SPF & DMARC Record Generator

Build correct SPF and DMARC TXT records without memorising the syntax. Select your email senders, set your policy and reporting address, then copy the ready-to-publish records directly into your DNS provider. Everything runs in your browser — nothing leaves your device.


SPF Sender Policy Framework

The SPF record tells receiving mail servers which hosts and services are permitted to send email for your domain. Publish it as a TXT record at your apex domain (e.g. @ or example.com).

Common email senders
Domain mechanisms
Policy strength (all qualifier)
TXT record — publish at your apex domain
v=spf1 -all

DMARC Domain-based Message Authentication

The DMARC record tells receiving servers what to do when a message fails SPF or DKIM, and where to send reports. Publish it as a TXT record at _dmarc (the host updates as you type your domain above).

Policy (p=)

100% applies the policy to all matching messages. Use lower values only for gradual rollouts.

Receiving mail servers will send daily aggregate XML reports to this address. Separate multiple addresses with commas.

Per-message failure reports (may contain email content). Many providers send these only for p=quarantine or p=reject.

SPF alignment (aspf=)
DKIM alignment (adkim=)
Publish as TXT record at host_dmarc
v=DMARC1; p=none; fo=1

Use — Guide

How to use this tool

  1. Optionally enter your domain name at the top — this updates the DMARC host label to show the exact DNS record name to publish.
  2. In the SPF section, tick the email services you send from (Microsoft 365, Google Workspace and so on) and add any custom IP addresses or include: domains.
  3. Choose your SPF policy strength — use Softfail (~all) while auditing your senders, then switch to Fail (-all) once all senders are confirmed.
  4. In the DMARC section, set the policy to "none" initially to collect reports, add your reporting email address, and adjust any advanced options you need.
  5. Copy each generated record using the copy buttons — the SPF record goes at your apex domain, the DMARC record at the _dmarc host shown.
  6. Paste the records as TXT entries in your DNS provider, allow up to an hour for propagation, then verify they are live using our DNS Lookup tool.

FAQ — Questions

Frequently asked questions

01What is the difference between SPF and DMARC?

SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers and services authorised to send email on behalf of your domain. It tells receiving mail servers "these IP addresses are allowed to send from us." DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on top of SPF (and DKIM). Where SPF says who can send, DMARC tells receiving servers what to do when a message fails the check — monitor it (p=none), move it to junk (p=quarantine), or reject it outright (p=reject) — and where to send reports. Both records work together: SPF authorises your senders, DMARC enforces the policy and gives you visibility.

02Should I use -all (fail) or ~all (softfail) in my SPF record?

Start with ~all (softfail) while you are setting up or auditing your mail flows. With softfail, messages that fail SPF are still delivered but marked as suspicious — this avoids accidentally blocking legitimate mail if you missed an authorised sender. Once you are confident all legitimate senders are in your record and your DMARC policy is at least p=quarantine, switch to -all (fail/strict) for the strongest protection. Avoid ?all (neutral) in production — it provides no protection at all.

03What DMARC policy should I start with?

Always start with p=none (monitoring). This collects aggregate reports without affecting mail delivery, so you can see what is passing and failing before taking action. After reviewing a few weeks of reports and confirming your legitimate mail is passing SPF and DKIM alignment, step up to p=quarantine (moves failing messages to spam). Once you are comfortable that quarantine is not affecting real mail, move to p=reject — the strongest protection, which tells receiving servers to discard unauthenticated messages entirely. The rua= (aggregate report) address is essential at every stage to get visibility.

04Where do I publish these records in my DNS?

Both records are DNS TXT records. Your SPF record is published at your apex domain — for example.com the host is @ or example.com (exactly your sending domain). Your DMARC record is always published at _dmarc.<yourdomain> — for example.com that is _dmarc.example.com. Log in to your DNS provider (your domain registrar, Cloudflare, Route 53, etc.), create a new TXT record, paste in the host name and record value from this generator, and save. Allow up to an hour for DNS propagation, then use our DNS Lookup tool or an online DMARC checker to verify the records are live.

Need email security expertise?

From SPF and DMARC to DKIM and MTA-STS — Peritus Digital hardens your email.

Misconfigured or missing email-security records are one of the most common entry points for phishing attacks impersonating your business. Our Newcastle team audits and configures SPF, DKIM, DMARC and MTA-STS for Hunter Region businesses — getting you from p=none to p=reject safely, with ongoing monitoring.