SPF / DMARC / DKIM Record Builder — Generate DNS Email Records

Build SPF, DMARC, and DKIM DNS records visually with live preview, validation, and one-click copy. Generate DKIM RSA key pairs in your browser. Includes presets, plain-English explanations, and DNS lookup commands. Runs in your browser — nothing is sent to a server.

Email DNS Record Builder

SPF Record Builder (TXT record on root domain)
DNS Record
v=spf1 mx -all
DKIM Key Generator (RSA key pair generated in your browser)
DMARC Record Builder (TXT record on _dmarc.domain)
DNS Record
v=DMARC1; p=none
Combined DNS Records (all three records together)
SPF — TXT record on @
v=spf1 mx -all
DKIM — TXT record on selector1._domainkey.example.com
Generate keys in the DKIM tab first
DMARC — TXT record on _dmarc.example.com
v=DMARC1; p=none
DNS Lookup Guide

After adding these records to your DNS provider, verify them with these commands:

Check SPF
dig TXT example.com +short | grep "v=spf1"
nslookup -type=TXT example.com
Check DKIM
dig TXT selector1._domainkey.example.com +short
nslookup -type=TXT selector1._domainkey.example.com
Check DMARC
dig TXT _dmarc.example.com +short
nslookup -type=TXT _dmarc.example.com
Online Check

You can also use online tools to verify your records: MXToolbox, DMARC Analyzer, or Kitterman SPF Validator.

How to Use the Email Record Builder

  1. Enter your domain name at the top — all records and lookup commands update automatically.
  2. SPF tab — add mechanisms (include, mx, a, ip4, ip6) to specify which servers can send email for your domain. Use presets for common providers.
  3. DKIM tab — choose a selector and key size, then click Generate Keys. Publish the TXT record value in DNS and keep the private key secret.
  4. DMARC tab — set your policy (none/quarantine/reject), reporting addresses, and alignment mode. Start with "none" to monitor before enforcing.
  5. Combined View — see all three records together with ready-to-use dig commands to verify they're published correctly.
  6. Copy any record with the Copy button, then paste it into your DNS provider's control panel.

Understanding SPF, DKIM, and DMARC

SPF (Sender Policy Framework) specifies which IP addresses and mail servers are authorized to send email on behalf of your domain. It's published as a TXT record on your root domain. Receiving servers look up the SPF record for the envelope sender's domain and check whether the connecting server is authorized by it, to verify the message wasn't spoofed.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The public key is published in DNS, and receiving servers use it to verify the message wasn't modified in transit. This provides email integrity and authentication.

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when SPF or DKIM checks fail, and where to send aggregate and forensic reports. It ties SPF and DKIM together with alignment requirements.

Best practice: Start with DMARC policy none to collect reports, review them for 2-4 weeks, then move to quarantine and eventually reject once you're confident legitimate mail is passing authentication.

Frequently Asked Questions

SPF verifies the sending server's IP is authorized. DKIM proves the email wasn't tampered with using cryptography. DMARC tells receiving servers how to handle failures and where to send reports. All three work together for comprehensive email authentication.

Yes. Start with p=none to monitor your email ecosystem without affecting delivery. Review aggregate reports (rua) for 2-4 weeks to identify all legitimate sending sources, then graduate to quarantine and finally reject.

2048-bit is the current recommended standard. 1024-bit keys are still accepted but considered weak for long-term use. Some older systems have issues with 2048-bit keys due to DNS TXT record length limits — if you encounter issues, 1024-bit is a fallback. Always use at least 1024-bit.

SPF allows at most 10 mechanisms that trigger DNS lookups (include, mx, a, exists, redirect) per evaluation. Each nested include counts as a lookup. Exceeding 10 causes a PermError. Use ip4/ip6 where possible, since they do not consume lookups.
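The lookup limit is easy to exceed without noticing, because nested includes are counted too. The following is an added example, not part of the builder's own code: it walks an SPF record tree and counts the lookup-triggering terms. The ZONE dictionary, all domain names in it, and the function names are constructed for illustration.

```python
# Added example. ZONE is constructed sample data standing in for live TXT
# lookups; every domain name in it is hypothetical.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailer.test "
                   "include:_spf.crm.test ip4:192.0.2.10 -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test "
                        "include:_b.mailer.test include:_c.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.test": "v=spf1 a mx ~all",
    "_c.mailer.test": "v=spf1 exists:%{i}.bl.mailer.test ~all",
    "_spf.crm.test": "v=spf1 include:_x.crm.test mx ~all",
    "_x.crm.test": "v=spf1 ip6:2001:db8::/32 ~all",
    # Same senders with the mailer includes flattened to ip4 ranges.
    "flat.example.com": "v=spf1 mx include:_spf.crm.test ip4:192.0.2.10 "
                        "ip4:198.51.100.0/24 -all",
}
# Terms the page lists, plus ptr, which RFC 7208 also counts.
LOOKUP_TERMS = {"include", "mx", "a", "exists", "redirect", "ptr"}
LIMIT = 10

class SPFPermError(Exception):
    pass

def count_lookups(domain, zone=ZONE, _state=None):
    """Walk the record tree and return the number of lookup-triggering terms."""
    state = _state if _state is not None else {"n": 0}
    record = zone.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        raise SPFPermError(f"no SPF record at {domain}")
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" carry a CIDR
        if name not in LOOKUP_TERMS:
            continue
        state["n"] += 1
        if state["n"] > LIMIT:  # also stops include loops
            raise SPFPermError(f"lookup {state['n']} reached in {domain}")
        if name in ("include", "redirect"):
            count_lookups(target, zone, state)
    return state["n"]

def check(domain, zone=ZONE):
    """Return ("ok", count) or ("permerror", reason) for a domain."""
    try:
        return ("ok", count_lookups(domain, zone))
    except SPFPermError as exc:
        return ("permerror", str(exc))
```

The record at example.com shows only four lookup terms at the top level but crosses the limit inside the second include, while the flattened variant stays at four.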

Relaxed (r): subdomains of the From domain are allowed to align (e.g., mail.example.com aligns with example.com). Strict (s): only an exact domain match is accepted. Relaxed is the default and works for most setups. Strict is more secure but can break if you use subdomains for sending.
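The difference between the two alignment modes, as an added example that is not the builder's own code: it parses the adkim/aspf tags from a DMARC record and decides whether a message passes or falls through to the published policy. PUBLIC_SUFFIXES is a small constructed stand-in for the Public Suffix List, and the function names are hypothetical.

```python
# Added example. PUBLIC_SUFFIXES is a constructed stand-in for the
# Public Suffix List, which a real implementation would load in full.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def org_domain(domain):
    """Return the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; adkim=s' into a tag dictionary."""
    parts = (part.partition("=") for part in record.split(";"))
    tags = {k.strip(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def aligned(from_domain, auth_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) compares org domains."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)

def dmarc_result(record, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain are the domains that passed SPF / DKIM.

    Returns "pass" when either one aligns with the From domain, otherwise
    the policy the record asks receivers to apply.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(
        from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(
        from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
```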

Yes. Use different selectors (e.g., selector1, selector2, google) for each key. This is common when you use multiple email providers or want to rotate keys without downtime. Each key is published at selector._domainkey.yourdomain.com.

Use Cases

SPF Record Setup

Set up SPF records for domain authentication to specify which mail servers are authorized to send email on behalf of your domain.

DKIM Configuration

Configure DKIM for email signing to add cryptographic signatures that verify email integrity and prevent tampering in transit.

DMARC Policy Creation

Create DMARC policies to tell receiving servers how to handle authentication failures and where to send reporting data.

Email Spoofing Prevention

Prevent email spoofing by implementing proper authentication records that verify sender identity and domain ownership.

Deliverability Troubleshooting

Troubleshoot email deliverability issues by verifying and optimizing your SPF, DKIM, and DMARC records for better inbox placement.