SPF & DMARC Record Generator
Create and customize SPF and DMARC DNS records for your domain to improve email deliverability and security.
What the generator creates
This tool helps draft SPF and DMARC TXT records for domains that send email through their own servers, Google Workspace, Microsoft 365, marketing platforms, or other SaaS providers.
SPF mechanisms to understand
SPF records can use a, mx, ip4, ip6, include, exists, and an ending such as ~all or -all. Include only systems that are allowed to send mail for the domain.
Example Google Workspace SPF: v=spf1 include:_spf.google.com ~all. Example Microsoft 365 SPF: v=spf1 include:spf.protection.outlook.com -all.
DMARC policy basics
DMARC starts with monitoring using p=none, then can move to quarantine or reject after SPF/DKIM alignment is verified. Aggregate reports use rua=mailto:; forensic reports use ruf=mailto: and may contain sensitive data.
Where to publish records
SPF is published as a TXT record on the sending domain, usually example.com. DMARC is published at _dmarc.example.com. Avoid multiple SPF TXT records on the same host.
Related tools
Validate records with Email Auth Checker, inspect DNS with DNS Lookup, flatten complex SPF with SPF Flattener, and test delivery with SMTP Tester.
DMARC Rollout Strategy: None → Quarantine → Reject
Never start with p=reject. Begin with p=none; rua=mailto:reports@example.com — monitor for 2-4 weeks while collecting aggregate reports. Verify all legitimate senders pass SPF and DKIM with alignment. Then move to p=quarantine; pct=10 — apply quarantine to 10% of failing mail. Gradually increase pct to 100. Finally switch to p=reject when you are confident no legitimate mail is failing authentication.
CLI Equivalent
dig +short example.com TXT | grep spf
# Show current DMARC:
dig +short _dmarc.example.com TXT