How It Works

The generator turns a small set of inputs—your domain, verification tokens, and email security preferences—into ready-to-publish TXT records. It follows the canonical record formats used by DNS hosts and mail receivers, and it also builds a zone-file style snippet when you want something you can paste into documentation or infrastructure code.

Because TXT records often contain semicolons, spaces, and special prefixes, the tool keeps the value formatting consistent and readable. For providers that display TXT values with quotes, the generator also presents an explicit quoted representation so you can see exactly what will be published.

Step-by-step flow

• 1) Enter your domain: Use the root domain you control (for example, example.com). The generator uses it to suggest realistic report addresses and consistent hostnames.
• 2) Pick the records you need: Generate a Google Workspace verification TXT record, an SPF TXT record, a DMARC TXT record, or all three at once.
• 3) Choose SPF senders: Enable Google’s SPF include, add A/MX mechanisms, and optionally list IP addresses or additional include domains for third‑party services.
• 4) Choose a DMARC policy: Select none, quarantine, or reject, then optionally add aggregate (RUA) and forensic (RUF) report mailboxes, alignment settings, and reporting intervals.
• 5) Copy and publish: The output is presented as clear record cards and as a combined “zone snippet” you can copy or download as a text file.
• 6) Verify after publishing: Once DNS is updated, confirm with a DNS TXT lookup and test mail authentication (SPF pass, DMARC pass/aligned) to ensure receivers see your intended configuration.

For most domains, the easiest path is to publish all three records: verify with Google, authorize senders with SPF, and protect the domain with DMARC. Even if you use a different mailbox provider later, SPF and DMARC remain foundational records for deliverability and spoofing protection.

Key Features

Google Workspace verification record

Google uses TXT verification to confirm domain ownership during setup. Paste the verification token you receive from the Google Admin console and the generator produces a valid TXT value. If you paste the full string (including the google-site-verification= prefix) the tool preserves it; if you paste only the token, it adds the prefix automatically.

This approach helps in two common situations: when you are copying the token from an onboarding wizard, and when you are reusing a verification string from an older setup that already includes the prefix. Either way, you get a single, correct TXT value to publish at the root hostname.

SPF builder with safe defaults

Create an SPF record that authorizes the systems allowed to send mail for your domain. The builder supports Google Workspace includes, standard a and mx mechanisms, explicit ip4/ip6 entries, and additional include domains for transactional mail services.

Many domains send mail from more than one platform—Google Workspace for staff mailboxes, a helpdesk system for support tickets, and a marketing tool for newsletters. The generator helps you combine those sources into a single SPF policy at the root, which is important because publishing multiple SPF records can cause receivers to treat SPF as a permanent failure.

DMARC builder for modern deliverability

Generate a DMARC record at _dmarc with your chosen enforcement policy and alignment settings. Use an observation phase (p=none) to monitor first, then tighten to quarantine or reject once you confirm legitimate traffic is aligned.

DMARC is the policy layer that tells receivers what to do when SPF and DKIM do not align with your domain. Even without advanced options, a basic DMARC record can improve visibility into spoofing attempts. With stronger policies, it becomes one of the most effective tools for protecting brand identity in email.

Alignment and reporting controls

Choose relaxed or strict alignment for SPF (aspf) and DKIM (adkim) to match your organization’s risk tolerance and sending architecture. Add report mailboxes for aggregate data (rua) and forensic samples (ruf) when you have a team or vendor ready to process them. You can also set a reporting interval (ri) and optionally a subdomain policy (sp) when you manage many subdomains.

These options matter because some organizations send from subdomains (like mail.example.com or news.example.com) and want consistent enforcement across the whole namespace. The generator keeps the knobs understandable while still producing standards-compliant output.

Copy, export, and handoff

Copy individual record values or a full zone-file snippet with a single click. Download the results as a plain text file so you can attach it to change requests, send it to clients, or store it alongside infrastructure notes.

For teams using infrastructure-as-code, the zone snippet is also a quick bridge from “what should we publish?” to “how do we encode this in Terraform, Cloudflare, Route 53, or another DNS system?” While syntax differs between providers, having an authoritative source string reduces mistakes during translation.

Provider-friendly formatting

DNS providers vary in how they display TXT values, but the underlying string must be correct. The generator produces the canonical values and also creates a quoted zone-file representation that is widely understood by DNS engineers. When a record is long, it can be displayed as multiple quoted chunks in zone format while representing the same TXT value.

This makes it easier to troubleshoot: if a receiver reports a parsing error, you can compare the generated canonical value against what your DNS host actually published and spot differences such as missing semicolons, extra spaces, or truncated strings.

Use Cases

• Set up Google Workspace for a new domain: Verify ownership via TXT and publish SPF/DMARC to protect your brand from spoofing.
• Migrate mail providers: During a move to Google Workspace or away from it, rebuild SPF and DMARC with a clean, readable policy that matches the new sending sources.
• Fix “SPF fail” or “DMARC fail” deliverability issues: Reconstruct records with the right includes, mechanisms, and alignment options, then retest sending to common receivers.
• Harden email security: Move from monitoring to enforcement with DMARC quarantine/reject and strict alignment when your ecosystem is stable.
• Reduce phishing surface area: A stronger DMARC policy can reduce the success rate of spoofed “CEO fraud” and look‑alike attacks that rely on unauthenticated mail.
• Prepare documentation for IT handoff: Export a zone snippet for tickets, runbooks, and infrastructure-as-code repositories.
• Agencies and MSP workflows: Generate consistent records for many clients and store outputs in project notes so the same record can be audited later.
• Multi-sender environments: Combine Google Workspace with additional senders like helpdesk tools, marketing platforms, or SMTP relays without accidentally creating multiple SPF records.

Whether you manage a single small business domain or many client properties, the output is designed to be quick to apply and easy to verify after publishing. The goal is to remove the formatting burden so you can focus on correctness: verifying the right domain, allowing only legitimate senders, and enforcing a policy that reflects your security posture.

Optimization Tips

Start DMARC in monitoring mode

If DMARC is new for your domain, begin with p=none and set an aggregate report mailbox (rua). Review who is sending mail on your behalf and confirm that legitimate sources authenticate correctly. Once you trust the results, move to p=quarantine and later p=reject.

Monitoring first is especially useful when multiple teams send email: customer support, billing, marketing, and system notifications may each use different services. DMARC reports help you discover forgotten senders before you enforce stricter policies.

Keep SPF under control

SPF has practical DNS lookup limits for mechanisms that cause lookups. Prefer a single authoritative include for a major provider (such as Google) and avoid stacking too many nested includes. Remove unused services and consolidate where possible.

If you hit lookup limits, receivers can treat SPF as a permerror, which can negatively impact deliverability. Periodic SPF cleanup—especially after changing marketing tools or SMTP relays—keeps the record reliable.

Use strict policies when you are ready

A strict SPF policy (-all) can be beneficial after you confirm every legitimate sender is covered. Likewise, DMARC reject is most effective once alignment is consistently passing for real traffic. When moving to enforcement, consider a gradual approach with pct to apply policy to a smaller percentage of mail while you validate real-world impact.

In high-volume domains, even small misconfigurations can create noticeable bounces. The safest path is incremental: tighten controls with measurement, then lock them in once reports show stable passing rates.

FAQ