
Email Authentication Record Builder

Build copy-ready SPF and DMARC TXT records with safe defaults, provider presets, DNS lookup guardrails, and chunking guidance for long TXT values. This tool stays client-side and does not generate DKIM keys or publish DNS changes.

Inputs

Pick the sending services that are allowed to use your domain, add any direct IP ranges, then tune DMARC reporting and alignment. Conservative DMARC defaults stay on.

Used for the DMARC host name helper only. The SPF host stays at your root/@ record.

SPF Builder

Provider presets
Select every mail platform that is truly authorized to send mail for this domain.
Mechanisms
Each a, mx, include, and redirect consumes SPF DNS lookups.
Enter one domain per line, or separate domains with commas. Use plain domains or include:domain; duplicates are removed automatically.
Optional. Counts as one more DNS lookup.

DMARC Builder

Tip: aggregate reports usually go to a dedicated mailbox such as mailto:dmarc@example.com
Optional. Most receivers ignore custom values, but you can still publish them.

Output

Copy these DNS values into your DNS provider. If you cross the SPF lookup budget or publish invalid DMARC tags, the builder flags it inline before you copy.

SPF TXT record

Authorizes which hosts and vendors may send mail for your root domain.

0 / 10 DNS lookups
Host: @
Type: TXT

SPF TXT chunks are only needed when your provider cannot accept long single-string TXT values.

Single-string TXT record is sufficient.

DMARC TXT record

Publishes the policy receivers should apply and where they should send DMARC reports.

Host: _dmarc
Type: TXT

Publish this at the _dmarc host for your domain. Reports are optional but strongly recommended.

Single-string TXT record is sufficient.

Guardrails included here: SPF 10-lookup warning, 255-character TXT warning, duplicate include cleanup, conservative DMARC p=none default, and mailto: validation hints for rua/ruf. DKIM is intentionally out of scope.
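
The SPF guardrails listed above (duplicate include cleanup, the 10-lookup warning, and 255-character chunking) can be sketched as follows. This is an added example, not this tool's own code: the function names, the `~all` default, and the sample domains and IP range are assumptions.

```javascript
// Added example: names, defaults and sample values are assumptions, not the tool's code.
const LOOKUP_LIMIT = 10;    // SPF evaluation limit on DNS-querying terms (RFC 7208)
const TXT_STRING_MAX = 255; // longest single character-string in a TXT record

// Accepts "domain" or "include:domain", one per line or comma-separated; removes duplicates.
function normalizeIncludes(raw) {
  const seen = new Set();
  for (const item of raw.split(/[\n,]+/)) {
    const d = item.trim().toLowerCase().replace(/^include:/, "").replace(/\.$/, "");
    if (d) seen.add(d);
  }
  return [...seen];
}

// Builds the record and counts only the lookups this record itself declares.
// Lookups nested inside each included record also count at evaluation time.
function buildSpf({ includes = "", ip4 = [], a = false, mx = false, redirect = "" } = {}) {
  const terms = ["v=spf1"];
  const warnings = [];
  let lookups = 0;
  if (a) { terms.push("a"); lookups += 1; }
  if (mx) { terms.push("mx"); lookups += 1; }
  for (const range of ip4) terms.push(`ip4:${range}`); // ip4 costs no lookup
  for (const d of normalizeIncludes(includes)) { terms.push(`include:${d}`); lookups += 1; }
  if (redirect) { terms.push(`redirect=${redirect}`); lookups += 1; } // redirect replaces "all"
  else terms.push("~all"); // assumed default qualifier
  const record = terms.join(" ");
  if (lookups > LOOKUP_LIMIT) warnings.push(`${lookups} lookups exceeds the limit of ${LOOKUP_LIMIT}`);
  if (record.length > TXT_STRING_MAX) warnings.push(`record is ${record.length} characters; publish as chunks`);
  return { record, lookups, warnings };
}

// Splits a long value into quoted strings of at most 255 characters.
// Receivers join the strings with no separator, so no space is added at the cut.
function chunkTxt(value) {
  const parts = [];
  for (let i = 0; i < value.length; i += TXT_STRING_MAX) {
    parts.push(`"${value.slice(i, i + TXT_STRING_MAX)}"`);
  }
  return parts.join(" ");
}

const sample = buildSpf({ // constructed input using documentation-reserved names
  includes: "include:_spf.example.net, mail.example.org\n_SPF.example.net",
  ip4: ["192.0.2.0/24"],
  mx: true,
});
console.log(sample.record, `(${sample.lookups} / ${LOOKUP_LIMIT} DNS lookups)`);
```

The count covers only the terms written in this record, so a record that shows 10 or fewer here can still exceed the limit once the included providers' own records are resolved.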