TOOLERY
Free Online Tools
Admin login
All tools

SPF/DKIM/DMARC Generator

Generate secure, syntactically correct DNS records to authorize your mail servers and secure your domain.

SPF/DKIM/DMARC Generator

Generate copy-paste ready DNS records for SPF, DKIM, and DMARC email authentication.

SPF Settings

What is SPF & why it matters

SPF (Sender Policy Framework) is a DNS record listing which servers are allowed to send email for your domain. When a receiver gets a message claiming to be from you, it checks the sending server against this list — anything not authorized can be flagged or rejected. It's your first line of defense against spammers forging your address.

Tick the sources you actually send from — your own servers (mx/a) plus any providers like Google or Resend — then choose how strictly receivers should treat unlisted senders with the all setting below.

Advanced: SPF macros

Macros are placeholders that SPF expands at the moment mail arrives, using facts about the incoming message. They let one fixed record make dynamic, per-message decisions — most often paired with the exists mechanism to look up a per-sender or per-IP name in DNS.

They're written as %{letter}. The common ones:

  • %{s} full sender user@domain · %{l} local part · %{o} sender's domain
  • %{d} the domain being checked (yours)
  • %{i} the sending server's IP · %{h} its HELO/EHLO name · %{p} its PTR name (discouraged)

A trailing r reverses the parts (%{ir} = IP written backwards), and a digit keeps only the right-most N labels (%{d2} = last two labels of the domain).

Example

v=spf1 exists:%{ir}.%{d}._spf.example.com -all

For each connection SPF reverses the sender's IP and checks whether <reversed-ip>.example.com._spf.example.com exists in DNS — if it does, the mail passes. That's how big senders manage massive, constantly-changing allow-lists entirely in DNS instead of cramming IPs into the record.

Rarely needed for a normal domain. Macros are hard to debug, still count toward SPF's 10-DNS-lookup limit, and %{p}/PTR tricks are unreliable. This wizard sticks to the plain mechanisms above — but now you'll recognize macros when you meet them in someone else's record.

Just for your reference — an SPF record's content is the same regardless of domain, and it's always published at the root (host @).

Generated Record

TXT

DNS TXT Host/Name

@

TXT Value

v=spf1 mx a ~all

DNS Deployment Steps:

  1. Log in to your domain registrar (e.g. Cloudflare, Namecheap, GoDaddy).
  2. Navigate to your domain's **DNS Management** page.
  3. Add a new record of type TXT.
  4. Paste the **Host/Name** and **TXT Value** exactly as shown above.
  5. Set the TTL to **Auto** (or **3600** seconds) and save.
About this tool

This wizard helps you construct SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) records. Answering a few simple questions generates the exact TXT records you need to add to your domain's DNS zone.

Using correct email authentication records is critical: it authorizes valid mail servers (like Google Workspace, Microsoft 365, or transactional services like Resend) to send mail on your behalf, reducing the risk of your emails landing in spam or being spoofed by bad actors.