SPF & DMARC Record Generator
Answer a few questions and get copy-paste ready SPF and DMARC TXT records, with a built-in check for the SPF 10-lookup limit.
SPF Record
Select every service that sends mail using your domain, then add any of your own servers.
DMARC Record
DMARC tells receivers what to do when a message fails SPF or DKIM, and where to send reports.
How To Use These Records
Email authentication rests on two records you publish in DNS. SPF lists the servers allowed to send mail for your domain. DMARC ties the results together and tells receivers what to do when a message fails. This tool builds both. The third piece, DKIM, is generated by your sending platform rather than by hand — more on that below.
Anatomy Of An SPF Record
An SPF record is a single TXT record that begins with v=spf1 and ends with an all qualifier. Between them sit mechanisms that authorize senders: include: for a third-party service, ip4: and ip6: for your own servers, and a or mx to authorize the addresses already in your DNS. The qualifier at the end decides the verdict for everyone else.
Start with ~all while you confirm every legitimate sender is listed. Once you are confident, tighten to -all so unauthorized mail is rejected. Avoid +all — it authorizes the entire internet to send as your domain.
The 10-Lookup Limit
SPF allows a maximum of ten DNS lookups when a receiver evaluates your record. Each include, a, and mx mechanism counts against that budget, and many provider includes consume several lookups on their own. Exceed ten and the record returns a PermError, which causes legitimate mail to fail. This generator counts your top-level mechanisms and warns you as you approach the limit. When you are close, consolidate senders or use a single provider that relays the rest.
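An added example (not this generator's code) that goes one step beyond a top-level count: it follows nested includes to total every lookup a receiver would make. The zone data and domain names are constructed placeholders, and counting ptr, exists and redirect comes from RFC 7208 rather than from this page.

```python
# Constructed TXT data standing in for live DNS; every name is a placeholder.
LEAF = "v=spf1 ip4:198.51.100.0/24 ~all"
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example "
                   "include:_spf.desk.example ip4:203.0.113.10 ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example "
                           "include:_b.mailer.example include:_c.mailer.example ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx ~all",
    "_spf.desk.example": "v=spf1 include:_net.desk.example a ~all",
    "_a.mailer.example": LEAF, "_b.mailer.example": LEAF,
    "_c.mailer.example": LEAF, "_net.desk.example": LEAF,
}
LIMIT = 10  # lookup budget per SPF evaluation (RFC 7208)
# Besides include, a and mx, RFC 7208 also counts ptr, exists and redirect=.
QUERYING = {"a", "mx", "ptr", "exists"}


def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms for `domain`, following include/redirect."""
    if domain in seen:
        raise ValueError(f"SPF include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # nothing to expand (record absent from the sample data)
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            name, arg = "include", term.split("=", 1)[1]
        else:
            name, _, arg = term.partition(":")
            name = name.split("/")[0]  # drop a CIDR suffix such as a/24
        if name == "include":
            total += 1 + count_lookups(arg, zone, seen + (domain,))
        elif name in QUERYING:
            total += 1
    return total


def audit(domain, zone):
    """Compare a top-level-only count with the full recursive count."""
    top = count_lookups(domain, {domain: zone[domain]})
    total = count_lookups(domain, zone)
    return {"top_level": top, "total": total, "permerror": total > LIMIT}


if __name__ == "__main__":
    print(audit("example.com", ZONE))
```

In the sample data the root record shows only four lookup mechanisms, yet the nested includes bring the total to eleven, which is over the limit.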
Anatomy Of A DMARC Record
A DMARC record is a TXT record published at _dmarc.yourdomain. It starts with v=DMARC1 and a policy: p=none monitors without enforcing, p=quarantine sends failures to spam, and p=reject blocks them. The rua tag is the address that receives the daily aggregate reports that show you who is sending as your domain.
Roll out in stages. Begin at p=none with a reporting address and watch the reports for a couple of weeks. Move to quarantine, then to reject only once the reports show your legitimate mail passing. Jumping straight to reject before you have read your reports is the most common way to lose real mail.
Where To Publish Each Record
Both records are TXT records, added at your DNS host or domain registrar. Publish the SPF record on the domain root. Publish the DMARC record on the _dmarc hostname. The exact host field each provider expects appears beneath each record above.
What About DKIM?
DKIM is not something you write by hand. Your email platform generates a public and private key pair, keeps the private key, and gives you a public-key TXT record to publish at a selector hostname it chooses. Follow your provider’s DKIM setup, publish the record they give you, then confirm all three are live with the SPF, DKIM, and DMARC checker.
Related Tools & Resources
After publishing, verify everything with the email authentication checker and confirm the records resolved using the DNS record checker or the DNS propagation checker. To inspect mail routing, run an MX lookup. For background, read about reverse DNS and deliverability and every DNS record type.