Understanding SPF, DKIM, and DMARC

The three pillars of email authentication explained. Find out why these records matter and how RemindMe sets them up automatically for you.

Deliverability | 8 min read | Jan 20, 2026

Why email authentication matters

Email was designed in an era when trust was assumed. The original SMTP protocol has no built-in way to verify that a sender is who they claim to be. This makes it trivially easy to spoof the From address on an email — which is exactly what spammers and phishers exploit every day.

SPF, DKIM, and DMARC were developed to close this gap. Together, they form a layered authentication system that lets receiving mail servers verify your identity and protect your domain from abuse.

SPF: Who is allowed to send?

SPF (Sender Policy Framework) is a DNS TXT record that lists the servers authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to see if the sending server's IP address is on the approved list.

If the IP matches, the SPF check passes. If not, the receiving server knows something is off. RemindMe automatically generates the correct SPF record for your domain — you just need to add it to your DNS settings.

A common pitfall is having multiple SPF records. Each domain can only have one SPF record. If you use multiple email services, combine them into a single record using the include: mechanism.
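
The multiple-record pitfall and the merge described above, as an added Python example (not RemindMe's code): it takes the TXT strings published for a domain, detects more than one SPF record, and combines them into a single record. The sample records, the function names, and the choice to keep the strictest `all` qualifier are assumptions of this example; the count of lookup terms reflects the limit of 10 DNS-querying terms in RFC 7208, which a merged record with many include: entries can exceed.

```python
import re

# DNS-querying terms; RFC 7208 allows at most 10 of these per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Assumption of this example: when records disagree, keep the strictest "all".
ALL_STRICTNESS = {"+all": 0, "all": 0, "?all": 1, "~all": 2, "-all": 3}

# Constructed TXT strings for a hypothetical domain using two email services.
SAMPLE_TXT = [
    "site-verification=constructed-token",
    "v=spf1 include:_spf.mailer-a.example ~all",
    "v=spf1 ip4:192.0.2.10 include:_spf.mailer-b.example -all",
]


def spf_records(txt_records):
    """Return only the TXT strings that are SPF records (first term v=spf1)."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]


def needs_lookup(term):
    """True if the term makes the receiver perform a DNS query."""
    name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
    return name in LOOKUP_TERMS


def merge_spf(txt_records):
    """Combine all SPF records into one; return (record, dns_lookup_count)."""
    terms, seen, all_term = [], set(), None
    for record in spf_records(txt_records):
        for term in record.split()[1:]:
            low = term.lower()
            if low in ALL_STRICTNESS:
                if all_term is None or ALL_STRICTNESS[low] > ALL_STRICTNESS[all_term]:
                    all_term = low
            elif low not in seen:  # drop mechanisms repeated across records
                seen.add(low)
                terms.append(term)
    merged = " ".join(["v=spf1", *terms] + ([all_term] if all_term else []))
    return merged, sum(needs_lookup(t) for t in terms)


if __name__ == "__main__":
    found = spf_records(SAMPLE_TXT)
    if len(found) > 1:
        print(f"{len(found)} SPF records published; receivers need exactly one")
    record, lookups = merge_spf(SAMPLE_TXT)
    print(record)
    print(f"{lookups} of 10 allowed DNS-lookup terms used")
```
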

DKIM: Is the message authentic?

DKIM (DomainKeys Identified Mail) takes a different approach. Instead of checking where the message came from, it checks whether the message was altered in transit. The sending server signs each outgoing email with a private cryptographic key, and the corresponding public key is published as a DNS record.

Receiving servers use the public key to verify the signature. If the message was tampered with after being signed, the verification fails. This protects against man-in-the-middle attacks and gives receiving servers confidence that the email is genuine.

RemindMe generates a unique DKIM key pair for each domain you add. The private key stays on our servers; the public key goes into your DNS records.

DMARC: What happens when checks fail?

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and adds a policy layer. It tells receiving servers what to do when an email fails authentication: deliver it anyway (none), quarantine it (quarantine), or reject it outright (reject).

DMARC also introduces reporting. You can receive daily aggregate reports showing who is sending email using your domain — including unauthorized senders. This visibility is invaluable for catching abuse early.

We recommend starting with a policy of p=none to monitor without affecting delivery. Once you're confident that all legitimate email passes authentication, you can move to p=quarantine and eventually p=reject for maximum protection.

How RemindMe handles this for you

When you add a domain to RemindMe, we generate all the records you need — SPF, DKIM, and a recommended DMARC record — and show them in your dashboard with copy-to-clipboard buttons. Just paste them into your DNS settings and verify.

Our system continuously monitors the health of your DNS records and alerts you if anything changes or expires. You don't need to be a DNS expert to maintain great deliverability.