SPF vs DKIM vs DMARC: What's the Difference?
SPF, DKIM, and DMARC are the three pillars of email authentication. Each plays a different role, and together they form a complete defense against spoofing, phishing, and deliverability problems.
The Problem: Email Has No Built-In Authentication
The email protocol (SMTP) was designed in the early 1980s without any authentication mechanism. Anyone can send an email claiming to be from any address — there is nothing in the original protocol to prevent it. This design flaw is what makes phishing, spoofing, and business email compromise possible.
SPF, DKIM, and DMARC were developed over the past two decades to retrofit authentication onto email. They work at different layers and complement each other. Understanding how each one works — and how they interact — is essential for anyone managing email infrastructure.
What Is SPF (Sender Policy Framework)?
SPF allows a domain owner to publish a list of IP addresses and servers that are authorized to send email on behalf of their domain. This list is published as a DNS TXT record at the domain's root.
When a receiving mail server gets an email, it checks the SPF record of the envelope sender domain (the MAIL FROM address in the SMTP transaction) and compares the sending server's IP address against the authorized list.
A typical SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Limitation: SPF only authenticates the envelope sender, not the visible "From" header that users see in their inbox. This means an attacker can still spoof the visible sender while passing SPF for a different domain.
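As an added illustration (example code written for this article, not code from the original page or from any SPF library), the evaluator below applies a record like the one above to a connecting IP. It uses a constructed in-memory DNS table instead of live lookups and implements only the ip4, include and all terms, which is enough to show how the MAIL FROM domain's record is walked, how include: nests, and why the 10-lookup limit in RFC 7208 turns a self-including record into permerror. All domain names and addresses are constructed examples.

```python
import ipaddress

# Constructed in-memory TXT zone standing in for live DNS (assumption: no network access).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per evaluation


def check_spf(client_ip, mail_from_domain, dns=DNS_TXT, _budget=None):
    """Evaluate the SPF record of the MAIL FROM (envelope) domain against the
    connecting IP. Returns pass, fail, softfail, neutral, none or permerror.
    Only ip4, include and all are implemented; a, mx, ptr, exists and ip6 are not."""
    if _budget is None:
        _budget = [MAX_DNS_LOOKUPS]  # shared across include: recursion
    record = dns.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches and ends the walk
        if name == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"  # too many lookups: receivers treat the record as broken
            inner = check_spf(client_ip, value, dns, _budget)
            if inner in ("permerror", "none"):
                return "permerror"  # including a domain without SPF is a permanent error
            if inner == "pass":
                return QUALIFIERS[qualifier]
            # fail / softfail / neutral inside the include: this term simply does not match
        else:
            return "permerror"  # term not supported by this example
    return "neutral"  # walked off the end of the record without a match


if __name__ == "__main__":
    for ip, domain in [("192.0.2.7", "example.com"), ("198.51.100.10", "example.com"),
                       ("203.0.113.5", "example.com"), ("192.0.2.7", "loop.example")]:
        print(ip, domain, "->", check_spf(ip, domain))
```

Note that the function is keyed on the envelope (MAIL FROM) domain only; nothing in it reads the visible From header, which is exactly the gap the limitation above describes.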
Verify your SPF record with our SPF Checker.
What Is DKIM (DomainKeys Identified Mail)?
DKIM adds a cryptographic signature to outgoing emails. The sending server signs specific headers and the body of the message using a private key. The corresponding public key is published in DNS as a TXT record.
When the receiving server gets the email, it retrieves the public key from DNS and verifies the signature. If the signature is valid, it proves two things: the email genuinely originated from the claimed domain, and the message content has not been tampered with in transit.
A DKIM signature header looks like this:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; ...
Limitation: DKIM alone does not tell the receiving server what to do when a signature is missing or fails. It provides verification but no policy enforcement.
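As an added example (written for this article, not code from the original page or any DKIM implementation), the snippet below parses a DKIM-Signature header of the shape shown above, derives the DNS name a verifier queries for the public key, and performs the first verification step a receiver actually does: recomputing the bh= body hash under RFC 6376 "simple" canonicalization and comparing it with the header. The b= tag, which would hold the RSA signature over the selected headers, is left as a labelled placeholder because this example stops at the body hash. The message body, domain and selector are constructed.

```python
import base64
import hashlib

# Constructed message body (not from the original page), with LF line endings and
# trailing blank lines, as a signer might receive it before CRLF normalisation.
BODY = b"Hi,\nPlease approve invoice #4471 for $100.\nThanks\n\n\n"


def parse_tags(value):
    """Split a tag=value list (DKIM-Signature header or DKIM1 DNS record) into a dict.
    Whitespace inside values such as b= and bh= is removed, as RFC 6376 allows."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def dkim_dns_name(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, every trailing
    empty line removed, exactly one CRLF at the end (an empty body hashes as CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return body.rstrip(b"\r\n") + b"\r\n"


def body_hash(body):
    """bh= value for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def make_signature_header(domain, selector, body):
    """Build the DKIM-Signature value a signer would emit. b= is a placeholder here;
    a real signer fills it with the RSA signature over the h= headers and this header."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")


def verify_body_hash(signature_header, body):
    """First verifier step: recompute bh= over the body as received. A mismatch means
    the body changed in transit and the message fails DKIM before any RSA work is done."""
    tags = parse_tags(signature_header)
    return tags.get("a") == "rsa-sha256" and tags.get("bh") == body_hash(body)


def public_key_usable(dns_txt):
    """Check a fetched DKIM1 TXT record. An empty p= tag means the key was revoked."""
    tags = parse_tags(dns_txt)
    return (tags.get("v", "DKIM1") == "DKIM1"
            and tags.get("k", "rsa") == "rsa"
            and bool(tags.get("p")))


if __name__ == "__main__":
    sig = make_signature_header("example.com", "selector1", BODY)
    print("DKIM-Signature:", sig)
    print("key lookup at", dkim_dns_name(parse_tags(sig)))
    print("body hash ok:", verify_body_hash(sig, BODY))
    print("after tampering:", verify_body_hash(sig, BODY.replace(b"$100", b"$900")))
```

Two practical points fall out of the canonicalization rules: a forwarder that re-wraps line endings or strips trailing blank lines does not break the body hash, while a one-character change inside the text does.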
Check your DKIM setup with our DKIM Checker.
What Is DMARC?
DMARC ties SPF and DKIM together and adds two critical features: alignment checking and policy enforcement. It answers the question that neither SPF nor DKIM can answer alone: "What should I do with emails that fail authentication?"
DMARC checks that the domain authenticated by SPF or DKIM aligns with (matches) the domain in the visible "From" header. This alignment requirement is what closes the spoofing gap that SPF and DKIM leave open individually.
Additionally, DMARC provides a reporting mechanism. Domain owners receive aggregate reports showing which emails passed and failed authentication — giving visibility into who is sending email on their behalf (legitimately or not).
Verify your DMARC configuration with our DMARC Checker.
How SPF, DKIM, and DMARC Work Together
Think of email authentication as a layered security system:
- SPF verifies the sending server is authorized (IP-based check).
- DKIM verifies the message is authentic and unaltered (cryptographic check).
- DMARC enforces that the authenticated domain matches the visible sender and defines what to do on failure (policy + alignment check).
An email passes DMARC if it passes either SPF or DKIM with alignment. This means you need at least one of the two to align with the From header domain. Best practice is to have both SPF and DKIM properly configured, so even if one fails (for example, SPF breaks when forwarding), the other provides a fallback.
Quick Comparison Table
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| What it checks | Sending server IP | Message signature | Alignment + policy |
| DNS record type | TXT at domain root | TXT at selector._domainkey | TXT at _dmarc |
| Prevents spoofing? | Partially | Partially | Yes (with enforcement) |
| Provides reports? | No | No | Yes |
| Survives forwarding? | No | Usually yes | Depends on SPF/DKIM |
The Correct Setup Order
Many administrators make the mistake of trying to set up all three at once. Follow this order for a smooth deployment:
- SPF first. Audit all your sending sources (email provider, marketing tools, CRM, transactional email services) and create a comprehensive SPF record.
- DKIM second. Enable DKIM signing on every sending source. Most providers (Google Workspace, Microsoft 365, SendGrid, Mailchimp) support custom DKIM signing.
- DMARC last. Start with p=none to monitor, then gradually move to p=quarantine and finally p=reject.
This incremental approach minimizes the risk of accidentally blocking legitimate email. The monitoring phase with DMARC p=none is crucial — it gives you visibility before enforcement.
What Happens Without All Three?
Deploying only one or two of these protocols leaves gaps:
- SPF only: Attackers can still spoof the visible From address. No policy enforcement. No reporting.
- SPF + DKIM without DMARC: Both checks can pass for an attacker's own domain while they spoof yours in the From header. No alignment check, no policy, no reporting.
- DMARC without SPF or DKIM: DMARC has nothing to align against. Every email will fail DMARC because neither underlying protocol passes.
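The following is an added worked example (written for this article, not code from the original page or from any DMARC library) that turns the rules in "How SPF, DKIM, and DMARC Work Together" and the gap scenarios just listed into a DMARC evaluator. It takes the SPF and DKIM results and their authenticated domains as inputs, reads a constructed _dmarc TXT table instead of live DNS, applies relaxed or strict alignment, falls back to the organizational domain's record (with sp= if present) for subdomains, and returns the disposition. The organizational-domain helper is a deliberate simplification that keeps the last two labels; real validators use the Public Suffix List. The pct= tag is not handled. All domains are constructed.

```python
# Constructed _dmarc TXT records standing in for live DNS (assumption: no network access).
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "_dmarc.strict.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into tags, filling in the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # malformed record: treated as no policy
    return tags


def organizational_domain(domain):
    """Simplification: last two labels. Real code consults the Public Suffix List
    so that names under suffixes such as co.uk are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict requires an exact match, relaxed accepts any
    domain sharing the organizational domain of the visible From."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def lookup_policy(from_domain, dns):
    """Find the applicable DMARC policy: the From domain's own record, otherwise the
    organizational domain's record, whose sp= (if any) governs subdomains."""
    fd = from_domain.lower()
    record = dns.get("_dmarc." + fd)
    if record:
        return parse_dmarc(record)
    org = organizational_domain(fd)
    if org != fd and dns.get("_dmarc." + org):
        tags = parse_dmarc(dns["_dmarc." + org])
        if tags:
            tags["p"] = tags.get("sp", tags["p"])
        return tags
    return None


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DMARC_TXT):
    """spf_domain is the MAIL FROM domain SPF was evaluated on; dkim_domain is the d= of a
    verified signature. Only an outright 'pass' counts; softfail and neutral do not."""
    policy = lookup_policy(from_domain, dns)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "spf_aligned": False, "dkim_aligned": False}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok  # either aligned mechanism is enough
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


if __name__ == "__main__":
    # Forwarded mail: SPF breaks, aligned DKIM still carries the message through.
    print(evaluate_dmarc("example.com", "fail", "example.com", "pass", "example.com"))
    # SPF + DKIM both pass for the sender's own domain, but the From header says example.com.
    print(evaluate_dmarc("example.com", "pass", "attacker.example", "pass", "attacker.example"))
```

The second call in the usage section is the "SPF + DKIM without DMARC" scenario from the list above: both mechanisms pass, neither aligns with the From domain, so the result is fail and the published p=reject applies. Against a domain whose record says p=none the same failure is reported but the disposition stays none, which is the monitoring phase described in the setup order.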
The bottom line: you need all three working together for real protection. Use our free tools to verify each layer of your email authentication: