Free SPF/DKIM/DMARC Generator

Instantly generate SPF, DKIM and DMARC to improve your email deliverability. Ideal for cold outbound campaigns.
100% free. No sign up required.

SPF

What does it do? Imagine SPF as a list of services that are allowed to send email for your domain.

Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all

How to set it up?

  1. In your DNS, add a TXT record with host name "@" (root).
  2. Paste the value above.
  3. Save and wait a bit for DNS to update.

DKIM

What does it do? Imagine DKIM as a secret stamp on each email that proves it's really from you and wasn't changed.

Type: TXT
Host: google._domainkey
Value: v=DKIM1; k=rsa; p=paste_key_here

How to set it up?

  1. In Google Admin → Gmail → Authenticate email (DKIM), generate a 2048-bit key and copy the public key.
  2. In DNS, add a TXT at host google._domainkey with the value shown above.
  3. Back in Google Admin, click Start authentication.

DMARC

What does it do? Imagine DMARC as a rulebook that says what to do if an email looks fake (watch it, send to spam, or block) and who to tell.

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; adkim=r; aspf=r; fo=1

How to set it up?

  1. Make sure SPF and DKIM are published and passing for your domain.
  2. In DNS, add a TXT at host _dmarc with this value: v=DMARC1; p=none; adkim=r; aspf=r; fo=1.
  3. Start with p=none to watch reports, then move to quarantine or reject when things look good.
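Before publishing, it helps to check what a DMARC value will actually do at the receiver. The following is an added example (not part of the generator): a small linter that applies the tag rules from RFC 7489 to the value shown above. The function names and the example.com report address are illustrative assumptions.

```python
# Added example: lint a DMARC TXT value using tag rules from RFC 7489.
VALID_POLICIES = {"none", "quarantine", "reject"}

PAGE_VALUE = "v=DMARC1; p=none; adkim=r; aspf=r; fo=1"            # value from this page
WITH_REPORTS = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"  # constructed sample

def parse_dmarc(value):
    """Split 'tag=value; tag=value' into a dict of lowercase tag names (order kept)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = val.strip()
    return tags

def lint_dmarc(value):
    """Return a list of (severity, message) findings for one DMARC record."""
    tags = parse_dmarc(value)
    findings = []
    # The version tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        findings.append(("error", "record must start with v=DMARC1"))
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(("error", "p must be none, quarantine or reject"))
    elif policy == "none":
        findings.append(("info", "p=none only monitors; failing mail is still delivered"))
    # Aggregate reports are sent only to addresses listed in rua=.
    if "rua" not in tags:
        findings.append(("warn", "no rua= tag: receivers send no aggregate reports"))
    # Receivers ignore fo= unless a ruf= address is also present.
    if "fo" in tags and "ruf" not in tags:
        findings.append(("warn", "fo= is ignored unless ruf= is also set"))
    for uri in (u.strip() for u in tags.get("rua", "").split(",")):
        if uri and not uri.lower().startswith("mailto:"):
            findings.append(("warn", f"receivers need only support mailto: URIs: {uri}"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_dmarc(PAGE_VALUE):
        print(f"{severity}: {message}")
```

Run against the value above, it reports that no aggregate reports will arrive until a rua= address is added, which matters for step 3.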

FAQ

Frequently Asked Questions

Do I need multiple SPF, DKIM and DMARC records for multiple emails?

No. The number of mailboxes (alice@, bob@) doesn’t matter — it’s about the domain or subdomain that sends.

  • SPF: One TXT record per hostname (e.g., @ for example.com). If multiple services send from the same host, merge them into a single SPF record.
  • DKIM: You can have multiple records, one per selector (e.g., google._domainkey, sg._domainkey).
  • DMARC: One TXT record per hostname (e.g., _dmarc.example.com). Subdomains can have their own if needed.

Where do I put the Host/Name in DNS?

Most DNS dashboards auto-append your domain. Enter only the label:

  • SPF: Host/Name = @ (root)
  • DMARC: Host/Name = _dmarc (becomes _dmarc.yourdomain.com)
  • DKIM (Google selector “google”): Host/Name = google._domainkey (becomes google._domainkey.yourdomain.com)

Avoid: Typing the full domain if your UI already appends it (you’d end up with a name like _dmarc.yourdomain.com.yourdomain.com by accident).

What exactly do I paste for the DKIM value?

Paste the full string that starts with v=DKIM1; k=rsa; p= followed by the long base64 key — no angle brackets and no PEM headers.

  1. Generate 2048-bit DKIM in Google Admin → Gmail → Authenticate email (DKIM).
  2. Copy the public key (base64 only), paste after p=.
  3. Host/Name is your selector (e.g., google._domainkey), Type = TXT.

Will this work for Google Workspace?

Yes. The tool defaults to Google-friendly values.

  1. SPF: Add TXT at @ with v=spf1 include:_spf.google.com ~all (switch to -all later).
  2. DKIM: Generate key in Google Admin, publish TXT at google._domainkey, then click “Start authentication”.
  3. DMARC: Add TXT at _dmarc with the provided value, start with p=none.

We use Google + another sender (SendGrid/Mailgun/etc.). What changes?

  • SPF: Merge into one record (e.g., include:_spf.google.com include:sendgrid.net). Keep total DNS lookups ≤ 10.
  • DKIM: Publish a TXT per service, each with its own selector (e.g., sg._domainkey).
  • DMARC: Still one record at _dmarc (or separate per subdomain if you want different policies).

How long do DNS changes take?

Often minutes to a few hours, but can take up to 24–48 hours depending on TTL and caching. It’s normal for different checkers to show updates at different times.

What does the SPF “Advanced options” toggle do?

It lets you add extra senders and IPs and choose the final qualifier.

  • Additional includes/IPs: Authorize other services or your own mail server.
  • ~all vs -all: Start with ~all (soft fail) while testing, move to -all (hard fail) when confident.
  • Lookup meter: Warns if you approach the SPF 10-DNS-lookup limit.

Do I need different records for a subdomain like news.example.com?

Only if that subdomain actually sends mail.

  • SPF: Add a TXT at news with its own SPF if the envelope sender/Return-Path uses news.example.com.
  • DKIM: Publish the selector under that subdomain (e.g., google._domainkey.news).
  • DMARC: Either add _dmarc.news or set a subdomain policy with sp= on the parent.

Explain like I'm 6: What are SPF, DKIM, and DMARC?

SPF: a list of helpers allowed to send your emails.

DKIM: a secret stamp that proves the email is really from you.

DMARC: a simple rulebook that says what to do if an email looks fake.

How do I check if it’s working?

  1. Send a test email to a Gmail/Outlook inbox.
  2. Open “Show original” / message source and look for Authentication-Results showing SPF=pass, DKIM=pass, DMARC=pass (after DMARC is live).
  3. Review DMARC aggregate reports (rua mailbox) and tighten policy when passes look good.

Can I have more than one DKIM record?

Yes. Use a different selector for each service or key rotation (e.g., google._domainkey, sg._domainkey). Each selector gets its own TXT record.

What if I already have an SPF record?

Edit and merge into a single SPF record for that host. Having two separate v=spf1 TXT records on the same name can cause a PermError.
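The merge rule and the 10-lookup limit can be checked before touching DNS. The following is an added example (not the generator's own code): it merges several SPF values into one record, flags a host that carries two v=spf1 records, and counts the terms that cost a DNS lookup. Function names are illustrative, and the count covers top-level terms only; lookups inside each include also count toward the limit, so the real total can be higher.

```python
# Added example: merge SPF records for one host and lint the result (RFC 7208 rules).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def terms(record):
    """Return the terms after the version tag, or raise if this is not SPF."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return parts[1:]

def term_name(term):
    """'~include:x' -> 'include', 'ip4:192.0.2.0/24' -> 'ip4', 'a/24' -> 'a'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name

def count_lookups(record):
    """Count top-level terms that trigger a DNS lookup during evaluation."""
    return sum(1 for t in terms(record) if term_name(t) in LOOKUP_TERMS)

def merge_spf(records, final="~all"):
    """Combine mechanisms from several records into one, with a single 'all' last."""
    merged = []
    for record in records:
        for t in terms(record):
            if term_name(t) in ("all", "redirect"):
                continue  # one 'all' is appended below; redirect is ignored when 'all' exists
            if t.lower() not in (m.lower() for m in merged):
                merged.append(t)
    return " ".join(["v=spf1", *merged, final])

def lint_host(txt_records):
    """Return findings for all TXT values published on one host name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    findings = []
    if len(spf) > 1:
        findings.append("multiple v=spf1 records on one name: PermError")
    for record in spf:
        n = count_lookups(record)
        if n > 10:
            findings.append(f"{n} lookup terms (limit 10): PermError")
    return findings

if __name__ == "__main__":
    existing = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:sendgrid.net ~all"]
    print(lint_host(existing))
    print(merge_spf(existing))
```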

I have another question

Sure thing! Please contact me by email: florian[at]florianwueest.com

Do you run a B2B SaaS and need more in-depth guidance for your outbound campaign?

While the above SPF, DKIM and DMARC generator is a great one-size-fits-all tool, it may not fit your specific use case.

So if you'd like some more guidance, or need a unique setup for your cold email campaigns, please schedule a free consultation using the link below.

Get More Qualified Leads In The Next 30 Days