How this SPF builder works
SPF (Sender Policy Framework, RFC 7208) is the TXT record at your domain root that lists every server allowed to send mail on your behalf. Tick the providers and services you actually use on the left, and the builder assembles a syntactically valid record on the right: properly ordered mechanisms, no duplicate include: entries, a sensible all qualifier at the end (~all for softfail, -all for hardfail), and the right structure for receivers to parse.
The builder tracks the 10 DNS lookup limit in real time, since exceeding it makes receivers return PermError and fail authentication outright. Each provider you tick adds to the count: include:, a:, mx:, exists: and redirect= each cost one lookup (ip4: and ip6: cost none), and the lookups performed inside an included record count against the same budget, so a single provider can consume several. The lookup budget meter warns before you run out. Custom ip4:, ip6:, include:, a:, and mx: entries are supported for senders not in the preset list. Paste an existing SPF record into the field at the top and the builder reverse-engineers the providers, IP ranges, and qualifiers so you can edit rather than rebuild from scratch. The form state is kept in your browser, so a refresh doesn't lose your work.
Once you've published the generated record, verify it end-to-end with the SPF record checker, which walks every mechanism and reports the receiver's view. For the underlying syntax (what each mechanism, qualifier, and modifier does, with RFC citations), see our SPF syntax reference.
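As an added illustration of the assembly and lookup-budget rules described above (example code written for this page, not the builder's own implementation), the parser and builder below reproduce the steps in plain Python: parse an existing record into its components, drop duplicate include: entries, validate IP networks, order the mechanisms, append the chosen all qualifier, and refuse a record that would need more than 10 lookups. The function names, the mechanism ordering (ip4/ip6 first, then a/mx, then include:, then all) and the sample records are assumptions made for the example. It counts only the lookups visible in the record itself, since counting those made inside an included record requires live DNS.

```python
"""SPF record parser and builder, an added example rather than this page's own
builder code. The function names, the mechanism ordering and the sample
records are choices made for this illustration, not something the page specifies."""
import ipaddress
import re

LOOKUP_LIMIT = 10
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4. Lookups made while
# evaluating an include:'d record count as well; that needs live DNS, so this
# offline counter reports only the lookups visible in the record itself.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z46]+)([:/].*)?$", re.I)


def parse_spf(record):
    """Break a published record into the pieces the builder form edits."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    out = {"includes": [], "ip4": [], "ip6": [], "a": False, "mx": False,
           "all": None, "redirect": None, "other": [], "lookups": 0}
    for term in parts[1:]:
        if term.lower().startswith("redirect="):
            out["redirect"] = term.split("=", 1)[1]
            out["lookups"] += 1                  # redirect= is a lookup and replaces 'all'
            continue
        if "=" in term:                          # other modifiers such as exp= are kept verbatim
            out["other"].append(term)
            continue
        m = TERM_RE.match(term)
        if not m or m.group(2).lower() not in MECHANISMS:
            raise ValueError(f"unrecognised term: {term}")
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            out["lookups"] += 1                  # duplicates still cost a lookup each
        if name == "all":
            out["all"] = qual
        elif name in ("include", "ip4", "ip6", "exists") and not (arg and arg.startswith(":")):
            raise ValueError(f"{name}: needs an argument: {term}")
        elif name == "include" and qual == "+":
            if arg[1:].lower() not in [i.lower() for i in out["includes"]]:
                out["includes"].append(arg[1:])  # drop duplicate include: entries
        elif name in ("ip4", "ip6") and qual == "+":
            net = ipaddress.ip_network(arg[1:], strict=False)   # rejects typos like 203.0.113/24
            if net.version != int(name[2]):
                raise ValueError(f"{term} is not an {name} network")
            out[name].append(arg[1:])
        elif name in ("a", "mx") and arg is None and qual == "+":
            out[name] = True
        else:
            out["other"].append(term)            # a:host, mx:host/24, ptr, exists:, -include: ...
    return out


def build_spf(includes=(), ip4=(), ip6=(), use_a=False, use_mx=False,
              all_qualifier="~", extra=()):
    """Assemble a record from form selections and enforce the lookup budget.
    all_qualifier: '-' fail, '~' softfail, '?' neutral, '+' pass (never publish '+')."""
    if all_qualifier not in ("-", "~", "?", "+"):
        raise ValueError("all qualifier must be one of - ~ ? +")
    terms = ["v=spf1"]
    for fam, nets in (("ip4", ip4), ("ip6", ip6)):      # no-lookup mechanisms go first
        for net in nets:
            if ipaddress.ip_network(net, strict=False).version != int(fam[2]):
                raise ValueError(f"{net} is not an {fam} network")
            if f"{fam}:{net}" not in terms:
                terms.append(f"{fam}:{net}")
    if use_a:
        terms.append("a")
    if use_mx:
        terms.append("mx")
    seen = set()
    for inc in includes:
        key = inc.strip().lower().rstrip(".")
        if key and key not in seen:                      # case-insensitive de-duplication
            seen.add(key)
            terms.append(f"include:{key}")
    terms.extend(extra)
    terms.append(("" if all_qualifier == "+" else all_qualifier) + "all")
    record = " ".join(terms)
    lookups = parse_spf(record)["lookups"]               # re-parse so 'extra' terms are validated too
    if lookups > LOOKUP_LIMIT:
        raise ValueError(f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}; "
                         "receivers would return PermError")
    return record, lookups


def as_txt_rdata(record):
    """A single TXT character-string holds at most 255 bytes; longer records are
    published as several quoted strings in one TXT RR, which receivers rejoin."""
    chunks = [record[i:i + 255] for i in range(0, len(record), 255)]
    return " ".join(f'"{c}"' for c in chunks)


if __name__ == "__main__":
    # Constructed sample: a pasted record with a duplicated include.
    pasted = "v=spf1 include:_spf.google.com include:_spf.google.com ip4:203.0.113.0/24 a mx -all"
    print(parse_spf(pasted))
    print(build_spf(includes=["_spf.google.com"], ip4=["203.0.113.0/24"], use_mx=True))
```

The builder re-parses its own output before returning it, so anything typed into the custom-entry boxes goes through the same validation as a pasted record, and a record that would overflow the budget is refused rather than published. For a live domain, the number reported here is a lower bound: every include: the record references can add lookups of its own.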
📨 SPF Record Builder
Generate a valid SPF record for your domain by selecting your email providers and services. Paste an existing record to pre-fill the options, or start fresh.
1. Got an existing record? (Optional)
Enter your domain to fetch your current SPF record automatically, or paste it in below.
Or paste your current SPF record here to prefill the options below.
2. Which services send your email?
Tick each service that sends email on your behalf. If you use a regional provider (marked with 🌍), selecting it will reveal more specific options.
📧 Standard / Hosted Email
📨 Transactional & Marketing
🛂 Email Security Gateways
✍️ Email Signature Services
3. Add other services
Need to add a service not listed above? Enter one include domain per line (e.g. _spf.example.com).
4. Do you have your own mail servers?
If you run your own mail server, enter its IP address or CIDR range here (one per line).
5. Add your domain's A or MX records
6. How should others handle unauthorized email?
Your new SPF record
Add this as a TXT record at your domain root (e.g. @ or yourdomain.com) in your DNS settings.
Frequently Asked Questions
What is SPF?
SPF (Sender Policy Framework) is a DNS record that lists exactly which servers are allowed to send email for your domain. Without it, receivers cannot distinguish your mail from forgeries that use your domain, which both helps spoofers and makes it harder for your own emails to reach the inbox.
Should I use ~all or -all?
We recommend starting with ~all (SoftFail). Receivers then mark unauthorized mail rather than rejecting it, which limits the damage while you are still discovering senders you forgot to list (forwarding breaks SPF whatever the qualifier, but with ~all a forwarded message is generally still accepted). Once you're sure all your senders are listed correctly, switch to the stricter -all (Fail). Note that DMARC treats anything other than an SPF pass as a failure, so once DMARC is enforced the two qualifiers behave the same for alignment purposes.
What is the 10 DNS lookup limit?
SPF has a strict limit of 10 DNS lookups. Every service you add (like Google or Mailchimp) counts towards this, including the lookups inside that service's own record. If you exceed 10, receivers return PermError, which DMARC treats as an SPF failure, so your emails may be rejected or go to spam. Our builder has a live counter to help you stay within this limit.
Do I need both SPF and DMARC?
Yes. SPF checks the envelope sender (the Return-Path / MAIL FROM domain and the HELO name), not the visible "From" address your customers see, so a forger can pass SPF on their own domain while displaying yours. DMARC closes this loophole by requiring the SPF or DKIM domain to align with the From address, and gives you reports on who is using your domain. You need SPF, DKIM, and DMARC working together for full protection.
What is a parked domain?
A parked or non-sending domain is one that you own but never use for email. These domains are often targeted by spammers to send fake mail. Using the Parked Domain toggle above will generate a set of records to completely lock down the domain and prevent abuse.
My domain has a website but never sends email. What should I add?
If your domain hosts a live website but you never send email from it, you can still lock down the email side. However, you should skip the CAA records, as these can interfere with your website's security certificate renewal.
✅ Safe to add for any domain:
- SPF v=spf1 -all: Tells servers you never send email. This is purely for mail and won't affect your website.
- DMARC p=reject: Instructs servers to reject any fake mail claiming to be from you. Safe for all websites.
- Null MX 0 .: Signals that you don't receive email. Won't affect web traffic.
- Wildcard DKIM revocation *._domainkey v=DKIM1; p=: Tells receivers that every DKIM selector for the domain is revoked. Mail only, no effect on the website.
⚠️ Skip these if you have a live website:
- CAA Records: These records control which companies can issue security certificates for your site. If you block all issuers, your website's HTTPS certificate might fail to renew, causing a security error for visitors.
How do I add the parked domain hardening records in my DNS control panel?
All five records are added through your DNS provider's control panel, the same place where you manage your SPF, MX, and other DNS records (e.g. Cloudflare, GoDaddy, Namecheap, AWS Route 53, cPanel). Here is a record-by-record guide.
1. DMARC (TXT record)
Create a new TXT record. Set the Name / Host to _dmarc and paste the full value v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; into the Value / Content field. Leave TTL at the default (usually 3600). This is a single record and the value goes in one field exactly as shown.
2. Null MX (MX record)
Create a new MX record at @ (the root of your domain). Most providers show two fields: set Priority to 0 and Mail Server / Target to . (a single dot). If your provider shows only one value field, enter 0 . as a combined value. The dot is intentional. It is the DNS root name, used here as the convention meaning "no mail server." This record (defined in RFC 7505) tells other mail servers that this domain will never receive email. Senders can then reject mail for it at SMTP time instead of attempting delivery, and mail forged with your domain as the bounce address can be refused outright, which prevents your domain being used to generate backscatter spam.
3. Wildcard DKIM Revocation (TXT record)
Create a new TXT record. Set the Name / Host to *._domainkey. Type the asterisk literally; it is a DNS wildcard label. Set the value to v=DKIM1; p= (with nothing after the equals sign). An empty p= is how RFC 6376 (section 3.6.1) marks a key as revoked; combined with the wildcard it covers every selector, so any DKIM signature claiming to be from this domain fails verification. Most major DNS providers (Cloudflare, AWS Route 53, Google Domains) support wildcard TXT records. If yours does not, skip this record and note the omission.
4 & 5. CAA records (block certificate issuance)
CAA (Certification Authority Authorisation) records tell certificate authorities (CAs) whether they are permitted to issue TLS/SSL certificates for your domain. You need to add two separate CAA records, both at @.
CAA records have three components:
- Flags: 0 for standard use (always 0 here).
- Tag: issue controls standard certificates; issuewild controls wildcard certificates.
- Value: the name of an authorised CA, or ; (a semicolon) to authorise nobody.
The semicolon value is not a typo. It is the standard way to express a blanket block. An empty value or semicolon means "no CA is permitted."
Most DNS providers use one of two layouts for CAA records. Identify which your provider uses and follow the matching instructions:
Layout A: Split fields (Cloudflare, Hostinger, Namecheap, GoDaddy, Porkbun, and most modern control panels)
Your provider shows separate fields for Flag / Flags, Tag, and CA domain / CA domain name / Value. Fill them in as follows:
- Flag / Flags: enter 0. Some providers (e.g. Cloudflare) pre-fill this, so just leave it as is.
- Tag: select from the dropdown. Raw values are issue and issuewild. Cloudflare uses human-readable labels: choose "Only allow specific hostnames" for issue and "Only allow wildcards" for issuewild. Other providers (Hostinger, GoDaddy, Namecheap) typically show the raw tag names directly.
- CA domain / CA domain name / Value: enter ; (a single semicolon). Even though the field is marked required, a semicolon is the correct and complete value. It is the standard way to express "no CA is authorised to issue certificates for this domain." Do not leave it blank if the field is required.
Layout B: Single value field (cPanel, WHM, some older registrar editors)
Your provider shows one text field for the entire record value. Paste the complete value: 0 issue ";" for the first record and 0 issuewild ";" for the second, including the quotes around the semicolon.
AWS Route 53: uses a single value field. Enter 0 issue ";" with the quotes. Route 53 stores it exactly as typed.
You end up with two CAA records at @: one for issue (blocks standard certificates) and one for issuewild (blocks wildcard certificates like *.yourdomain.com). Strictly, RFC 8659 says that when no issuewild record exists the issue record governs wildcard names as well, so issue ";" alone already blocks everything; publishing issuewild ";" explicitly keeps wildcards blocked even if an issue record for a specific CA is added later, and leaves no room for interpretation. Two caveats: CAA is consulted only at issuance time, so it does not revoke certificates that already exist, and browsers never check it. Also, CAA lookups walk up from the requested name, so these records at @ cover every subdomain that does not publish CAA records of its own.
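To check that the records from the parked-domain FAQ and the step-by-step guide above were published correctly, here is an added audit script (example code written for this page, not the site's own checker). It verifies the five hardening records plus the v=spf1 -all record against a DNS view supplied as a lookup(name, rtype) callable, and applies the CAA rule just described: a missing issuewild record is reported as a gap even though issue ";" alone already blocks wildcards under RFC 8659. The zone embedded below is constructed for the example, with the issuewild record deliberately left out; swap in a real resolver (for instance a wrapper around dnspython or dig) to audit a live domain. The function names and the live_website switch are assumptions for this illustration.

```python
"""Parked-domain hardening audit, an added example rather than this page's own
checker. It verifies the records from the guide against a DNS view supplied as a
lookup(name, rtype) callable. The zone below is constructed for the example; the
function names and the live_website switch are assumptions for this illustration."""

# Constructed answers keyed by (owner name, type), shaped as a resolver would
# show them: TXT strings already joined, MX as "preference target", CAA as
# "flags tag value". The issuewild record is left out on purpose.
EXAMPLE_ZONE = {
    ("example.com", "TXT"): ["v=spf1 -all"],
    ("example.com", "MX"): ["0 ."],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"],
    ("*._domainkey.example.com", "TXT"): ["v=DKIM1; p="],
    ("example.com", "CAA"): ['0 issue ";"'],
}


def make_lookup(zone):
    """Return a lookup(name, rtype) over an in-memory zone, with the simplified
    wildcard synthesis a resolver performs (RFC 4592): if the exact name has no
    record, try the name with its first label replaced by '*'."""
    def lookup(name, rtype):
        name = name.lower().rstrip(".")
        if (name, rtype) in zone:
            return zone[(name, rtype)]
        labels = name.split(".", 1)
        return zone.get(("*." + labels[1], rtype), []) if len(labels) == 2 else []
    return lookup


def parse_tags(txt):
    """Split DMARC/DKIM 'tag=value; tag=value' text into a dict (empty values kept)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_caa(rdata):
    """'0 issue ";"' -> (0, 'issue', ';'). Both ';' and '' mean 'no CA may issue'."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def audit_parked_domain(domain, lookup, live_website=False):
    """Return findings as strings; an empty list means every hardening record is in place."""
    findings = []
    domain = domain.lower().rstrip(".")

    spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)} "
                        "(more than one is a PermError)")
    elif spf[0].split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: expected 'v=spf1 -all', found '{spf[0]}'")

    dmarc = [t for t in lookup(f"_dmarc.{domain}", "TXT") if t.lower().startswith("v=dmarc1")]
    tags = parse_tags(dmarc[0]) if dmarc else {}
    for tag, want in (("p", "reject"), ("sp", "reject"), ("adkim", "s"), ("aspf", "s")):
        if tags.get(tag) != want:
            findings.append(f"DMARC: {tag}={want} expected, found {tags.get(tag)!r}")

    if [m.split() for m in lookup(domain, "MX")] != [["0", "."]]:
        findings.append("MX: Null MX '0 .' (RFC 7505) not published")

    # A wildcard at *._domainkey answers for any selector, so probe an arbitrary one.
    dkim = lookup(f"probe._domainkey.{domain}", "TXT")
    if not any(parse_tags(t).get("p") == "" for t in dkim):
        findings.append("DKIM: *._domainkey TXT 'v=DKIM1; p=' (revoke all selectors) not answering")

    caa = [parse_caa(r) for r in lookup(domain, "CAA")]
    blocked = {tag for _flags, tag, value in caa if value in (";", "")}
    if live_website:
        # The guide says to skip the blanket block on a domain that serves a website,
        # because it would stop the site's certificate from being renewed.
        if blocked:
            findings.append("CAA: blanket block present but the domain serves a website; "
                            "certificate renewal will fail")
    else:
        if "issue" not in blocked:
            findings.append('CAA: issue ";" missing, any CA may still issue certificates')
        # RFC 8659 section 4.3: with no issuewild record the issue record also governs
        # wildcard names, so issue ";" alone already blocks them. The explicit issuewild ";"
        # keeps that true even if an issue record for some CA is added later.
        if "issuewild" not in blocked:
            findings.append('CAA: issuewild ";" missing, wildcard issuance falls back to the issue record')
    return findings


if __name__ == "__main__":
    for finding in audit_parked_domain("example.com", make_lookup(EXAMPLE_ZONE)):
        print(finding)
```

Run against the constructed zone, the only finding is the missing issuewild record; add it to the zone and the audit returns an empty list. Pass live_website=True for a domain that serves a website and the blanket CAA block is reported as a problem instead of a requirement, matching the FAQ advice above.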