fixyour.page

DKIM/SPF Generator

Generate DKIM and SPF DNS records for email authentication.

Your data stays in your browser
DNS Records
;; SPF Record
;; Add as a TXT record on example.com
example.com.    IN    TXT    "v=spf1 include:_spf.google.com ~all"

;; DKIM Record
;; Add as a TXT record on google._domainkey.example.com
google._domainkey.example.com.    IN    TXT    "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE"

How to Set Up DKIM and SPF Records

Pick your email provider, configure your SPF policy and any additional IP addresses or include domains, then enter your DKIM selector and domain. The generator builds the DNS TXT records you need to copy into your domain's DNS settings. If you're using Google Workspace or Microsoft 365, the include domains and selectors are pre-filled — just add your domain name and paste the public key from your provider's admin console.

What Is SPF and Why You Need It

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are allowed to send email on behalf of your domain. Without an SPF record, anyone can forge your domain in the "From" address and your legitimate emails are more likely to land in spam. The record is published as a DNS TXT entry on your root domain and starts with "v=spf1" followed by the mechanisms (include, ip4, mx, a) and a policy directive (~all, -all, or ?all) that tells receivers what to do with unauthorized senders.

Understanding DKIM Authentication

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The sending server signs the message with a private key, and the receiving server verifies it using a public key published in your DNS. If the signature matches, the receiver knows the message wasn't tampered with in transit and that it came from an authorized source. The DKIM record is a TXT entry at selector._domainkey.yourdomain.com, where the selector is assigned by your email provider.
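
A small linter for the two record types described above, as an added example that is not part of the original page or the generator's own code: it splits an SPF value into its terms and a DKIM value into its tags, then flags a permissive or missing all directive, more than 10 DNS-lookup terms (the RFC 7208 limit), and a p= value that is not base64, such as the placeholder in the sample record. The function names are hypothetical, and the lookup count covers only the record's own terms, not those of included domains.

```python
import re

# Terms that cost one DNS query each; RFC 7208 caps a check at 10 in total.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}

def parse_spf(txt):
    """Split an SPF TXT value into (qualifier, name, argument) terms."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError('SPF record must start with "v=spf1"')
    terms = []
    for part in parts[1:]:
        m = re.fullmatch(r"([+?~-]?)([a-z0-9]+)(?:[:=/](.*))?", part, re.I)
        if not m:
            raise ValueError(f"unparseable SPF term: {part!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms

def lint_spf(txt):
    """Findings for one SPF record; nested includes are not resolved."""
    terms = parse_spf(txt)
    names = [name for _, name, _ in terms]
    findings = []
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms, limit is 10")
    if "all" in names:
        qualifier = terms[names.index("all")][0]
        if qualifier in "+?":
            findings.append(f"'{qualifier}all' does not restrict unauthorized senders")
    elif "redirect" not in names:
        findings.append("no 'all' directive")
    return findings

def lint_dkim(txt):
    """Findings for one DKIM key record (a tag=value list split on ';')."""
    pairs = (item.partition("=") for item in txt.split(";") if item.strip())
    tags = {k.strip(): "".join(v.split()) for k, _, v in pairs}
    findings = []
    p = tags.get("p", "")
    if not p:
        findings.append("p= is missing or empty (empty means the key is revoked)")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p):
        findings.append("p= is not base64; was the placeholder left in?")
    return findings

if __name__ == "__main__":  # the two sample records shown on this page
    print(lint_spf("v=spf1 include:_spf.google.com ~all"))
    print(lint_dkim("v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE"))
```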

What's the difference between SPF and DKIM?
SPF verifies the sending server — it checks whether the IP address that delivered the message is authorized by the domain. DKIM verifies the message itself — it proves the content wasn't altered after it left the sender. SPF answers "did this come from an allowed server?" while DKIM answers "is this the same message that was sent?" You need both for proper DMARC alignment, and most email providers require both to maximize deliverability.
Should I use soft fail or hard fail?
Soft fail (~all) is the safer default. It tells receiving servers to accept but flag unauthorized messages. Hard fail (-all) tells them to reject unauthorized messages outright. Start with soft fail while you're setting up, and switch to hard fail once you've confirmed all your legitimate sending sources are in the SPF record. If you use hard fail with missing includes, your own email will get rejected.
How do I add these records to my DNS?
Log into your domain registrar or DNS hosting provider (Cloudflare, GoDaddy, Namecheap, Route 53, etc.), find the DNS management section, and add new TXT records. For SPF, the host/name is your root domain (often "@") and the value is the full "v=spf1 ..." string. For DKIM, the host/name is the selector._domainkey subdomain and the value is the "v=DKIM1; ..." string. DNS changes can take up to 48 hours to propagate, but most providers update within minutes.
Do I need both SPF and DKIM?
Yes. Google and Yahoo now require both SPF and DKIM for bulk senders. Even if you're not sending at volume, having both dramatically improves deliverability and is required for DMARC compliance. SPF alone can break when emails are forwarded (the forwarding server's IP isn't in your SPF record), but DKIM survives forwarding because the signature travels with the message. Together they cover each other's weaknesses.