SPF, DKIM, and DMARC records are notoriously easy to break with a single typo. Generator tools eliminate syntax errors and guide you through the logic—which IPs to authorize, which policy to enforce, and how to stage the rollout. This guide walks through each generator, covers provider-specific DKIM setup, and provides a proven deployment order.
Why Manual Creation Is Error-Prone
Email authentication records have strict syntax rules and subtle interactions. Common manual errors include:
- Mistyped SPF mechanisms (
inclue:instead ofinclude:) that silently disable authorization. - Exceeding the 10 DNS lookup limit in SPF without realizing nested includes count.
- Using
+allinstead of~allor-all—authorizing the entire internet to send as your domain. - Publishing a DMARC record with
p=rejectbefore verifying all legitimate senders pass SPF/DKIM. - Forgetting the
v=version tag or placing it anywhere other than the start of the record.
📖 Definition — An email authentication record generator is a tool that produces syntactically correct DNS TXT records for SPF, DKIM, or DMARC based on your inputs—authorized senders, policy preferences, and reporting addresses.
SPF Generator Walkthrough
An SPF generator builds a valid v=spf1 ... all record by asking you to select your authorized senders:
1. Enter your domain — The generator queries existing SPF records to show your current configuration.
2. Add authorized sources — Select your email providers (Google Workspace, Microsoft 365, SendGrid, etc.). The tool adds the correct include: mechanisms.
3. Add custom IPs — If you run your own mail server, add its IP with the ip4: or ip6: mechanism.
4. Choose the default policy — ~all (softfail) during testing, -all (hardfail) for production enforcement.
5. Validate — The tool checks for duplicate includes, counts DNS lookups, and flags if you exceed the 10-lookup limit.
; Example generated SPF record
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 ~all"⚠️ Each include:, a, mx, and redirect mechanism triggers a DNS lookup. Nested includes count too. Exceeding 10 total lookups causes a PermError—all SPF checks fail.
DKIM Setup by Provider
DKIM requires generating a key pair and publishing the public key as a DNS TXT record. Each provider handles key generation differently:
| Provider | Selector | Key Generation | DNS Record |
|---|---|---|---|
| Google Workspace | google | Admin Console → Apps → Gmail → Authenticate email → Generate new record | Publish at google._domainkey.example.com |
| Microsoft 365 | selector1, selector2 | Defender portal → Email authentication → DKIM → Enable | CNAME to selector1-example-com._domainkey.example.onmicrosoft.com |
| SendGrid | s1, s2 | Settings → Sender Authentication → Authenticate domain | CNAME records provided by SendGrid |
| Mailchimp | k1 | Website → Domains → Authenticate → DKIM setup | CNAME to Mailchimp-provided host |
| Custom (OpenDKIM) | Your choice | opendkim-genkey -s selector -d example.com | Publish selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=..." |
💡 Use 2048-bit RSA keys minimum. Some providers default to 1024-bit—upgrade if given the option. The longer key may require splitting across multiple 255-byte DNS strings, which providers handle automatically.
DMARC Generator Walkthrough
A DMARC generator produces a valid v=DMARC1; ... record for the _dmarc.example.com subdomain:
1. Select policy (p=) — Start with none (monitoring only), then escalate to quarantine, and finally reject.
2. Set subdomain policy (sp=) — Optionally set a different policy for subdomains. Defaults to the main policy if omitted.
3. Add aggregate report address (rua=) — Specify where aggregate XML reports are sent: mailto:dmarc-reports@example.com.
4. Add forensic report address (ruf=) — Optional. Many receivers won't send these due to privacy.
5. Set alignment (adkim= / aspf=) — r (relaxed) allows subdomain alignment; s (strict) requires exact domain match.
6. Set percentage (pct=) — Apply the policy to a percentage of failing messages. Use pct=10 during rollout, then increase to 100.
; Example generated DMARC record (monitoring phase)
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r; pct=100"
; Example generated DMARC record (enforcement phase)
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100"Recommended Deployment Order
Deploy email authentication records in this order to avoid breaking legitimate mail:
Phase 1: SPF — Publish an SPF record with all known senders and ~all (softfail). Monitor for 2 weeks.
