MailGuard — DMARC, SPF & DKIM Wizard

What it is

A DMARC/SPF/DKIM configurator that takes the rollout from a wizard to a finished set of DNS records. You pick the ESPs you use, the policy stance (observe → quarantine → reject), and the reporting mailbox. You paste in any existing records. The tool generates what to publish next and audits what you have now.

What it actually does

• SPF builder — checkboxes for 10 pre-configured ESPs (Google Workspace, Microsoft 365, SendGrid, Mailgun, Postmark, Amazon SES, Mailchimp/Mandrill, HubSpot, Klaviyo, Salesforce) plus free-form IPs/hosts. Counts DNS lookups, enforces the RFC 7208 §4.6.4 limit of 10.
• DMARC builder — generates v=DMARC1; p=…; sp=…; pct=100; rua=mailto:…; fo=1; adkim=r; aspf=r with sensible defaults; explains every tag.
• DKIM placeholder — emits the selector1._domainkey host with v=DKIM1; k=rsa; p=… so the operator knows exactly where to paste the ESP-provided public key.
• BIMI placeholder — optional logo record at default._bimi.
• Audit mode — paste your current SPF + DMARC, get findings: +all (BAD), ~all during rollout (WARN), -all (OK), too-many-lookups (BAD, recipients PermError), p=none (WARN, observe-only), missing rua (WARN, flying blind), pct < 100 with p=reject (WARN, partial enforcement).

Four fixtures cover the wild: no records yet, weak p=none + ~all, a strong baseline, and the classic too-many-lookups trap.

Why it matters

Most domains drift toward broken email auth — every new ESP added is one more include: toward the lookup limit. The day Google ESP says “your mail is going to spam” is usually the day someone discovers the SPF record has been over the limit for three months.

This is the tool you run before adding the ninth ESP.

How it ships

Single HTML file, ~24KB. Zero dependencies. The SPF/DMARC parser, lookup counter, ESP catalog, and tag-meaning database are 370 lines of vanilla JavaScript.

Open the tool →