← All Posts
GuideKien Phan, Founder

Why Email Authentication Is So Confusing (And a Simpler Way)

Yes, it IS confusing — and that's not your fault

You're a developer. You build apps, not email infrastructure. But to send a simple password reset email, you need to understand SPF records, DKIM signatures, DMARC policies, DNS TXT records, CNAME records, key rotation, and alignment modes. This is absurd. Email authentication was designed by committee over 20 years, with each protocol bolted on top of the last to fix problems the previous one didn't solve. The result is a system that works well but is needlessly complex to set up. You shouldn't need a certification to send a receipt email. Let's cut through the jargon.

What each protocol actually does (plain English)

SPF answers one question: 'Is this server allowed to send email for this domain?' It's a DNS record that lists which services can send as you. Think of it as a guest list for your domain's email. DKIM answers a different question: 'Was this email actually sent by this domain, and was it tampered with in transit?' It's a cryptographic signature — like a wax seal on a letter. The receiving server checks the seal against a public key in your DNS. DMARC ties them together: 'What should I do if SPF or DKIM fails?' It's a policy — reject the email, quarantine it, or just report it. That's it. Three questions, three records.

The 3 DNS records you need (copy-paste ready)

Every email provider gives you slightly different records, but they all follow the same pattern. You need exactly 3 records in your DNS. First, an SPF record: a TXT record on your root domain that includes your email provider. Second, a DKIM record: usually a CNAME that points to your provider's DKIM key. Third, a DMARC record: a TXT record on _dmarc.yourdomain.com with your policy. Start with 'p=none' (monitoring only) and tighten later. When you add a domain in AISend, the dashboard shows you these exact 3 records with copy buttons. You don't need to know what they mean — just paste them into your DNS provider.

; Step 1: SPF — paste as TXT record on your root domain
yourdomain.com  TXT  "v=spf1 include:_spf.aisend.app ~all"

; Step 2: DKIM — paste as CNAME record
aisend._domainkey.yourdomain.com  CNAME  aisend._domainkey.aisend.app

; Step 3: DMARC — paste as TXT record
_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:you@yourdomain.com"

The simpler way to start: test without DNS first

Here's what most guides won't tell you: you don't need to finish DNS setup to see your integration work. AISend's shared sender (onboarding@aisend.app / send.aisend.app) already has SPF, DKIM, and DMARC configured, so you can send a real, authenticated test in your first two minutes with no DNS — but only to your own account email. It's a test-to-self lane, on purpose: the shared sender can't deliver to your users, so no one can turn it into a spam relay. The moment you want to email real users, set up the 3 DNS records above for a domain you own (one is included free) and send from hello@yourapp.com. So: test on the shared sender today, verify your domain before you ship to users. Don't let authentication complexity stop you from building.

Cloudflare auto-setup: zero manual DNS

If you use Cloudflare for DNS management, AISend can configure all authentication records automatically. Connect your Cloudflare API token (takes 2 minutes to create), and AISend adds SPF, DKIM, and return-path records to your DNS zone in one click. No copying, no pasting, no wondering if you put the record in the right place. Verification usually completes within 2 minutes. For developers not using Cloudflare, manual setup takes about 5 minutes — copy 3 records from the AISend dashboard to your DNS provider (Route 53, Namecheap, GoDaddy, etc.), click 'Verify', and wait for DNS propagation. Either way, it's a one-time setup that takes minutes, not the hours that most guides make it seem.

Ready to Send Smarter Emails?

3,000 emails/month free. No credit card required.