you own the domain.

You will be unable to get a Let's Encrypt certificate for this domain unless you have control of this domain on the internet. Having the domain resolve on your internal network is not sufficient.


No. It is just an internal domain only, not officially registered according to ICANN.
Do you mean that I could not create a Let's Encrypt certificate for the internal testing domain?

What should I do if I require a trusted CA certificate for the testing environment?

It is just an internal testing network that should not connect to the Internet.

You cannot obtain valid certificates (in the sense of: trusted by browsers without installing your own root CA certificate) from any public CA for an internal domain name. Neither from Let's Encrypt, nor from any other public CA. This is part of the CA/B Forum Baseline Requirements that all browsers and CAs agreed upon (Baseline Requirements | CAB Forum).


To elaborate on why this is:

Anyone could generate a non-publicly trusted certificate for any hostname. E.g., I could generate a certificate for using my own locally generated CA. If my locally generated CA would be trusted by browsers, I could do a Man in the Middle attack for!

Luckily, browsers only trust, by default, a certain set of root certificates of publicly trusted CAs. And these CAs need to abide by the rules mentioned earlier to keep the trust in their certificates. Without trust, the whole system collapses.
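As an added illustration of the route the reply above leaves open for a test network (your own root CA, imported into the clients that need it), here is a small openssl script that builds a private root CA, issues a wildcard certificate for an internal name, and verifies the chain the way a client trusting that root would. It is not from any reply in this thread or from Let's Encrypt; the zone name corp.internal, the file names and the validity periods are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): private root CA for an internal,
# non-registered domain. "corp.internal" and all file names are placeholders.
set -eu

issue_internal_cert() (
    # Subshell + throwaway directory so the function leaves nothing behind.
    dir=$(mktemp -d)
    cd "$dir"

    # 1. Root CA. CA:TRUE in basicConstraints is what lets a client that has
    #    imported ca.crt accept certificates this key signs.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Internal Test Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null

    # 2. Leaf key and CSR for the internal wildcard name.
    cat > leaf.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = *.corp.internal
EOF
    openssl req -newkey rsa:2048 -nodes -config leaf.cnf \
        -keyout leaf.key -out leaf.csr 2>/dev/null

    # 3. Leaf extensions. Modern clients match the subjectAltName, not the CN,
    #    so both the wildcard and the bare name go into the SAN list.
    cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.corp.internal,DNS:corp.internal
EOF
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 90 -extfile leaf.ext -out leaf.crt 2>/dev/null

    # 4. Chain check as a client that trusts ca.crt would perform it.
    result=$(openssl verify -CAfile ca.crt leaf.crt)
    cd /
    rm -rf "$dir"
    printf '%s\n' "$result"   # prints "leaf.crt: OK"
)

issue_internal_cert
```

Distribute only ca.crt (never ca.key) to the test clients' trust stores; the leaf certificate then validates for *.corp.internal exactly as a public one would, while remaining meaningless outside the network that imported that root.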


That entry would only answer to:[unknown-chararcter-zone]


When I change to use the domain name, the result still fails.
Surely I would have the access rights of, since my valid email is [redacted]

Having an email address at a domain doesn't automatically give anyone the right to add TXT records into the domain zone.

You would need to add a TXT record into the authoritative DNS servers for that domain, namely: nameserver = nameserver =

[which is likely by way of a GoDaddy domain control web page/panel]


I have added the TXT record, but it still failed.

You need to put the TXT record in the public-facing DNS server, not the local server, if you do actually control that domain.

It would need to resolve globally.
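To make concrete what the validator in the first post's error is looking for, here is an added shell example (not from this thread or from certbot) showing which name the DNS-01 challenge queries, what value must be there, and how an "Incorrect TXT record ... found" result comes about when only some other record answers at that name. The token, account-key thumbprint and the zone corp.example are constructed values; the name and value rules follow RFC 8555 section 8.4.

```shell
#!/bin/sh
# Added example (not from the thread): DNS-01 challenge name, expected value,
# and a comparison against whatever a resolver returned. All inputs constructed.
set -eu

# Name the CA queries for a requested identifier: "_acme-challenge." in front
# of the name, after dropping the leading "*." of a wildcard. So a base name
# and its wildcard are validated at the SAME TXT name.
acme_txt_name() {
    name=${1#\*.}
    printf '_acme-challenge.%s\n' "$name"
}

# Expected TXT value: base64url(SHA-256(token "." thumbprint)), no padding.
# certbot --manual prints this value and asks you to publish it.
acme_txt_value() {
    printf '%s.%s' "$1" "$2" | openssl dgst -sha256 -binary \
        | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Compare the records a resolver returned (one per line on stdin) with the
# expected value. Returns 0 on a match; otherwise prints what was found, which
# is the situation behind an "unauthorized ... Incorrect TXT record" error.
check_txt_records() {
    expected=$1
    found=$(cat)
    if printf '%s\n' "$found" | grep -qxF "$expected"; then
        echo "match: $expected"
        return 0
    fi
    echo "no match; records found: $(printf '%s' "$found" | tr '\n' ' ')"
    return 1
}

# Stand-alone demo with constructed token and thumbprint.
TOKEN="Qm9ndXNUb2tlbkZvckRlbW9Pbmx5"
THUMB="Qm9ndXNUaHVtYnByaW50Rm9yRGVtbw"
EXPECTED=$(acme_txt_value "$TOKEN" "$THUMB")

# Requesting corp.example AND *.corp.example means two challenge records must
# coexist at this one name (a second value, not a replacement of the first).
acme_txt_name "corp.example"
acme_txt_name "*.corp.example"

# What the CA sees when only an SPF string answers at that name:
printf 'v=spf1 -all\n' | check_txt_records "$EXPECTED" || true
# What it sees once the challenge record is also published there:
printf 'v=spf1 -all\n%s\n' "$EXPECTED" | check_txt_records "$EXPECTED"
```

The record has to be answered by the nameservers listed for the domain in public DNS; a TXT record in an internal zone, or a query that returns only an unrelated string such as the SPF record above, produces exactly the "unauthorized" result shown in the opening post.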

