Free SPF & DMARC Record Generator
Tell us who sends email for your domain and get copy-paste DNS records - with lookup-limit checks and a safe rollout path from monitoring to full enforcement.
Who sends email for your domain?
How should unlisted senders be treated?
v=spf1 include:_spf.google.com ~allA domain must have exactly ONE SPF record. If you already have one, merge the include: entries into it instead of adding a second record.
After publishing: DNS changes take minutes to a few hours to propagate. Then run our email deliverability checker to confirm everything resolves correctly. Gmail and Yahoo now require SPF or DKIM plus DMARC for anyone sending bulk email - these records are no longer optional.
How to publish these records
Both records are TXT records added wherever your domain's DNS lives - usually your registrar (Namecheap, GoDaddy) or Cloudflare. The SPF record goes at the root of your domain (host "@"); the DMARC record goes at the host "_dmarc". Save, wait a few minutes to a few hours for DNS propagation, then verify with our email deliverability checker. Critical rule: a domain may have only ONE SPF record - if one already exists, merge the include: entries from this builder into it rather than adding a second.
The safe DMARC rollout path
Going straight to p=reject can silently kill legitimate mail you forgot about - an old invoicing tool, a CRM, a form plugin. The proven path: start at p=none with a reporting address (rua), watch the aggregate reports for two to four weeks to confirm every legitimate sender passes, then step up to p=quarantine, and finally p=reject. The pct setting lets you apply the stricter policy to a fraction of mail first - a further safety valve for cautious rollouts.
Frequently Asked Questions
~all (softfail) asks receivers to treat unlisted senders with suspicion - typically spam-foldering; -all (hardfail) tells them to reject outright. Start with ~all, and move to -all once you are confident every legitimate sending service is in the record.
The SPF standard caps the DNS queries a receiver will perform at 10; beyond that the check returns a permanent error, as if the record were broken. Each include: typically costs at least one lookup. This builder counts them and warns you before you cross the line.
No - exactly one per domain. Two SPF records cause a permanent SPF failure at receivers, the same as having none. If you add a new email service, append its include: mechanism to your existing record instead of creating another.
Any mailbox you control - a dedicated alias like [email protected] keeps the XML report emails out of your main inbox. The reports show which servers send as your domain and whether they pass authentication - the evidence you need before tightening the policy.
They fix the authentication half, which is foundational and now mandatory for bulk senders to Gmail and Yahoo. Sender reputation, list quality, engagement, and content still matter - but without SPF, DKIM, and DMARC in place, none of the rest gets a fair hearing.
Records Published but Emails Still Underperforming?
Authentication gets you to the inbox; strategy gets you opened. We build email programs - deliverability, automation, and campaigns that drive revenue.