Record Generator for SPF, DKIM and DMARC

Use this automatic wizard to generate the DNS records necessary for your server to send properly authenticated email, using best practices.

If your website sends email to customers, you will need to set up SPF, DKIM and DMARC records to properly authenticate those emails and ensure that they end up in your customers' inboxes instead of their spam folders. To learn more about these records, please read our article on Best Practices for Sending Email. To generate your DNS records, please answer the questions below.

SPF: IN TXT "v=spf1 ~all"
DKIM: IN CNAME
Be sure to replace any bracketed values above with those from your email provider or software. Read below for tips on manually generating keys.
DMARC: IN TXT "v=DMARC1; p=quarantine;"

Enter any additional IP addresses that send email. Separate multiple entries with spaces. You may use CIDR notation to indicate a block of addresses.
Enter the hostname for any other servers that directly send email. Separate multiple entries with spaces.
External Email Services

Enter the hostname for any other third-party service that sends email on your behalf. Separate multiple entries with spaces. Ask your service provider what to put here.
This email address will receive daily XML reports from email providers showing delivery statistics for this domain.
Fail will cause emails that don't pass the checks to get rejected. Soft Fail will cause those emails to get marked as spam. Neutral will allow non-compliant emails to be delivered.

DKIM Public and Private Key Generation

If you are directly sending email using your own servers or software, then you may need to generate and manage your own public and private keys.

Private Key

The private key should be a 1024-bit RSA key. Keep the private key securely stored on your server. Your email sending software will need the private key to sign emails that you send. The following Unix command will create a private key; an example key is shown below.

openssl genrsa -f4 -out private.key 1024

-----BEGIN RSA PRIVATE KEY-----

Public Key

The following Unix command will create the public key from the private key generated above. An example is shown below.

openssl rsa -in private.key -outform PEM -pubout -out public.key

-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

Remove the header and footer from the public key and remove any spaces or newlines so you have a single string of characters. Place this public key into your DKIM DNS record. For example:

IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSQNiZ63BsGaW7/GzFJJJyeNteudMIDyViqGrfdenVJCMLkWTyt+IJirzIKdLtAzs2sq75ZtzWCBhxDTmXlMuuuTmBNu4+Wwk2uTXY24YuydxOLxAz5keSbxTEwiRT1mbAptjZiLxHCJ9gSyL/DtmTiEYaFIoqcvXUqzn0DHsgzwIDAQAB"
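
The steps above as a shell function, added here as an example and not part of the original page: it strips the PEM header and footer, joins the body into one string, and refuses a file that holds a private key. The function names are assumptions, and the splitting of values longer than 255 bytes into several quoted strings goes beyond the page's text; the sample input is the page's own example public key re-wrapped as PEM.

```shell
#!/bin/sh
# Added example, not from the original page.
# dkim_txt_value FILE: print the quoted TXT value for the PEM public key in FILE.
dkim_txt_value() {
    pem=$1
    # Publishing private.key instead of public.key would leak the signing key.
    if grep -q 'PRIVATE KEY' "$pem"; then
        echo "error: $pem holds a private key; pass public.key" >&2
        return 1
    fi
    if ! grep -q '^-----BEGIN PUBLIC KEY-----' "$pem"; then
        echo "error: $pem has no PUBLIC KEY header" >&2
        return 1
    fi
    # Drop the header/footer lines, then all spaces and newlines.
    p=$(grep -v '^-----' "$pem" | tr -d ' \t\r\n')
    case $p in
        '' | *[!A-Za-z0-9+/=]*)
            echo "error: key body is not base64" >&2
            return 1 ;;
    esac
    # One TXT character-string holds at most 255 bytes, so longer values
    # (for instance 2048-bit keys) are emitted as several quoted strings;
    # verifiers join them with no whitespace in between.
    printf 'v=DKIM1; k=rsa; p=%s\n' "$p" | fold -w 255 |
        sed 's/.*/"&"/' | paste -s -d ' ' -
}

# Sample input: the page's example public key, re-wrapped as PEM.
sample_pem() {
    cat <<'EOF'
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSQNiZ63BsGaW7/GzFJJJyeNte
udMIDyViqGrfdenVJCMLkWTyt+IJirzIKdLtAzs2sq75ZtzWCBhxDTmXlMuuuTmB
Nu4+Wwk2uTXY24YuydxOLxAz5keSbxTEwiRT1mbAptjZiLxHCJ9gSyL/DtmTiEYa
FIoqcvXUqzn0DHsgzwIDAQAB
-----END PUBLIC KEY-----
EOF
}

tmp=$(mktemp)
sample_pem > "$tmp"
dkim_txt_value "$tmp"   # prints the quoted TXT value for the sample key
rm -f "$tmp"
```

Run it against your own public.key and paste the output after IN TXT in the DKIM record.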

Once you have made changes to your SPF, DKIM, and DMARC records, type your domain name into the box below and run a free ValidBot Test to check if everything is correct. Look in the "Email" section of the report to see if you made all the changes correctly.

If you have implemented all of this then you should be able to send email from your domain name and have it pass all the authentication steps that email providers will look for.