Your domain
Build your SPF and DMARC records
Answer two questions and copy the exact DNS records that stop scammers from sending email as your domain. No signup, and nothing you type leaves this page.
Private by design
- The records are assembled entirely in your browser. Your domain and addresses are never sent to us.
Who sends email for your domain?
Sending services like Amazon SES, SendGrid and Mailgun usually authenticate on their own subdomain with records from their setup guide - only tick them here if their guide tells you to add the include yourself.
One or more entries don't look like valid IP addresses and were left out. Enter IP addresses here, not hostnames.
What should happen to email from anywhere else?
Your record
- Type
- TXT
- Host / name
@
No senders selected. This exact record is correct for a domain that never sends email - it tells the world to reject anything claiming to come from it.
Some providers use extra lookups inside their own SPF records, so stay well under the limit of 10.
What should receivers do with email that fails SPF and DKIM?
Big mail providers send a daily summary of who is sending email as your domain. It's how you spot a sender you forgot before tightening the policy.
That doesn't look like an email address, so it was left out of the record.
Advanced options
Your record
- Type
- TXT
- Host / name
_dmarc
The usual path: start at p=none, watch the reports for a few weeks, fix any legitimate sender that fails, then move to quarantine and finally reject.
There's nothing to build for DKIM - the signing key lives with your email provider, and they give you the exact records to publish. It usually takes five minutes:
- Sign in to your email provider's admin area.
- Find the DKIM or "domain authentication" section - often under domain or security settings.
- Add the CNAME or TXT records it shows you at your DNS host.
- Come back and turn signing on once the records are detected.
Some providers - iCloud, Proton Mail and Fastmail among them - set DKIM up automatically when you add your domain. Others, like Mailchimp, authenticate entirely through DKIM records: nothing to add to SPF at all.
DNS changes can take up to an hour to spread. Once they have, test your domain with the SPF/DKIM/DMARC checker.
Frequently asked questions
Where do I put these records?
At the company that manages your domain's DNS - often your registrar (GoDaddy, Namecheap, Google Domains) or your web host. Look for "DNS settings" or "DNS records", add a TXT record, and paste the host and value shown here.
Will publishing SPF and DMARC break my email?
Not if you go gradually. List every service that sends email for you in SPF, start DMARC at p=none (report-only), and watch the reports for a few weeks before tightening to quarantine or reject. Mail keeps flowing the whole time.
Why do small businesses need SPF and DMARC?
Without them, anyone can send email that looks like it comes from your domain - to your customers, suppliers, or staff. These records let receiving servers spot and block the fakes, and Google and Microsoft increasingly filter unauthenticated mail into junk.