Build correct SPF, DMARC, and DKIM DNS TXT records without memorising the syntax. Fill in the fields — IPs, include domains, policy, reporting addresses, DKIM selector and public key — and copy the ready-to-paste record strings instantly.
Paste the public key from your mail provider to build the TXT record.
DNS TXT record — <selector>._domainkey.your-domain.com
v=DKIM1; k=rsa; p=
Host name: default._domainkey
How to use DMARC / SPF / DKIM Generator
Enter the allowed IP addresses and include domains for your SPF record, choose a fail policy, and copy the generated TXT value to the @ record of your domain.
Select a DMARC policy (none to start monitoring, quarantine or reject for enforcement), add your reporting email addresses, and copy the record to _dmarc.your-domain.com.
Paste your DKIM public key from your mail provider, set the selector and key type, then copy the TXT record to <selector>._domainkey.your-domain.com.
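The three records from the steps above, built and validated in Python as an added example (not the generator's own code; the function names are hypothetical). It goes one step beyond the page by splitting long values into the 255-byte strings a TXT record holds, which a 2048-bit RSA DKIM key needs.

```python
import base64
import ipaddress
import re

# Hypothetical helper names, not the generator's code; pass your own values.
DOMAIN = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(\.[A-Za-z0-9_-]{1,63})+$")
MAILBOX = re.compile(r"^[^@\s,;!]+@[^@\s,;!]+\.[^@\s,;!]+$")

def spf_record(ips, includes, qualifier="~"):
    """SPF value for the bare domain. More than 10 include: terms always breaks the
    RFC 7208 DNS-lookup limit; "+all" is refused because it authorises every sender."""
    if qualifier not in ("-", "~", "?") or len(includes) > 10:
        raise ValueError("qualifier must be -, ~ or ?, with at most 10 includes")
    terms = ["v=spf1"]
    for ip in ips:
        net = ipaddress.ip_network(ip, strict=False)  # ValueError on malformed input
        single = net.prefixlen == net.max_prefixlen
        terms.append(f"ip{net.version}:{net.network_address if single else net}")
    for dom in includes:
        if not DOMAIN.match(dom):
            raise ValueError(f"bad include domain: {dom!r}")
        terms.append(f"include:{dom}")
    return " ".join(terms + [qualifier + "all"])

def dmarc_record(policy, rua, ruf=()):
    """DMARC value for _dmarc.<domain>; rua = aggregate, ruf = forensic mailboxes."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("policy must be none, quarantine or reject")
    tags = ["v=DMARC1", f"p={policy}"]
    for tag, boxes in (("rua", rua), ("ruf", ruf)):
        if any(not MAILBOX.match(b) for b in boxes):
            raise ValueError(f"bad {tag} address")
        if boxes:
            tags.append(f"{tag}=" + ",".join("mailto:" + b for b in boxes))
    return "; ".join(tags)

def dkim_record(selector, public_key, key_type="rsa"):
    """(host, value) for <selector>._domainkey; accepts a PEM block or bare Base64."""
    if key_type not in ("rsa", "ed25519") or not re.fullmatch(r"[A-Za-z0-9-]+", selector):
        raise ValueError("bad key type or selector")
    b64 = "".join(s.strip() for s in public_key.splitlines() if "-----" not in s)
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    # Ed25519: raw 32-byte key (RFC 8463). RSA: DER, so the first byte is SEQUENCE (0x30).
    if not (len(raw) == 32 if key_type == "ed25519" else raw[:1] == b"\x30"):
        raise ValueError("public key does not match key type")
    return f"{selector}._domainkey", f"v=DKIM1; k={key_type}; p={b64}"

def txt_strings(value):
    """Split a value into the <=255-byte character-strings one TXT record may carry."""
    return [value[i:i + 255] for i in range(0, len(value), 255)]
```

Most DNS control panels split long values for you; in a raw zone file, write the strings returned by `txt_strings` as consecutive quoted strings on one TXT record.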
What is DMARC / SPF / DKIM Generator?
SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) are three DNS-based email authentication standards that work together to prevent spoofing and phishing. Without them, anyone can forge your domain in the From header of an email.
SPF lists the mail servers authorised to send on behalf of your domain. DKIM adds a cryptographic signature to outgoing messages that receiving servers verify against a public key published in DNS. DMARC ties the two together with a policy that tells receiving servers what to do with messages that fail authentication, and where to send aggregate and forensic reports.
FAQ
Where do I publish these DNS records?
SPF goes as a TXT record on your bare domain (@ or example.com). DMARC goes on _dmarc.example.com as a TXT record. DKIM goes on <selector>._domainkey.example.com — the exact selector is provided by your email service provider.
Which DMARC policy should I start with?
Always start with p=none to collect reports without affecting mail delivery. Once you have analysed the rua reports and confirmed all legitimate senders are covered by SPF or DKIM, advance to p=quarantine and then p=reject.
Where do I get my DKIM public key?
Your email service provider (Google Workspace, Microsoft 365, SendGrid, Mailgun, etc.) generates the RSA or Ed25519 key pair for you. Find the public key in their admin panel under DKIM or domain authentication settings, then paste the Base64 value here.