Record Generator for SPF, DKIM and DMARC

Use this automatic wizard to generate the DNS records necessary for your server to send properly authenticated email, using best practices.

If your website wants to send email to customers, you will need to setup SPF, DKIM and DMARC records in order to properly authenticate those emails and ensure that they end up in your customer's inbox instead of their spam folder. To learn more about these records, please read our article on Best Practices for Sending Email. To generate your DNS records, please answer the questions below.

SPF: example.com. IN TXT "v=spf1 ~all" DKIM: selector._domainkey.example.com IN CNAME selector.mailservice.com Be sure to replace any bracketed values above with those from your email provider or software. Read below for tips on manually generating keys. DMARC: _dmarc.example.com. IN TXT "v=DMARC1; p=quarantine;"
Enter any additional IP addresses that send email. Separate multiple entries with spaces. You may use CIDR notation to indicate a block of addresses.
Enter any additional IP addresses that send email. Separate multiple entries with spaces. You may use CIDR notation to indicate a block of addresses.
Enter the hostname for any other servers that directly send email. Separate multiple entries with spaces.
External Email Services








Enter the hostname for any other 3rd party service that sends email on your behalf. Separate multiple entries with spaces. Ask your service provider what to put here.
This email address will receive daily XML reports from email providers showing delivery statistics for this domain.
Fail will cause emails that don't pass the checks to get rejected. Soft Fail will cause those emails to get marked as spam. Neutral will allow non-compliant emails to be delivered.
View Record

DKIM Public and Private Key Generation

If you are directly sending email using your own servers or software, then you may need to generate and mange your own public and private keys.

Private Key

The private key should be a 1024-bit RSA key. Keep the private key securely stored on your server. Your email sending software will need the private key to sign emails that you send. The following unix command will create a private key and an example key is shown below.

openssl genrsa -f4 -out private.key 1024 -----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDSQNiZ63BsGaW7/GzFJJJyeNteudMIDyViqGrfdenVJCMLkWTy
t+IJirzIKdLtAzs0sq75ZtzWCBhxDTmXlMuuuTmBNu4+Wwk2uTXY24YuydxOLxAz
5keSbxTEwiRT1mbAptjZiLxHCJ9gSyL/DtmTiEYaFIoqcvXUqzn0DHsgzwIDAQAB
AoGAFHFBnhWKJLiJqLFuUeywYHjnu1oN7qaqV+FQItHwHk0ZKzLDweWnEI5wtHV8
kJbT1tfYs18Q8a5v0e4bP2W0N+d3bcDFPEz4nJwVxmpxLmVVVugGbQwPJ/MdAPj0
sA34R+sLUBomeWgJJRAzumJgzdbzp1AJk8KM47SnUPDvn6ECQQD9ky+l8SGL7Mv9
OLIta6UCHZf4G47aDaMs0ZolA8ASfVIt4LbAHwt2/hheTxkOtZu/ij0Ntqhgeg7w
AA8SuTdzAkEA1EOZEjwQquqJFEed6b2eP81BNUuKwNkw5S1OsXhHzoE4V7wRNU6B
iNl7ng0qYBzjYnd5PhKDCAL+ZcV7OQ1CNQJBAO35cRE6IHKSE8scp1MrH9vBbDrD
migX/lh0iUZNo7d2d2Zo6vmY6QiOZM41S13boER89tlk39ZTFqu0UnEO8/MCQQC0
DO7/17FvuWgzqpgZmD1u8w9OTNjSwqjGDYuN4HBQi63mReH27LPWCFzicVp7kqWS
dbODYqKBHkD6xOvENintAkAcKohbl+/mqty/TVMB14K3oilm9hnBPmCe7GqjcQDB
+h5v3rvwBn2IY4FBe9WBDRvkiAe9ea8ts5OOyh8O1Nnx
-----END RSA PRIVATE KEY-----
Public Key

The following unix command will create the public key from the private key generated above. An example is shown below.

openssl rsa -in private.key -outform PEM -pubout -out public.key -----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSQNiZ63BsGaW7/GzFJJJyeNte
udMIDyViqGrfdenVJCMLkWTyt+IJirzIKdLtAzs2sq75ZtzWCBhxDTmXlMuuuTmB
Nu4+Wwk2uTXY24YuydxOLxAz5keSbxTEwiRT1mbAptjZiLxHCJ9gSyL/DtmTiEYa
FIoqcvXUqzn0DHsgzwIDAQAB
-----END PUBLIC KEY-----

Remove the header and footer from the public key and remove any spaces or newlines so you have a single string of characters. Place this public key into your DKIM DNS record. For example:

selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSQNiZ63BsGaW7/GzFJJJyeNteudMIDyViqGrfdenVJCMLkWTyt+IJirzIKdLtAzs2sq75ZtzWCBhxDTmXlMuuuTmBNu4+Wwk2uTXY24YuydxOLxAz5keSbxTEwiRT1mbAptjZiLxHCJ9gSyL/DtmTiEYaFIoqcvXUqzn0DHsgzwIDAQAB"

Once you have made changes to your SPF, DKIM, and DMARC records, type your domain name into the box below and run a free ValidBot Test to check if everything is correct. Look in the "Email" section of the report to see if you made all the changes correctly.

If you have implemented all of this then you should be able to send email from your domain name and have it pass all the authentication steps that email providers will look for.