Build SPF, DKIM, and DMARC records in one place. This version is single-column, includes provider presets,
copy buttons, recommendations, SPF lookup estimation, DMARC reporting help, and guidance on where to get DKIM values.
1. Domain
What to enterRecommended
Enter the exact domain you are configuring, like example.com. Do not include https://,
slashes, or an email address.
Recommendation: Start with your root sending domain. If marketing or bulk mail uses a different subdomain,
consider using a separate subdomain like mail.example.com for better isolation and reporting.
2. Provider preset
How to useFaster setup
Pick your mail provider to prefill common SPF values and DKIM selector suggestions. You can still edit everything manually.
3. SPF record
What SPF isWatch lookup limitRecommended
SPF tells receiving mail systems which servers are allowed to send mail for your domain.
Keep SPF as short as possible. The practical processing limit is 10 DNS lookups.
Recommendation: Use -all once you're confident the record is complete.
Use ~all only during a short transition or testing period.
4. DKIM record
What DKIM isWhere to get itRecommended
DKIM adds a cryptographic signature to outbound email so receiving systems can verify it was sent by an authorized source and was not altered in transit.
Where the DKIM info comes from
Microsoft 365: Defender DKIM settings
Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate Email
SendGrid: Settings → Sender Authentication
Proofpoint: Domains → Configure DKIM
What you usually receive
A selector like selector1 or google
Either a TXT public key or a CNAME target
Instructions from the mail provider for exactly what DNS record to publish
Open DKIM setup pages
These links are meant to take the user to the right admin area after login when the provider supports a stable page URL.
Click the provider link and sign in with an admin account.
If the platform supports deep linking, it should open the DKIM setup page directly.
If not, it should still land you close to the correct admin area.
Proofpoint does not appear to expose a universal tenant deep link, so this one opens the official setup guide.
Recommendation: Enable DKIM in your mail platform first, then copy the exact selector and target/public key it provides.
If the provider offers 2048-bit DKIM, use that unless they document otherwise.
5. DMARC policy
What DMARC isHow to enter itRecommended rollout
DMARC tells receiving mail systems what to do when SPF or DKIM checks fail, and where to send aggregate reports.
It is the policy layer that ties SPF and DKIM together.
Recommended rollout
Start with p=none to monitor
Move to p=quarantine after validation
Move to p=reject when all senders are aligned
Reporting advice
Create a real mailbox like dmarc@yourdomain.com
Review reports regularly, especially after changes
Use a mailbox or service you will actually monitor
6. Recommendations
Best practiceBefore publishing
These recommendations are general and safe defaults for most organizations. Adjust them based on your actual sending systems.
Recommended defaults
Use only the SPF includes you truly need
Enable DKIM for every outbound platform
Use a dedicated DMARC mailbox
Publish DMARC only after SPF and DKIM are working
Common mistakes to avoid
Putting two SPF TXT records on the same host
Leaving old providers in SPF after migration
Using the wrong selector from the mail platform
Going straight to DMARC reject before testing
For Microsoft 365, Microsoft often uses DKIM CNAME records rather than a pasted TXT public key.
For Google Workspace, the selector is often google unless you generated a custom one.
For SendGrid and some secure email gateways, authentication may create multiple DNS records, not just one.
7. Generate records
Ready to build
Click generate to build DNS-ready values. The buttons stay above the output section as requested.
8. Output
Copy and paste into DNS
These are generated helper values. Always compare them against your provider's official setup instructions before publishing.
SPF record
SPF output will appear here.
DKIM record
DKIM output will appear here.
DMARC record
DMARC output will appear here.
Notes: SPF should exist only once per hostname. DKIM is supplied by the sending platform. DMARC works best after SPF and DKIM are both passing alignment checks.