HomeServicesEstimateBlogToolsAboutContactClients

Milton Keynes, UK

01908 410917

hello@itboffins.com

Back to Free Tools
Email Authentication Records

SPF & DMARC
Generator_

Build correct SPF, DKIM and DMARC DNS records for your domain in seconds — so Gmail and Microsoft trust your email and it stops landing in spam. Free, and nothing leaves your browser.

We use this only to label the records correctly — it is never sent anywhere.

1. SPF record

Tick every service that sends email for your domain.

Policy for unlisted senders
DNS Record
TypeTXT
Host@
Valuev=spf1 ~all

No senders selected yet — this record authorises nobody. Tick the services you actually send from.

A domain may have only one SPF record. If you already have a v=spf1 record, merge these includes into it rather than adding a second.

2. DMARC record

Choose how strict to be, and where to receive reports.

DNS Record
TypeTXT
Host_dmarc.yourdomain.com
Valuev=DMARC1; p=none; pct=100; adkim=r; aspf=r

3. DKIM setup

DKIM keys are generated by your email provider (we can't mint them for you) — pick yours for the exact steps and record.

In the Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → DKIM, select your domain and switch DKIM on. Microsoft then shows you two CNAME records to add:

DNS Record
TypeCNAME
Hostselector1._domainkey.yourdomain.com
Valueselector1-..._domainkey.<your-tenant>.onmicrosoft.com
DNS Record
TypeCNAME
Hostselector2._domainkey.yourdomain.com
Valueselector2-..._domainkey.<your-tenant>.onmicrosoft.com

The exact values (with your tenant name) are shown in the portal — add them, then toggle DKIM to Enabled.

Rather we just set it up?

Email authentication is fiddly and one wrong record can stop your mail dead. We'll configure SPF, DKIM and DMARC properly, monitor the reports, and get your email reliably into the inbox.

SPF, DKIM & DMARC, in plain English

These three records are how the big mailbox providers decide whether to trust your email. Get them right and you stop spammers impersonating your domain — and stop your own messages going to spam.

SPF

A list of the mail servers allowed to send for your domain. If a message comes from somewhere not on the list, SPF flags it. One TXT record at your domain root.

DKIM

A cryptographic signature added to every email, proving it wasn't tampered with in transit and really came from your domain. Generated and managed by your email provider.

DMARC

The policy that ties SPF and DKIM together — it tells receivers what to do with mail that fails, and emails you reports so you can see who is sending as you.

Email records FAQ

What are SPF, DKIM and DMARC?

They are three DNS records that prove your email is genuinely from you. SPF lists which servers are allowed to send for your domain, DKIM adds a tamper-proof signature to each message, and DMARC tells receiving servers what to do when a message fails those checks — and emails you reports. Together they stop spammers spoofing your domain and keep your real email out of the spam folder.

Do I need all three?

Yes, for the best deliverability. Gmail and Microsoft now expect SPF, DKIM and DMARC — bulk senders are required to have them. SPF and DKIM authenticate your mail; DMARC ties them together and protects your domain from being impersonated.

How do I add these records to my domain?

Log in to wherever your domain DNS is managed (your registrar or host — e.g. GoDaddy, Cloudflare, 123 Reg, IONOS), open the DNS / records section, and add each record with the Type, Host/Name and Value shown above. Changes can take a few minutes to a few hours to take effect.

Can I have more than one SPF record?

No — a domain must have exactly one SPF (TXT) record. If you already have one, do not add a second; merge the new includes into your existing record. Two SPF records will cause both to be ignored and can break your email. If in doubt, run our Email Health Check first.

What DMARC policy should I start with?

Start with p=none (monitor). It changes nothing about delivery but sends you reports so you can see every service sending as your domain. Once those reports are clean and SPF/DKIM pass, move to quarantine, then reject for full protection.

Why is my email going to spam?

The most common cause for small businesses is missing or broken SPF, DKIM or DMARC records — the receiving server can not confirm the mail is really from you, so it is treated as suspicious. Generating correct records here, and checking them with our Email Health Check, fixes the majority of deliverability problems.

See all free tools