Phase 2: DKIM — Enable DKIM signing on every sending service. Verify signatures with a DKIM checker. Allow 1–2 weeks for propagation confirmation.
Phase 3: DMARC p=none — Publish DMARC with p=none and rua= to collect reports. Analyze reports for 4–6 weeks.
Phase 4: DMARC p=quarantine — After fixing all legitimate failures, move to quarantine at pct=25, gradually increasing.
Phase 5: DMARC p=reject — Once quarantine shows no legitimate failures, enforce reject at pct=100.
🚫 Never skip straight to p=reject without a monitoring phase. Legitimate mail from forgotten third-party senders will be silently dropped.
Post-Deployment Monitoring
After deploying all three records:
- Process DMARC aggregate reports weekly to catch new senders or misconfigurations.
- Run SPF, DKIM, and DMARC checks after any DNS change or sender onboarding.
- Monitor email deliverability metrics in your email platform's dashboard.
- Set alerts for SPF lookup count approaching 10 (e.g., when adding new SaaS vendors).
- Rotate DKIM keys annually with a two-key overlap period to avoid downtime.
When to Use Generators vs Manual
| Scenario | Approach | Why |
|---|---|---|
| Initial setup or new domain | Generator | Eliminates syntax errors and guides through options |
| Adding a new email provider | Generator | Validates that the new include doesn't exceed the lookup limit |
| Minor SPF tweak (one IP change) | Manual | Simple substitution; generator overhead unnecessary |
| Complex multi-domain enterprise setup | Manual + Validation | Generators may not handle subdomain delegation or advanced SPF macros |
| Troubleshooting a failing record | Generator + Checker | Regenerate the record and compare against the current one to find the diff |
Best Practices
- Always generate records, then validate with a checker before publishing to DNS.
- Follow the SPF → DKIM → DMARC deployment order.
- Use a staging/monitoring period at each phase before escalating DMARC policy.
- Keep a changelog of all email authentication DNS changes.
- Test with real email sends after every DNS update—don't rely solely on DNS checks.
Common Mistakes
| Mistake | Impact | Fix |
|---|---|---|
| Publishing multiple SPF records | SPF PermError; all checks fail | Merge into a single TXT record with multiple include: |
Deploying DMARC p=reject first | Legitimate email from third-party senders is dropped | Start at p=none and escalate gradually |
| Forgetting to enable DKIM signing | DKIM always fails; DMARC alignment breaks | Enable signing in every email platform and verify with a checker |
| Not counting nested SPF lookups | Exceeding 10 lookups; SPF PermError | Use a generator that counts lookups recursively |
| Publishing DKIM key as a separate TXT record instead of at the selector subdomain | DKIM verification fails—key not found | Publish at selector._domainkey.example.com, not example.com |
Tools
SPF Generator — Build a valid SPF record with lookup counting and duplicate detection.
DMARC Generator — Create a DMARC record with policy, reporting, and alignment options.
DKIM Checker — Verify a published DKIM key and test signature validation.
SPF Checker — Validate your SPF record syntax and count DNS lookups.
DMARC Checker — Verify your DMARC record syntax and policy configuration.
References
- 📄 RFC 7208 — Sender Policy Framework (SPF)
- 📄 RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
- 📄 RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- 📄 Google Workspace — Set up SPF to prevent spoofing
- 📄 Microsoft 365 — Configure DKIM signing
🚀 Free ToolZilla tools used in this article
All client-side, no signup, no upload — open them in a new tab while you read:
- 🔧 SPF Generator — try it free in your browser.
- 🔧 DMARC Generator — try it free in your browser.
- 🔧 DKIM Checker — try it free in your browser.
- 🔧 SPF Checker — try it free in your browser.
- 🔧 DMARC Checker — try it free in your browser.
- 🧰 Browse all 60+ free tools →
🎯 Use generators to eliminate syntax errors, but always validate the output with checkers before publishing. Deploy in order—SPF, then DKIM, then DMARC—and never skip the monitoring phase. A rushed p=reject deployment is the fastest way to break your legitimate email.