Generate DNS Records: a beginner's guide
Emit ready-to-publish SPF, DMARC, DKIM, and MTA-STS values
Record generation: the copy-paste DNS the scanner tells you to add
Record generation is the step in a remediation workflow that produces the actual DNS record text you're supposed to paste into your DNS provider's control panel — not a generic "add DMARC" recommendation, but the literal string `v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1` with all the values filled in for your specific setup. The gap between "the scanner said to add DMARC" and "I know exactly what text to type" is where most remediation stalls. Tools like dmarcian and EasyDMARC built entire businesses on closing that gap; `reports-generate-records` bakes the same capability into the scan itself.
You should care because the DNS-record translation step is where remediation most often breaks down. A scanner that says "DMARC is missing" is useful, but the team addressing it still has to look up the DMARC syntax, pick an enforcement level, decide on a reporting address, remember whether `sp=` defaults are appropriate, and test the result. Most of those decisions have defensible defaults — the scanner already knows the domain's context, and can produce a correct record without forcing the operator to re-derive every tag. When the scanner emits the record text, the remediation work becomes a copy-paste plus a 24-hour validation cycle instead of a 20-minute research task.
The five categories of records every generator produces:
SPF records. Correct `v=spf1` prefix, include list drawn from the domain's existing senders, appropriate all-qualifier (`-all` for strict, `~all` for phased rollouts), and a DNS-lookup-count sanity check so the generated record doesn't exceed the 10-lookup limit from RFC 7208.
DMARC records. Correct `v=DMARC1` prefix, policy level appropriate to the rollout phase (start at `p=none`, move to `p=quarantine`, end at `p=reject`), reporting addresses, and alignment-mode defaults.
DKIM records. Public keys formatted correctly for each selector and email provider, with the `v=DKIM1` prefix and appropriate key-type parameters (RFC 6376).
MTA-STS policy files. The `_mta-sts` TXT record plus the policy file served at `https://mta-sts.example.com/.well-known/mta-sts.txt`, matching the MX records the domain actually uses.
TLS-RPT records. Reporting addresses for MTA-STS policy violations, sized to handle expected volume.
Three questions a record generator answers:
What's the exact text I need to add to my DNS provider's control panel right now?
Has the generator accounted for my specific set of email senders, MX hosts, and existing records?
Is the generated record guaranteed to validate — or do I still need to run a separate checker against it after publishing?
The cost of scanners that stop at "add DMARC" is remediation work that takes 20 minutes of research per finding and often produces incorrect records on first try. The fix is to bake record generation into the scanner so that the output of the scan is directly actionable. This is one of the highest-leverage UX improvements in the entire security-scanning space: closing the last-mile gap between "identified" and "remediated."
The Generate DNS Records endpoint, in plain language
In one sentence: Emit ready-to-publish [SPF (Sender Policy Framework)](/guides/spf-record-setup-guide), [DMARC (Domain-based Message Authentication, Reporting and Conformance)](/guides/how-to-check-dmarc-record), [DKIM (DomainKeys Identified Mail)](/guides/security-dkim), and [MTA-STS (Mail Transfer Agent Strict Transport Security)](/guides/security-mta-sts) values
Generates syntactically valid, ready-to-publish email-authentication DNS (Domain Name System) records for the requested providers and policy preferences. Output includes SPF (Sender Policy Framework) at the apex, DMARC (Domain-based Message Authentication, Reporting and Conformance) at `_dmarc.<domain>`, DKIM (DomainKeys Identified Mail) selector TXT hints per provider, the MTA-STS (Mail Transfer Agent Strict Transport Security) TXT record plus policy file body, and the TLS-RPT (TLS Reporting) TXT record at `_smtp._tls.<domain>`. No DNS lookup is required; all values are computed from provider metadata.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Accepts a domain plus comma-separated provider list (google_workspace, microsoft_365, sendgrid, mailgun, amazon_ses, mailchimp, zoho, fastmail, etc.) plus optional DMARC (Domain-based Message Authentication, Reporting and Conformance) policy and MTA-STS (Mail Transfer Agent Strict Transport Security) mode. Looks up each provider in an internal provider table and emits the canonical SPF (Sender Policy Framework) include, DKIM (DomainKeys Identified Mail) selector(s), and MX hints. Assembles the full SPF record under the 10-lookup limit. Formats DMARC with rua= pointing to a configurable address. Emits a complete MTA-STS policy file (version/mode/mx/max_age) and the companion DNS (Domain Name System) records. Returns record name, type, TTL (time to live), and value for each, ready to paste into DNS management.
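The assembly steps above, covering the record categories listed earlier, shown as an added example that is not EdgeDNS's own code. The `PROVIDERS` table, its per-include lookup costs, the `generate` function and the record dictionary keys are assumptions made for illustration; DKIM is left out because its value depends on a provider-issued key.

```python
# Added example, not EdgeDNS code. Table and lookup costs are constructed assumptions.
PROVIDERS = {
    "google_workspace": ("_spf.google.com", 4),
    "microsoft_365": ("spf.protection.outlook.com", 2),
    "sendgrid": ("sendgrid.net", 1),
    "mailgun": ("mailgun.org", 2),
    "amazon_ses": ("amazonses.com", 1),
    "mailchimp": ("servers.mcsv.net", 1),
}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF check


def generate(domain, providers, dmarc_policy="none", rua=None,
             mx_hosts=(), sts_mode="testing", sts_id="1", strict_spf=False):
    """Return (records, mta_sts_policy_body, warnings) for one domain."""
    if dmarc_policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid DMARC policy: {dmarc_policy}")
    if sts_mode not in ("none", "testing", "enforce"):
        raise ValueError(f"invalid MTA-STS mode: {sts_mode}")
    warnings, includes, lookups = [], [], 0
    for key in dict.fromkeys(providers):  # drop duplicates, keep order
        if key not in PROVIDERS:
            warnings.append(f"unknown provider skipped: {key}")
            continue
        host, cost = PROVIDERS[key]
        includes.append(f"include:{host}")
        lookups += cost
    if lookups > SPF_LOOKUP_LIMIT:
        warnings.append(f"SPF needs {lookups} lookups, limit is {SPF_LOOKUP_LIMIT}")
    spf = " ".join(["v=spf1", *includes, "-all" if strict_spf else "~all"])
    # DMARC: same tag layout as the sample record quoted on this page
    dmarc = f"v=DMARC1; p={dmarc_policy}"
    if rua:
        dmarc += f"; rua=mailto:{rua}; fo=1"
    else:
        warnings.append("DMARC aggregate report address not specified")
    records = [
        {"name": domain, "type": "TXT", "value": spf},
        {"name": f"_dmarc.{domain}", "type": "TXT", "value": dmarc},
        {"name": f"_mta-sts.{domain}", "type": "TXT", "value": f"v=STSv1; id={sts_id}"},
    ]
    if rua:  # TLS-RPT needs somewhere to send reports
        records.append({"name": f"_smtp._tls.{domain}", "type": "TXT",
                        "value": f"v=TLSRPTv1; rua=mailto:{rua}"})
    # Body served at https://mta-sts.<domain>/.well-known/mta-sts.txt
    policy = "".join(f"{line}\n" for line in (
        "version: STSv1", f"mode: {sts_mode}",
        *(f"mx: {h}" for h in mx_hosts), "max_age: 86400"))
    if sts_mode != "none" and not mx_hosts:
        warnings.append("MTA-STS policy has no mx entries")
    return records, policy, warnings
```

Requesting all six sample providers pushes the assumed lookup total to 11, so the function returns the SPF record together with an over-limit warning instead of silently emitting a record that would fail evaluation.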
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Generate DNS Records tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Writing these records from scratch is error-prone — small syntax errors silently disable the policy. A generator eliminates that class of bug and gives teams a starting point they can diff against an existing configuration.
Picture this in real life. Imagine an email admin. Here's the situation they're walking into: Bring a new domain online — generate a complete email-auth record set based on the chosen providers. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Generate DNS Records tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Generate DNS Records tool is built for you:
Can I get the entire story about a domain in a single report instead of running ten checks?
What is the single document I would share with my team, my client, or my board?
Where should I focus my next hour of work to make the biggest difference?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Account executives prepping a sales call, agencies producing a monthly client deliverable, investors doing diligence, and founders building a board deck. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you have to assemble the same snapshot by hand every time you need it — which means you stop bothering. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/reports/generate-records`.
When would I actually use this?
If you're still on the fence about whether the Generate DNS Records tool belongs in your toolbox, this section is for you. Below you'll meet three real people — an email admin and a devops engineer — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: New Domain Provisioning
Imagine you're an email admin. Bring a new domain online — generate a complete email-auth record set based on the chosen providers.
Why it matters: Minutes to a production-ready email-auth baseline.
Story 2: Provider Migration
Imagine you're an email admin. Moving from one provider to another — generate records for the new provider and diff against current to identify the exact changes to deploy.
Why it matters: Reduce cutover risk.
Story 3: Template Generation for IaC
Imagine you're a devops engineer. Parameterize Terraform/Pulumi modules by consuming generated record values as input.
Why it matters: Consistent DNS (Domain Name System) records across managed domains.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Generate DNS Records tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Right before a sales call, to walk in already knowing the prospect.
For a monthly client status update or executive summary.
During M&A or investor diligence on a target domain.
When you want to share "everything we know about this domain" in a single link.
If you can see yourself in even one of those bullets, the Generate DNS Records tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Generate DNS Records tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Generate DNS Records tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/reports/generate-records?domain=example.com"
```
What you need to provide
You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to generate records for | example.com |
| provider | string | Optional | Comma-separated list of email providers (google_workspace, microsoft_365, sendgrid, mailgun, amazon_ses, mailchimp, zoho, fastmail) | google_workspace,sendgrid |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| providers | array | Providers the records target |
| records | array | Generated records: name, type, TTL, value, description |
| mta_sts_policy_file | object | Policy file content + path for `https://mta-sts.<domain>/.well-known/mta-sts.txt` |
| warnings | array | Warnings — e.g., SPF (Sender Policy Framework) under 10-lookup budget, DMARC (Domain-based Message Authentication, Reporting and Conformance) aggregate report address not specified |
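For the provider-migration case, the `records` array can be compared with what the zone already publishes before anything is pasted in. The following is an added example, not EdgeDNS's code: the lowercase keys `name`, `type` and `value`, the helper names, and both sample record sets are assumptions. It treats an existing `v=spf1` or `v=DMARC1` value at the same name as something to replace, since publishing a second copy beside it breaks evaluation.

```python
# Added example, not EdgeDNS code. Record dicts use assumed keys name/type/value.
def kind(value):
    """Return the version tag that identifies a policy TXT value, else None."""
    parts = value.split(";")[0].split()
    head = parts[0].lower() if parts else ""
    return head if head.startswith("v=") else None


def plan(current, generated):
    """Compare generated records with the zone; return (action, name, old, new)."""
    existing = {}
    for rec in current:
        tag = kind(rec["value"])
        if rec["type"] == "TXT" and tag:
            key = (rec["name"].lower().rstrip("."), tag)
            existing.setdefault(key, []).append(rec["value"])
    steps = []
    for rec in generated:
        key = (rec["name"].lower().rstrip("."), kind(rec["value"]))
        old = existing.pop(key, [])
        if not old:
            action = "add"
        elif old == [rec["value"]]:
            action = "keep"
        else:
            # Two v=spf1 or two v=DMARC1 values at one name break evaluation,
            # so every old copy is replaced rather than published alongside.
            action = "replace"
        steps.append((action, rec["name"], old, rec["value"]))
    # Policy records in the zone that the generator did not produce
    steps += [("review", name, old, None) for (name, _), old in existing.items()]
    return steps


# Constructed sample data: zone today vs. generator output for a new provider
CURRENT = [
    {"name": "example.com.", "type": "TXT", "value": "v=spf1 include:_spf.google.com ~all"},
    {"name": "example.com.", "type": "TXT", "value": "google-site-verification=abc123"},
    {"name": "_dmarc.example.com.", "type": "TXT", "value": "v=DMARC1; p=none"},
]
GENERATED = [
    {"name": "example.com", "type": "TXT", "value": "v=spf1 include:spf.protection.outlook.com ~all"},
    {"name": "_dmarc.example.com", "type": "TXT", "value": "v=DMARC1; p=none"},
    {"name": "_mta-sts.example.com", "type": "TXT", "value": "v=STSv1; id=1"},
]

if __name__ == "__main__":
    for step in plan(CURRENT, GENERATED):
        print(step)
```

Non-policy TXT values such as the site-verification string are left out of the plan, so the output lists only the email-authentication changes to deploy.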
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.
TTL (time to live) — How long, in seconds, a piece of information should be remembered before being looked up again.
SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.
DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.
MTA-STS (Mail Transfer Agent Strict Transport Security) — A way to tell other mail servers "always use encryption when sending email to me, and refuse to fall back to unencrypted delivery."
TLS-RPT (TLS Reporting) — A way for your mail server to receive reports when other servers fail to deliver email to you over a secure connection — pairs with MTA-STS.
TLS (Transport Layer Security) — The encryption that puts the 'S' in HTTPS. It scrambles data so nobody between you and a website can read it.