DMARC/SPF/DKIM Generator
Free web tool: DMARC/SPF/DKIM Generator
DMARC Record
DNS TXT Record: _dmarc.example.com
v=DMARC1; p=reject; adkim=s; aspf=s
SPF Record Helper
DNS TXT Record: example.com
v=spf1 include:_spf.google.com ~all
DKIM
DKIM (DomainKeys Identified Mail) uses a selector and public key. The DNS record format is:
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE"
Your email provider (Google Workspace, Microsoft 365, etc.) will generate the public key for you.
About DMARC/SPF/DKIM Generator
The DMARC, SPF & DKIM Record Generator creates ready-to-publish DNS TXT records for all three major email authentication standards. In the DMARC section, you enter your domain, select a policy (none for monitoring, quarantine to send suspect mail to spam, or reject to block it), optionally provide aggregate report (rua) and forensic report (ruf) email addresses, and configure DKIM and SPF alignment strictness (relaxed or strict). The tool composes the complete DMARC record string in real time — for example: v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s — which you can copy with one click.
The SPF section lets you build your SPF record by toggling known provider include directives with a single click. The tool ships with quick-toggle buttons for the four most common email senders: Google Workspace (_spf.google.com), Microsoft 365 (spf.protection.outlook.com), Amazon SES (amazonses.com), and Zendesk (mail.zendesk.com). You can also enter a custom IPv4 CIDR range to whitelist your own mail server. The generated SPF record always ends with ~all (SoftFail) — a safe default that marks unauthorized senders as suspect without hard-rejecting them during a transition period.
The DKIM section provides a clear explanation of DomainKeys Identified Mail: it shows the exact DNS TXT record format (selector._domainkey.yourdomain TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY") and notes that your email provider (Google Workspace, Microsoft 365, etc.) generates the public key for you. All three records together form a complete email authentication stack that significantly reduces phishing, spoofing, and spam sent in the name of your domain.
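How the DMARC and SPF strings described above can be composed and validated before publishing, as an added example that is not the tool's own code. The function names, option names, and the order of ip4 before include terms are assumptions.

```javascript
// Added example (not the generator's code); all names are hypothetical.
const POLICIES = new Set(["none", "quarantine", "reject"]);
const ALIGNMENTS = new Set(["r", "s"]);

function assertMailbox(addr) {
  // Deliberately simple check: one "@", no whitespace or DMARC separators.
  if (!/^[^\s@,;!]+@[^\s@,;!]+\.[^\s@,;!]+$/.test(addr)) {
    throw new Error(`invalid report address: ${addr}`);
  }
  return `mailto:${addr}`;
}

function buildDmarc({ domain, policy, rua = [], ruf = [], adkim = "r", aspf = "r" }) {
  if (!POLICIES.has(policy)) throw new Error(`invalid policy: ${policy}`);
  if (!ALIGNMENTS.has(adkim) || !ALIGNMENTS.has(aspf)) {
    throw new Error("alignment must be r or s");
  }
  const tags = ["v=DMARC1", `p=${policy}`]; // v first, p second; the rest may follow in any order
  if (rua.length) tags.push(`rua=${rua.map(assertMailbox).join(",")}`);
  if (ruf.length) tags.push(`ruf=${ruf.map(assertMailbox).join(",")}`);
  tags.push(`adkim=${adkim}`, `aspf=${aspf}`);
  return { name: `_dmarc.${domain}`, value: tags.join("; ") };
}

function assertIp4Cidr(cidr) {
  // Four octets 0-255 and an optional prefix length 0-32.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(cidr);
  const ok = m !== null &&
    m.slice(1, 5).every((octet) => Number(octet) <= 255) &&
    (m[5] === undefined || Number(m[5]) <= 32);
  if (!ok) throw new Error(`invalid IPv4 CIDR: ${cidr}`);
  return `ip4:${cidr}`;
}

function buildSpf({ domain, includes = [], ip4 = [] }) {
  for (const host of includes) {
    if (!/^[A-Za-z0-9_.-]+$/.test(host)) throw new Error(`invalid include: ${host}`);
  }
  const terms = ["v=spf1", ...ip4.map(assertIp4Cidr),
    ...includes.map((host) => `include:${host}`), "~all"]; // SoftFail, as on the page
  return { name: domain, value: terms.join(" ") };
}
```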
Key Features
- Live DMARC record builder: domain, policy (none/quarantine/reject), rua/ruf addresses, DKIM and SPF alignment
- One-click toggle buttons for Google Workspace, Microsoft 365, Amazon SES, and Zendesk SPF includes
- Custom IPv4 CIDR field for adding your own mail server IP range to the SPF record
- SPF record always uses ~all (SoftFail) as a safe transition default
- DKIM format reference showing the correct selector._domainkey DNS record syntax
- Both DMARC and SPF outputs display the exact DNS record name (e.g., _dmarc.example.com)
- One-click copy for both DMARC and SPF records with separate "Copied!" feedback per record
- 100% client-side generation — domain names and email addresses never leave your browser
Frequently Asked Questions
What is DMARC and why do I need it?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication policy that tells receiving mail servers what to do with messages that fail authentication, meaning that neither SPF nor DKIM passes for a domain aligned with the From header. Without DMARC, anyone can send email that appears to come from your domain. Setting p=reject blocks these spoofed messages, protecting your brand reputation and your users from phishing attacks.
What is the difference between p=none, p=quarantine, and p=reject?
p=none is a monitoring-only policy — failing messages are delivered normally, but reports are sent to your rua address so you can audit traffic. p=quarantine moves failing messages to the spam/junk folder. p=reject instructs receiving servers to completely block and discard messages that fail authentication. Best practice is to start with none, analyze reports for a few weeks, then gradually move to quarantine and finally reject.
What is an rua address in DMARC?
The rua (Reporting URI for Aggregate) tag tells receiving mail servers where to send daily aggregate XML reports summarizing authentication pass/fail counts for your domain. These reports help you identify legitimate mail sources you may have missed in your SPF record and catch spoofing attempts. The address must be able to receive email, and if it is on a different domain, that domain needs a DMARC reporting authorization record.
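A check for the reporting authorization requirement mentioned above, as an added example that is not part of the tool. It lists the TXT record names that external report hosts must publish and flags the ones missing from a DNS snapshot. The function names, sample record and DNS data are constructed, and "same domain" is simplified to an exact or subdomain match.

```javascript
// Added example; function names are hypothetical.
function parseDmarc(txt) {
  const tags = new Map();
  for (const part of txt.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // empty segment, e.g. after a trailing ";"
    tags.set(part.slice(0, eq).trim().toLowerCase(), part.slice(eq + 1).trim());
  }
  if (tags.get("v") !== "DMARC1") throw new Error("not a DMARC record");
  return tags;
}

// Simplification: a report host counts as internal when it equals the policy
// domain or is a subdomain of it; receivers compare organizational domains.
function isInternal(host, policyDomain) {
  return host === policyDomain || host.endsWith(`.${policyDomain}`);
}

// Names of the TXT records that external report hosts must publish.
function requiredAuthorizations(policyDomain, txt) {
  const tags = parseDmarc(txt);
  const domain = policyDomain.toLowerCase();
  const names = new Set();
  for (const tag of ["rua", "ruf"]) {
    for (const uri of (tags.get(tag) || "").split(",")) {
      const m = /^mailto:[^@\s]+@([^!\s]+)/i.exec(uri.trim());
      if (!m) continue; // not a mailto: URI
      const host = m[1].toLowerCase();
      if (!isInternal(host, domain)) names.add(`${domain}._report._dmarc.${host}`);
    }
  }
  return [...names];
}

// dnsTxt: Map of record name -> array of TXT strings. Constructed here; a real
// check would resolve each name instead.
function missingAuthorizations(policyDomain, txt, dnsTxt) {
  return requiredAuthorizations(policyDomain, txt).filter(
    (name) => !(dnsTxt.get(name) || []).some((v) => /^v=DMARC1\b/.test(v.trim()))
  );
}

// Constructed sample data.
const SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com," +
  "mailto:agg@reports.example.net; ruf=mailto:f@reports.example.net";
const SAMPLE_DNS = new Map([["example.com._report._dmarc.reports.example.net", ["v=DMARC1"]]]);
```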
What is the difference between relaxed and strict DKIM/SPF alignment?
Alignment refers to how closely the domain in the From header must match the domain authenticated by DKIM or SPF. Relaxed (adkim=r / aspf=r) allows subdomains — so mail.example.com passes for example.com. Strict (adkim=s / aspf=s) requires an exact domain match. Start with relaxed to avoid breaking legitimate mail flows, then tighten to strict once you have full visibility into your mail sources.
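The alignment rule above as a small evaluator, added here as an example and not taken from the tool: a message passes DMARC when SPF or DKIM passes for a domain aligned with the From domain. The function names are hypothetical, and the suffix set is a constructed stand-in for the Public Suffix List that real evaluators use to find the organizational domain.

```javascript
// Added example; names are hypothetical.
// Constructed suffix list for the samples; real evaluators use the Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);

function orgDomain(domain, suffixes = SAMPLE_SUFFIXES) {
  const labels = domain.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // Scanning from the left finds the longest matching suffix first.
    if (suffixes.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return labels.slice(-2).join("."); // fallback when no suffix is known
}

// mode "s": exact match; mode "r": same organizational domain.
function aligned(fromDomain, authDomain, mode) {
  const a = fromDomain.toLowerCase();
  const b = authDomain.toLowerCase();
  return mode === "s" ? a === b : orgDomain(a) === orgDomain(b);
}

// from: domain in the From header
// spf:  { result, domain } where domain is the envelope sender (MAIL FROM) domain
// dkim: array of { result, domain }, one entry per signature (its d= domain)
function dmarcResult({ from, spf, dkim = [], adkim = "r", aspf = "r" }) {
  const spfAligned = spf.result === "pass" && aligned(from, spf.domain, aspf);
  const dkimAligned = dkim.some(
    (sig) => sig.result === "pass" && aligned(from, sig.domain, adkim)
  );
  return { spfAligned, dkimAligned, pass: spfAligned || dkimAligned };
}
```

A forwarded message whose SPF check fails still passes when its DKIM signature verifies for the From domain, while an SPF pass for an unrelated domain contributes nothing.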
What is SPF and how does it work?
SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorized to send email for your domain. When a receiving server gets a message claiming to be from you, it checks whether the sending IP is listed in your SPF record. The ~all at the end means unlisted senders are treated as SoftFail (suspect), while -all would mean HardFail (reject).
What does include:_spf.google.com mean in an SPF record?
The include: mechanism delegates authorization to another domain's SPF record. include:_spf.google.com tells receiving servers to also check Google's own SPF record, which covers all of Google Workspace's sending IP ranges. If you send email through Google Workspace, you must include this. Similarly, include:spf.protection.outlook.com covers Microsoft 365.
What is DKIM and why is it separate from DMARC/SPF?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email. The signature is generated by your mail provider using a private key, and the corresponding public key is published in your DNS as a TXT record at selector._domainkey.yourdomain. Recipients verify the signature against the DNS public key. Because the signature travels with the message, DKIM survives mail forwarding where SPF often fails.
Do I need all three records (DMARC, SPF, DKIM)?
Yes, for robust email authentication you need all three. SPF verifies the sending server. DKIM verifies the message has not been tampered with. DMARC uses the results of both SPF and DKIM to enforce your chosen policy and collect reports. Major email providers like Google and Microsoft now require a valid DMARC record to ensure inbox delivery for bulk senders.