Two New Free Tools: SPF & DMARC Generator and Password Breach Checker

Erich Kolb

We have added two new free tools to the mycompany.tech/tools page: an SPF & DMARC Record Generator and a Password Breach Checker. Both run entirely in your browser, require no account, and are available now.

SPF & DMARC Record Generator

The Email Security Checker we launched in June tells you what email authentication records you have — or are missing. The new SPF & DMARC Generator tells you what to add.

It has two tabs: one for SPF records and one for DMARC policies.

On the SPF tab, you check the boxes for the services that send email on behalf of your domain — Google Workspace, Microsoft 365, Mailchimp, SendGrid, HubSpot, Zoho, or any custom hostname or IP address. The tool builds the correct include: and ip4: mechanisms as you make selections, and you pick the enforcement policy: softfail (~all), hardfail (-all), or neutral (?all). The ready-to-copy TXT record updates in real time as you configure.

On the DMARC tab, you set the policy (none, quarantine, or reject), an optional subdomain policy, the percentage of failing messages to apply it to, and the address where you want aggregate reports sent. The tool generates the correct record syntax, including the rua=mailto: format that trips up many manual configurations.

Both records include a copy button and a note on exactly where to add the TXT entry in your DNS provider (@ for SPF, _dmarc for DMARC).

When to use it:

  • You ran the Email Security Checker and found that SPF or DMARC is missing or misconfigured
  • You are onboarding a new domain and want to set authentication records before the domain goes live
  • You are migrating to a new email provider and need to update which sending services are authorized
  • You want to tighten a p=none DMARC policy to quarantine or reject and need the correct syntax

If you are new to email authentication, the info section on that page walks through the difference between SPF and DMARC, why ~all versus -all matters, and the standard three-phase rollout strategy for tightening DMARC without breaking legitimate email.

Password Breach Checker

The Password Breach Checker checks whether a password has appeared in a known data breach. It queries the HaveIBeenPwned database — which aggregates over a billion leaked credentials from thousands of data breaches — and returns either a clean result or a count of how many times the password has been seen.

The privacy question is the obvious concern, so it is worth explaining exactly how this works.

Your password is never sent to any server. The tool hashes the password with SHA-1 in your browser using the Web Cryptography API, takes the first five characters of that hash, and sends only those five characters to the HaveIBeenPwned range endpoint. The API returns all hashes that start with those five characters — tens to hundreds of partial matches — and the check for whether your specific password is in the list happens locally in your browser. This technique is called k-anonymity, and it means the server never has enough information to reconstruct or identify the password being checked.
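
The range check described above, sketched as an added example; this is not the tool's own code. The function names are hypothetical, the range response and its counts are constructed so the block runs offline, and the URL in the comment is the public Pwned Passwords range endpoint, which the page does not spell out.

```javascript
// Web Crypto in the browser or recent Node; falls back to Node's webcrypto module.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// SHA-1 the password locally and return the digest as 40 uppercase hex characters.
async function sha1Hex(password) {
  const digest = await subtle.digest("SHA-1", new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// Search a range response ("SUFFIX:COUNT" per line, CRLF or LF separated)
// for our 35-character suffix. This comparison never leaves the client.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) return parseInt(count, 10) || 0;
  }
  return 0; // suffix absent: not in the indexed breach data
}

// fetchRange(prefix) must resolve to the response body. Only the 5-character
// prefix is handed to it; the password and the full hash stay in this function.
// In a browser it could be:
//   (p) => fetch("https://api.pwnedpasswords.com/range/" + p).then((r) => r.text())
async function pwnedCount(password, fetchRange) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5);
  const suffix = hash.slice(5);
  return countInRange(await fetchRange(prefix), suffix);
}

// Constructed stand-in for the range endpoint: records what it was sent and
// returns a made-up response (the counts are not real HIBP figures).
const sentToServer = [];
async function stubFetchRange(prefix) {
  sentToServer.push(prefix);
  return [
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234", // suffix of SHA-1("password")
    "FFA0B1C2D3E4F5061728394A5B6C7D8E9F0:7",
  ].join("\r\n");
}
```

After a call, the `sentToServer` array is the complete record of what crossed the network boundary, which makes it a convenient thing to inspect when auditing an implementation of this pattern.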

The tool also shows a real-time strength meter as you type. It tracks five criteria — length over twelve characters, uppercase, lowercase, numbers, and symbols — and gives an overall rating from Weak to Strong. This is based on NIST 800-63B guidance, which emphasizes length over complexity.

When to use it:

  • You want to verify that a password you are about to reuse is not already circulating in breach data
  • You are auditing shared credentials used by your team and want to flag any that have been exposed
  • You are setting a new master password for a password manager and want to confirm it is clean
  • You are explaining to employees why password reuse is risky and want a concrete demonstration

A result showing zero breaches does not mean a password is strong or unique — it means it has not appeared in breach data that HIBP has indexed. The strength meter gives you a second signal on that front.

Where to find both tools

Both tools are available at mycompany.tech/tools, alongside the existing DNS Checker, SSL Certificate Checker, Email Security Checker, and HTTP Headers Inspector.

All six tools are free, require no account, and run in the browser. If you use one and find a problem you are not sure how to address, get in touch.