DKIM / SPF / DMARC Record Builder and Validator - Email Authentication DNS TXT Record Generator

First Published: 2026-04-28
Last Updated: 2026-04-28

Build and validate SPF, DKIM, and DMARC DNS TXT records for SES, Google Workspace, Microsoft 365 — entirely in your browser, with Route 53 / BIND ready output.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. This tool does not query DNS. Your domains, email addresses, and public keys never leave your device.

This tool is provided "AS IS" without any warranties of any kind.
The author accepts no responsibility for misconfigured DNS records, mail delivery problems, or security issues arising from incorrect SPF / DKIM / DMARC settings.
This tool builds and validates record syntax offline. It does not verify deployed records over DNS.
Always verify deployed records using dig TXT or your DNS provider's interface before relying on them in production.
By using this tool, you accept full responsibility for any outcomes.

This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

SPF Builder

Compose an SPF record (RFC 7208). Each mechanism contributes to the DNS lookup count (limit: 10).

Generated record

Route 53 value

BIND zone line

Estimated lookups DNS lookups: 0 / 10

SPF Validator

Paste an existing SPF record (with or without surrounding quotes) to check syntax, lookup count, and common issues.

SPF record

Paste an SPF record above to validate.

DKIM Record Builder

Build a DKIM TXT record (RFC 6376) from an RSA public key in PEM format. The record is automatically split into 255-byte chunks for DNS TXT.

Selector Domain k= (key type) h= (hash algo) s= (service) t= (flags) Note (n=) Public key (PEM)

TXT record name

Generated record

Route 53 value

BIND zone line

DKIM Validator

Paste an existing DKIM TXT record (the value at <selector>._domainkey.<domain>) to check syntax and inspect the embedded RSA public key.

DKIM record

Paste a DKIM record above to validate.

DMARC Record Builder

Build a DMARC TXT record (RFC 7489). The record is published at _dmarc.<domain>.

Domain p= (policy) sp= (subdomain policy) pct= (apply %) adkim= (DKIM align) aspf= (SPF align) fo= (forensic opts) ri= (report interval, sec) rua= (aggregate) ruf= (forensic)

TXT record name

Generated record

Route 53 value

BIND zone line

DMARC Validator

Paste an existing DMARC record to check syntax, policy values, and report addresses.

DMARC record

Paste a DMARC record above to validate.

Combined Domain Health Check

Paste all three records to get an overall grade and a prioritized action plan.

SPF record (TXT at @) DKIM record (TXT at <selector>._domainkey) DMARC record (TXT at _dmarc)

Paste SPF / DKIM / DMARC records and run the health check.

Recent Validations (last 5)

Features

Visual SPF Builder: Add, reorder (drag & drop), and configure mechanisms (include, a, mx, ip4, ip6, exists, redirect, all) with qualifiers (+, -, ~, ?).
SPF Lookup Counter: Live count of DNS lookups consumed by your SPF record (RFC 7208 §4.6.4 limit: 10).
SPF Validator: Diagnose v=spf1 presence, qualifier validity, IPv4/IPv6 syntax, duplicate redirect, missing all, deprecated ptr, and lookup-count overruns.
DKIM Builder: Generate a DKIM TXT record from an RSA public key (PEM). Automatically chunks the value into 255-byte segments for DNS TXT.
RSA Key Strength Detection: Inline ASN.1 parser reads the SubjectPublicKeyInfo modulus and reports the actual bit length (1024 / 2048 / 4096) — flags weak keys.
DKIM Validator: Parses each tag (v, k, h, s, t, p, n, g) and warns on weak hashes, deprecated tags, and revoked selectors.
DMARC Builder: Compose p, sp, pct, adkim, aspf, fo, ri, and rua/ruf reporting addresses with mailto normalization.
DMARC Validator: Catches invalid policy values, missing v/p, malformed mailto: entries, and out-of-range pct.
Combined Health Check: Single-page A–F grade for all three records, with a prioritized action plan.
Route 53 / BIND Output: Each builder emits both quoted Route 53-ready values and BIND zone lines, ready to copy & paste.
Presets: One-click templates for Google Workspace, Amazon SES, Microsoft 365, SendGrid, and DMARC monitor / quarantine / reject postures.
Local-Only History: The last 5 validations are stored in browser localStorage for quick reload — never sent anywhere.
100% Client-Side: No fetch, no XMLHttpRequest, no DNS queries. The tool works fully offline once loaded.

How to Use

Pick a tab: SPF, DKIM, DMARC, or Domain Health Check.
Build: Use the form to compose a new record. The output, Route 53 value, and BIND zone line update live.
Validate: Paste an existing record into the validator. Surrounding quotes (Route 53 / BIND format) are automatically stripped.
Inspect DKIM keys: The DKIM validator decodes the embedded RSA public key, reports the bit length, and flags keys below 2048 bits.
Combined check: On the Domain Health Check tab, paste all three records (or click "Load From Other Tabs") and get an A–F grade with concrete next steps.
Copy: Use the per-output Copy buttons. Route 53 values are quoted; BIND values are emitted as zone-file lines.
Verify: After deploying, run dig TXT example.com, dig TXT selector._domainkey.example.com, and dig TXT _dmarc.example.com to confirm propagation.

Important Notes

This tool builds and validates record syntax offline in your browser. It does not query DNS. Always verify deployed records using dig TXT or your DNS provider's interface.
The DKIM builder accepts the public key only. Generate the key pair on your mail provider (SES / Google Workspace / Microsoft 365) — never paste the private key into a web tool.
SPF DNS lookups (RFC 7208 §4.6.4): include, a, mx, exists, ptr, and redirect each count toward the 10-lookup limit. ip4 and ip6 do not.
The ptr mechanism is deprecated by RFC 7208 §5.5 — avoid using it.
For DMARC, start with p=none and a rua mailbox. Analyze aggregate reports for at least two weeks before promoting to p=quarantine, then to p=reject.
DMARC reporting from external domains requires the receiving domain to publish a _report._dmarc.<reporter> authorization record — outside the scope of this tool.
This tool focuses on syntax and best-practice diagnostics — it does not perform cryptographic verification of DKIM signatures or SPF evaluation against a sample message. Use opendkim-testkey, swaks, or your provider's diagnostics for end-to-end testing.
For an end-to-end walkthrough on AWS, see the related blog post: Setting up DKIM, SPF, and DMARC for Amazon SES with Route 53.
Specifications referenced (linked for convenience — the tool itself does not fetch any URL):
- SPF: RFC 7208
- DKIM: RFC 6376
- DMARC: RFC 7489
- DNS TXT 255-byte chunking: RFC 1035
- X.509 SubjectPublicKeyInfo (RSA): RFC 5280 / RFC 8017

References:
Tech Blog with curated related content
Web Tools Collection

Written by Hidekazu Konishi