// Free tool

SPF & DMARC record generator

Pick the services that send email for your domain and choose a policy, and get copy-paste SPF, DMARC and MTA-STS DNS records to stop spoofing and fix what the Email Security Checker flags. Everything is built in your browser, nothing is stored.

1. SPF record

SPF lists who is allowed to send email for your domain. Tick your senders and we build the record.

Who sends email for your domain?
Policy for senders not listed above
TXT record at your root domain

2. DMARC record

DMARC tells receivers what to do with mail that fails SPF or DKIM, and emails you reports. Start at p=none to monitor, then ramp up to quarantine and reject.

Policy
TXT record at _dmarc.yourdomain.com

3. MTA-STS and TLS reporting (advanced)

MTA-STS tells other servers to require encryption when sending you email. It needs the DNS record below plus a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. TLS-RPT emails you reports of delivery problems.

TXT record at _mta-sts.yourdomain.com
Policy file (host at /.well-known/mta-sts.txt, set your real MX)
TLS-RPT TXT record at _smtp._tls.yourdomain.com
How to use this. These records are built in your browser from your inputs; nothing is sent or stored. Add them at your DNS provider, then re-check with the Email Security Checker. Roll DMARC out gradually (p=none, then quarantine, then reject) and watch the reports before you enforce. This is a starting point, not a guarantee; complex setups with many senders or subdomains may need tuning.
// What this means for your business

Stop attackers from sending email as you

SPF, DKIM and DMARC are how you stop criminals spoofing your domain to phish your customers and staff, and how you keep your own mail out of the spam folder. We set these up correctly for Canadian businesses, move DMARC to enforcement safely, and watch the reports so nothing legitimate breaks.

Managed Services Talk to us