Free Tool
SPF & DMARC Record Generator
Build correct email authentication records for your domain. Select your senders, set your policy, and copy the ready-to-add TXT record.
Which services send email for your domain?
Check all that apply. Each adds an include: mechanism to your record.
Additional sending domains are added as include:domain, and IP addresses are added as ip4:address.
Enforcement policy
Configure your DMARC policy
Start with p=none to monitor, then tighten once you're confident all legitimate mail passes.
Policy (p=)
Aggregate report address (rua=): receives daily XML reports of all senders claiming to be your domain.
Percentage (pct=): the percentage of failing messages the policy applies to. Start at 100%.
Subdomain policy (sp=): overrides the policy for subdomains.
Generated Record
Add as a TXT record at @ in your DNS provider
Understanding SPF and DMARC
What SPF protects against
SPF (Sender Policy Framework) lists which mail servers are authorized to send on your behalf. Without it, anyone can send email that appears to come from your domain — a tactic used in phishing and business email compromise attacks. Set it as a TXT record at your root domain.
What DMARC adds
DMARC tells receiving servers what to do when SPF or DKIM fails: nothing (none), move to spam (quarantine), or block entirely (reject). It also enables aggregate reports — daily XML digests showing exactly who is sending email using your domain.
Softfail (~all) vs. hardfail (-all)
Softfail marks mail from unauthorized senders as suspicious but still delivers it. Hardfail tells receivers to reject it outright. Start with ~all while confirming all your legitimate senders are included, then move to -all once email is flowing correctly.
DMARC rollout strategy
Start with p=none to monitor without blocking. Review the aggregate reports (rua) for 2–4 weeks to identify all senders. Move to p=quarantine, then p=reject once you're confident no legitimate mail is failing authentication.
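The records described above, built in code for each rollout stage (an added example, not the tool's own code). The sender domain, IP address and report mailbox are constructed sample values, pairing -all with p=reject is an assumption, and the DMARC record is published at the _dmarc host rather than at @.

```python
import ipaddress

POLICIES = ("none", "quarantine", "reject")

def build_spf(includes=(), ip4s=(), hardfail=False):
    """Build an SPF TXT value: include:/ip4: mechanisms, then ~all or -all."""
    if len(includes) > 10:
        # RFC 7208 allows at most 10 DNS-querying mechanisms per evaluation.
        # Nested includes count too, so this check is only a lower bound.
        raise ValueError("more than 10 include: mechanisms")
    parts = ["v=spf1"] + [f"include:{d}" for d in includes]
    for addr in ip4s:
        # Raises ValueError for anything that is not an IPv4 address or CIDR range.
        net = ipaddress.IPv4Network(addr, strict=False)
        parts.append(f"ip4:{net if net.prefixlen < 32 else net.network_address}")
    parts.append("-all" if hardfail else "~all")
    return " ".join(parts)

def build_dmarc(policy="none", rua=None, pct=100, sp=None):
    """Build a DMARC TXT value from the policy, report address, pct and sp."""
    if policy not in POLICIES or (sp is not None and sp not in POLICIES):
        raise ValueError("policy must be none, quarantine or reject")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags = ["v=DMARC1", f"p={policy}"]
    if sp is not None:
        tags.append(f"sp={sp}")
    if rua:
        tags.append(f"rua=mailto:{rua}")
    if pct != 100:  # 100 is the default, so the tag can be omitted
        tags.append(f"pct={pct}")
    return "; ".join(tags)

def rollout(domain, includes, ip4s, rua):
    """Return (stage, host, value) records for none -> quarantine -> reject."""
    records = []
    for policy in POLICIES:
        # Assumption: SPF moves to -all at the same stage DMARC moves to reject.
        spf = build_spf(includes, ip4s, hardfail=(policy == "reject"))
        records.append((policy, domain, spf))
        records.append((policy, f"_dmarc.{domain}", build_dmarc(policy, rua)))
    return records

if __name__ == "__main__":
    # Constructed sample input: documentation domain and address range.
    for stage, host, value in rollout("example.com", ["_spf.mailer.example"],
                                      ["192.0.2.10"], "dmarc-reports@example.com"):
        print(f'[{stage}] {host} TXT "{value}"')
```

Only the top-level include: count is checked here; confirm the full lookup count of the published record with a resolver-based SPF checker before moving to -all.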