SPF vs DKIM vs DMARC: What's the Difference?
SPF, DKIM, and DMARC work together to authenticate your email. Learn what each does, how they complement each other, and why you need all three.
SPF, DKIM, and DMARC are three protocols that authenticate email. Each does something different, but they work together as a system. You need all three for proper email security and deliverability.
This guide explains what each protocol does, how they complement each other, and why missing any one of them leaves gaps in your email authentication.
What SPF Does
SPF (Sender Policy Framework) answers one question: is this server allowed to send email for this domain?
When you send an email, it travels from your mail server to the recipient's mail server. The receiving server sees the IP address of the sending server and the domain in the "envelope from" address. SPF lets the receiver check whether that IP address is authorized.
Your SPF record is a DNS TXT record that lists every server permitted to send email as your domain:
v=spf1 include:_spf.google.com include:sendgrid.net -all
This says: Google's servers can send for us. SendGrid's servers can send for us. Everyone else should fail (-all).
When email arrives, the receiving server:
- Extracts the domain from the envelope sender
- Looks up that domain's SPF record
- Checks if the sending IP is in the authorized list
- Assigns a pass, fail, softfail, or neutral result
Check your SPF record to verify it's configured correctly.
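The four receiver-side steps above, as an added example that is not part of the original article. It evaluates an SPF record against a sending IP the way a receiving server would, resolving include: mechanisms and counting DNS lookups against the ten-lookup limit from RFC 7208. The DNS zone is an in-memory dictionary of constructed records (a real checker queries TXT records); a:, mx:, ptr:, exists: and redirect= are not modelled.

```python
import ipaddress

# Constructed in-memory zone standing in for live DNS TXT lookups (assumption:
# a real checker would query DNS; these records and domains are made up).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:relay.example ip4:203.0.113.0/24 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "relay.example": "v=spf1 ip4:192.0.2.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/a/mx/ptr/exists/redirect budget


def check_spf(ip, domain, zone=FAKE_DNS_TXT, lookups=None):
    """Return (result, dns_lookups_used) for a sending IP against a domain's SPF record.

    Mechanisms are evaluated left to right; the first match wins and its
    qualifier becomes the result. An include: matches only if the included
    record evaluates to 'pass' for the same IP.
    """
    if lookups is None:
        lookups = [0]  # shared counter across recursive include: evaluations
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier], lookups[0]
        if mech in ("ip4", "ip6"):
            # A v4 address is never 'in' a v6 network and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], lookups[0]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", lookups[0]
            sub_result, _ = check_spf(ip, arg, zone, lookups)
            if sub_result == "pass":
                return QUALIFIERS[qualifier], lookups[0]
            if sub_result in ("permerror", "temperror"):
                return sub_result, lookups[0]
            # fail/softfail/neutral/none inside an include: just means "no match"
        else:
            # a, mx, ptr, exists and redirect= are not modelled in this example
            return "permerror", lookups[0]
    return "neutral", lookups[0]  # record ended without an 'all' mechanism


if __name__ == "__main__":
    for sender in ("198.51.100.7", "192.0.2.11", "2001:db8::1"):
        print(sender, check_spf(sender, "example.com"))
```

Note that the included record's ~all does not soften the top-level result: a softfail inside an include: is simply "no match", and evaluation continues to the parent's own -all. The returned lookup count is the number a record-size check should compare against the limit of ten.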
SPF Limitations
SPF only verifies the envelope sender (also called return-path or bounce address), not the "From" header that recipients see. A spammer could pass SPF using their own domain in the envelope while showing your domain in the From header.
SPF also breaks when email is forwarded. If someone forwards your email to another address, the forwarding server's IP isn't in your SPF record, so the forwarded copy fails SPF.
What DKIM Does
DKIM (DomainKeys Identified Mail) answers a different question: is this email actually from who it claims to be from, and has it been modified?
DKIM adds a cryptographic signature to your email headers. You publish the public key in DNS, and receiving servers use it to verify the signature. If the signature verifies, the signed headers and body have not been changed since the signing domain signed them.
The process works like this:
- Your mail server creates a signature using a private key
- The signature covers specific headers and the body
- The signature is added to the email headers
- The public key is published in DNS at a selector you choose
- Receiving servers look up the key and verify the signature
A DKIM DNS record looks like:
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
Test your DKIM configuration to verify signatures are working.
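The signing steps above, as an added example that is not from the original article. It shows the part of DKIM that needs no key material: relaxed body canonicalization (RFC 6376 section 3.4.4), the bh= body hash, and the receiver's recomputation of that hash from the body it actually received. The b= signature over the headers requires the private key and an RSA or Ed25519 library, so it is left as a labelled placeholder; the sample body and domain are constructed.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the page); CRLF line endings as on the wire.
SAMPLE_BODY = "Hi Dana,\r\n\r\nPlease approve   invoice 4471 for $100.\r\n\r\nThanks\r\n"


def relaxed_body_canonicalize(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    Collapses runs of spaces/tabs inside a line to one space, strips trailing
    whitespace, drops empty lines at the end of the body and normalizes line
    endings to CRLF. This is why a forwarder that only re-wraps whitespace
    does not invalidate the signature, while one that appends text does.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag -> value, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_dkim_signature(body: str, domain: str = "example.com", selector: str = "s1") -> str:
    """Assemble the DKIM-Signature value a signer would emit for this body.

    Only bh= is computed. b= is the RSA/Ed25519 signature over the canonicalized
    headers named in h= plus this header itself; it needs the private key, so
    it is a placeholder here. Receivers fetch the public key from
    <selector>._domainkey.<domain> to check it.
    """
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};\r\n"
            f"\th=from:to:subject:date; bh={body_hash(body)};\r\n"
            f"\tb=PLACEHOLDER_SIGNATURE")


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Receiver-side check: recompute bh= from the received body and compare."""
    return parse_dkim_tags(dkim_signature).get("bh") == body_hash(body)


if __name__ == "__main__":
    sig = build_dkim_signature(SAMPLE_BODY)
    print(sig)
    print("intact:", body_hash_matches(sig, SAMPLE_BODY))
    print("amount changed:", body_hash_matches(sig, SAMPLE_BODY.replace("$100", "$1,000")))
```

Run it and compare the two checks: extra trailing blank lines or collapsed spaces still match, because relaxed canonicalization removes them before hashing, while changing a single character of content or appending a footer does not. That is the concrete meaning of "unaltered" in DKIM.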
DKIM Advantages
Unlike SPF, DKIM survives forwarding. The signature is part of the email itself, so it remains valid when the email passes through other servers, as long as none of them modifies the signed headers or body (mailing lists that rewrite the subject or append a footer are the usual exception).
DKIM's signature names the signing domain (the d= tag), and DMARC alignment compares that domain with the visible "From" domain, not just the envelope sender. The From domain is what recipients actually see.
DKIM Limitations
DKIM only proves the email came from a server with access to the private key. It doesn't say whether that server was authorized to send for the domain. A compromised server could sign emails with a valid key.
DKIM also doesn't tell receiving servers what to do when verification fails. Should they reject the email? Quarantine it? Let it through?
What DMARC Does
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. It answers two questions SPF and DKIM leave open:
- When authentication fails, what should receiving servers do?
- How do SPF and DKIM relate to the From header domain that recipients see?
A DMARC record looks like:
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
DMARC Policy
The p= tag tells receivers what to do with failing email:
- none: Monitor only. Don't take action, but send reports.
- quarantine: Put failing emails in spam.
- reject: Block failing emails entirely.
This gives you control. SPF and DKIM can only pass or fail — DMARC says what that failure means.
DMARC Alignment
DMARC requires that SPF or DKIM (or both) not only pass but also align with the From header domain. This closes the gap where SPF passes for one domain but the From header shows a different domain.
Alignment can be:
- Strict: Domains must match exactly
- Relaxed: Subdomains are allowed (mail.yourdomain.com aligns with yourdomain.com)
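The policy and alignment rules from the two sections above, as an added example that is not from the original article: a receiver-side DMARC evaluator that takes the SPF and DKIM results together with the domains they were computed for, applies strict or relaxed alignment against the From header domain, and returns the disposition the p= (or sp=) tag calls for. The public-suffix set is a constructed stub (a real evaluator loads the Public Suffix List to find the organizational domain); the pct= tag is not modelled.

```python
# Constructed stand-in for the Public Suffix List (assumption: a real evaluator
# loads the full list from publicsuffix.org to find the organizational domain).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def is_aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from)


def evaluate_dmarc(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the envelope-from domain the SPF check ran against;
    dkim_domain is the d= tag of a signature that verified (None if none did).
    DMARC passes if at least one of the two passed AND is aligned with the
    visible From domain; otherwise the published policy decides.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return False, "none"  # no usable record: the receiver is on its own
    spf_ok = spf_result == "pass" and is_aligned(spf_domain or "", header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain or "", header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags.get("p", "none")
    # sp= governs mail whose From domain is a subdomain of the record's domain
    if header_from.lower() != organizational_domain(header_from) and "sp" in tags:
        policy = tags["sp"]
    return False, policy


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc@example.com"
    # Spoof: SPF passes for the sender's own envelope domain, nothing signs as example.com
    print(evaluate_dmarc(record, "example.com", "pass", "attacker-bounce.example", "none", None))
    # Forwarded legitimate mail: SPF breaks, the DKIM signature survives
    print(evaluate_dmarc(record, "example.com", "fail", "example.com", "pass", "example.com"))
```

The two calls in the main block are the scenarios the text describes: an SPF pass for an unrelated envelope domain does nothing for DMARC because it is not aligned, and a forwarded message still passes through its aligned DKIM signature. Switching aspf=s to aspf=r is what lets mail with a mail.yourdomain.com envelope sender align with a yourdomain.com From header.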
DMARC Reporting
DMARC sends you reports about all email claiming to be from your domain:
- Aggregate reports (rua): Daily summaries of authentication results
- Forensic reports (ruf): Details about specific failures
These reports help you:
- See who's sending email as your domain (including attackers)
- Identify authentication problems with legitimate services
- Track your authentication success rate over time
Check your DMARC policy to see how you're configured.
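Reading the aggregate (rua) reports described above, as an added example that is not from the original article. It parses a constructed report in the RFC 7489 Appendix C XML layout, groups results by source IP, and separates the three situations a practitioner looks for: sources that fail outright (spoofing, or a legitimate service missing from SPF/DKIM), sources that pass only on SPF (and will fail once forwarded), and sources that are fully aligned. The report contents, IPs and domain names are all constructed.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 Appendix C layout); not a real receiver's data.
SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.55</source_ip><count>4</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker-bounce.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>newsletter-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_rua(xml_text: str) -> dict:
    """Group an aggregate report by source IP and flag what needs attention."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        # policy_evaluated carries the *aligned* results DMARC actually used ...
        dkim_aligned = row.findtext("policy_evaluated/dkim")
        spf_aligned = row.findtext("policy_evaluated/spf")
        # ... while auth_results carries raw results, including signatures by other domains
        raw_dkim = [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                    if d.findtext("result") == "pass"]
        passed = "pass" in (dkim_aligned, spf_aligned)
        if not passed:
            note = "unauthenticated: spoofing, or a legitimate sender missing from SPF/DKIM"
        elif dkim_aligned != "pass":
            note = "SPF-only pass; fails if forwarded (DKIM signed by: %s)" % (", ".join(raw_dkim) or "nobody")
        else:
            note = ""
        sources.append({"ip": row.findtext("source_ip"), "count": count,
                        "dmarc": "pass" if passed else "fail",
                        "disposition": row.findtext("policy_evaluated/disposition"),
                        "note": note})
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "total": sum(s["count"] for s in sources),
            "failed": sum(s["count"] for s in sources if s["dmarc"] == "fail"),
            "sources": sources}


if __name__ == "__main__":
    summary = summarize_rua(SAMPLE_RUA_XML)
    print(summary["domain"], "p=" + summary["policy"], summary["failed"], "of", summary["total"], "failed")
    for src in summary["sources"]:
        print(src["ip"], src["count"], src["dmarc"], src["disposition"], src["note"])
```

The third record is the one worth recognizing before moving from p=none to p=reject: the vendor signs the mail, so a raw DKIM pass appears in auth_results, but the d= domain is the vendor's, so the aligned result is fail and the message is passing DMARC on SPF alone. Having that vendor sign with a key under your own domain (a selector you publish) is what makes it robust.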
How They Work Together
Each protocol fills gaps the others leave:
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| Verifies sending server | Yes | No | No |
| Verifies email content | No | Yes | No |
| Survives forwarding | No | Yes | Depends |
| Controls failure handling | No | No | Yes |
| Aligns with From header | No | No | Yes |
| Provides reporting | No | No | Yes |
SPF says who can send. DKIM proves the email is authentic. DMARC connects them to the From header and decides what happens when things fail.
A Real-World Example
Imagine a phisher trying to send email as your domain:
Without any authentication: The phishing email arrives with your domain in the From header. Recipients have no way to know it's fake.
With only SPF: The email fails SPF because the phisher's server isn't authorized. But the receiver might still deliver it. And if the phisher uses their own envelope sender domain, SPF passes entirely.
With SPF and DKIM: The email fails both SPF and DKIM. Better, but receivers still might deliver it, and the lack of DMARC means they don't know that's wrong.
With SPF, DKIM, and DMARC: The email fails DMARC because neither SPF nor DKIM aligns with the From header. Your DMARC policy tells receivers to reject it. You get a report showing someone tried to spoof your domain.
Do You Need All Three?
Yes. Here's why each matters:
Why You Need SPF
SPF is the simplest check and most widely supported. Many receiving servers check SPF first and reject obvious failures before doing anything else. Without SPF, your email lacks basic authorization.
Why You Need DKIM
DKIM survives forwarding where SPF fails. It also provides cryptographic proof that your email is authentic and unaltered — important for high-stakes communications.
Why You Need DMARC
Without DMARC, you don't control what happens when authentication fails. Receivers make their own decisions, which might mean delivering spoofed email. DMARC lets you set policy and gives you visibility into authentication across all receiving servers.
Gmail, Yahoo, and Microsoft now require DMARC for bulk senders. Even if you're not a bulk sender, DMARC protects your domain from being used in phishing attacks against others.
Common Misconceptions
"SPF is enough"
SPF alone doesn't prevent the From header from being spoofed. DMARC alignment is what connects authentication to what recipients see.
"DKIM is too complicated"
Modern email services handle DKIM key generation and signing automatically. You just need to add a DNS record they provide.
"DMARC will break my email"
Start with p=none to monitor without affecting delivery. Review reports to ensure all legitimate sources pass authentication before increasing to quarantine or reject.
"I don't send marketing email, so this doesn't matter"
Transactional email (password resets, receipts, notifications) needs authentication too. And even if you send no email at all, attackers could use your domain to phish others. DMARC protects your domain's reputation.
"I set this up once, so I'm done"
Authentication can break. DNS changes, new email services, provider migrations — any of these can invalidate your setup. Ongoing monitoring catches problems before they affect deliverability.
Setting Up All Three
The order matters:
- SPF first: List all services that send email for your domain. This is the foundation.
- DKIM second: Configure signing with each email service and add their DNS records.
- DMARC third: Start with p=none to collect data, then strengthen policy once you've confirmed legitimate email passes.
Each step requires DNS changes. Plan for propagation time between steps, and test after each change.
Stop Worrying About Email Deliverability
The Email Deliverability Suite monitors your SPF, DKIM, DMARC, MX records and blacklist status daily. Get alerts when something breaks — before your emails stop arriving.
Monitor everything, automatically
SPF, DKIM, DMARC, MX, and blacklist monitoring for unlimited domains. $39/month.