DEV Community

Cover image for SPF, DKIM & DMARC Generators: How to Create Email Authentication Records
toolbox-poster
toolbox-poster

Posted on • Originally published at toolbox.starnomina.tn

SPF, DKIM & DMARC Generators: How to Create Email Authentication Records

#email #dns #devops #security

TL;DR
SPF, DKIM, and DMARC records are notoriously easy to break with a single typo. Generator tools eliminate syntax errors and guide you through the logic—which IPs to authorize, which policy to enforce, and how to stage the rollout. This guide walks through each generator, covers provider-specific DKIM setup, and provides a proven deployment order.

📑 Table of Contents

  • Why Manual Creation Is Error-Prone
  • SPF Generator Walkthrough
  • DKIM Setup by Provider
  • DMARC Generator Walkthrough
  • Recommended Deployment Order
  • Post-Deployment Monitoring
  • When to Use Generators vs Manual
  • Best Practices
  • Common Mistakes
  • Tools
  • References

Why Manual Creation Is Error-Prone

Email authentication records have strict syntax rules and subtle interactions. Common manual errors include:

  • Mistyped SPF mechanisms (inclue: instead of include:) that silently disable authorization.

  • Exceeding the 10 DNS lookup limit in SPF without realizing nested includes count.

  • Using +all instead of ~all or -all—authorizing the entire internet to send as your domain.

  • Publishing a DMARC record with p=reject before verifying all legitimate senders pass SPF/DKIM.

  • Forgetting the v= version tag or placing it anywhere other than the start of the record.

📖 Definition — An email authentication record generator is a tool that produces syntactically correct DNS TXT records for SPF, DKIM, or DMARC based on your inputs—authorized senders, policy preferences, and reporting addresses.

SPF Generator Walkthrough

An SPF generator builds a valid v=spf1 ... all record by asking you to select your authorized senders:

1. Enter your domain — The generator queries existing SPF records to show your current configuration.

2. Add authorized sources — Select your email providers (Google Workspace, Microsoft 365, SendGrid, etc.). The tool adds the correct include: mechanisms.

3. Add custom IPs — If you run your own mail server, add its IP with the ip4: or ip6: mechanism.

4. Choose the default policy~all (softfail) during testing, -all (hardfail) for production enforcement.

5. Validate — The tool checks for duplicate includes, counts DNS lookups, and flags if you exceed the 10-lookup limit.

; Example generated SPF record
example.com.  3600  IN  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 ~all"
Enter fullscreen mode Exit fullscreen mode

⚠️ Each include:, a, mx, and redirect mechanism triggers a DNS lookup. Nested includes count too. Exceeding 10 total lookups causes a PermError—all SPF checks fail.

DKIM Setup by Provider

DKIM requires generating a key pair and publishing the public key as a DNS TXT record. Each provider handles key generation differently:

Provider Selector Key Generation DNS Record
Google Workspace google Admin Console → Apps → Gmail → Authenticate email → Generate new record Publish at google._domainkey.example.com
Microsoft 365 selector1, selector2 Defender portal → Email authentication → DKIM → Enable CNAME to selector1-example-com._domainkey.example.onmicrosoft.com
SendGrid s1, s2 Settings → Sender Authentication → Authenticate domain CNAME records provided by SendGrid
Mailchimp k1 Website → Domains → Authenticate → DKIM setup CNAME to Mailchimp-provided host
Custom (OpenDKIM) Your choice opendkim-genkey -s selector -d example.com Publish selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=..."

Pro Tip: 💡 Use 2048-bit RSA keys minimum. Some providers default to 1024-bit—upgrade if given the option. The longer key may require splitting across multiple 255-byte DNS strings, which providers handle automatically.

DMARC Generator Walkthrough

A DMARC generator produces a valid v=DMARC1; ... record for the _dmarc.example.com subdomain:

1. Select policy (p=) — Start with none (monitoring only), then escalate to quarantine, and finally reject.

2. Set subdomain policy (sp=) — Optionally set a different policy for subdomains. Defaults to the main policy if omitted.

3. Add aggregate report address (rua=) — Specify where aggregate XML reports are sent: mailto:dmarc-reports@example.com.

4. Add forensic report address (ruf=) — Optional. Many receivers won't send these due to privacy.

5. Set alignment (adkim= / aspf=)r (relaxed) allows subdomain alignment; s (strict) requires exact domain match.

6. Set percentage (pct=) — Apply the policy to a percentage of failing messages. Use pct=10 during rollout, then increase to 100.

; Example generated DMARC record (monitoring phase)
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r; pct=100"

; Example generated DMARC record (enforcement phase)
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100"
Enter fullscreen mode Exit fullscreen mode

Recommended Deployment Order

Deploy email authentication records in this order to avoid breaking legitimate mail:

Phase 1: SPF — Publish an SPF record with all known senders and ~all (softfail). Monitor for 2 weeks.

Phase 2: DKIM — Enable DKIM signing on every sending service. Verify signatures with a DKIM checker. Allow 1–2 weeks for propagation confirmation.

Phase 3: DMARC p=none — Publish DMARC with p=none and rua= to collect reports. Analyze reports for 4–6 weeks.

Phase 4: DMARC p=quarantine — After fixing all legitimate failures, move to quarantine at pct=25, gradually increasing.

Phase 5: DMARC p=reject — Once quarantine shows no legitimate failures, enforce reject at pct=100.

🚫 Never skip straight to p=reject without a monitoring phase. Legitimate mail from forgotten third-party senders will be silently dropped.

Post-Deployment Monitoring

After deploying all three records:

  • Process DMARC aggregate reports weekly to catch new senders or misconfigurations.

  • Run SPF, DKIM, and DMARC checks after any DNS change or sender onboarding.

  • Monitor email deliverability metrics in your email platform's dashboard.

  • Set alerts for SPF lookup count approaching 10 (e.g., when adding new SaaS vendors).

  • Rotate DKIM keys annually with a two-key overlap period to avoid downtime.

When to Use Generators vs Manual

Scenario Approach Why
Initial setup or new domain Generator Eliminates syntax errors and guides through options
Adding a new email provider Generator Validates that the new include doesn't exceed the lookup limit
Minor SPF tweak (one IP change) Manual Simple substitution; generator overhead unnecessary
Complex multi-domain enterprise setup Manual + Validation Generators may not handle subdomain delegation or advanced SPF macros
Troubleshooting a failing record Generator + Checker Regenerate the record and compare against the current one to find the diff

Best Practices

  • Always generate records, then validate with a checker before publishing to DNS.

  • Follow the SPF → DKIM → DMARC deployment order.

  • Use a staging/monitoring period at each phase before escalating DMARC policy.

  • Keep a changelog of all email authentication DNS changes.

  • Test with real email sends after every DNS update—don't rely solely on DNS checks.

Common Mistakes

Mistake Impact Fix
Publishing multiple SPF records SPF PermError; all checks fail Merge into a single TXT record with multiple include:
Deploying DMARC p=reject first Legitimate email from third-party senders is dropped Start at p=none and escalate gradually
Forgetting to enable DKIM signing DKIM always fails; DMARC alignment breaks Enable signing in every email platform and verify with a checker
Not counting nested SPF lookups Exceeding 10 lookups; SPF PermError Use a generator that counts lookups recursively
Publishing DKIM key as a separate TXT record instead of at the selector subdomain DKIM verification fails—key not found Publish at selector._domainkey.example.com, not example.com

Tools

SPF Generator — Build a valid SPF record with lookup counting and duplicate detection.

DMARC Generator — Create a DMARC record with policy, reporting, and alignment options.

DKIM Checker — Verify a published DKIM key and test signature validation.

SPF Checker — Validate your SPF record syntax and count DNS lookups.

DMARC Checker — Verify your DMARC record syntax and policy configuration.

References

  • 📄 RFC 7208 — Sender Policy Framework (SPF)

  • 📄 RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures

  • 📄 RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC)

  • 📄 Google Workspace — Set up SPF to prevent spoofing

  • 📄 Microsoft 365 — Configure DKIM signing

🎯 Key Takeaway: 🎯 Use generators to eliminate syntax errors, but always validate the output with checkers before publishing. Deploy in order—SPF, then DKIM, then DMARC—and never skip the monitoring phase. A rushed p=reject deployment is the fastest way to break your legitimate email.

Originally published on StarNomina ToolBox. Try our free online tools — no signup required.

Top comments (0)