SPF vs DKIM vs DMARC: What's the Difference & Which Do You Need?
SPF, DKIM, and DMARC are the three pillars of email authentication. Each serves a different purpose, but together they form a powerful defense against email spoofing, phishing, and deliverability problems. This guide explains how they differ, how they work together, and which ones you need.
Quick Overview: What Does Each Protocol Do?
Before diving into the details, here is a high-level summary of what SPF, DKIM, and DMARC each bring to the table:
- SPF (Sender Policy Framework) — Defines which mail servers are authorized to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail) — Adds a cryptographic signature to outgoing emails so receivers can verify the message was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — Tells receiving servers what to do when SPF or DKIM checks fail, and provides reporting back to the domain owner.
Side-by-Side Comparison Table
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| What it does | Verifies sending server IP | Verifies message integrity | Enforces policy on failures |
| How it works | Lists authorized IPs in DNS | Cryptographic signature in email header | Checks SPF/DKIM alignment with From domain |
| DNS record type | TXT record | TXT record (CNAME for delegation) | TXT record |
| Required? | Strongly recommended | Strongly recommended | Required for bulk senders (Google/Yahoo) |
| Protects against | Unauthorized servers sending as your domain | Message tampering and forgery | Domain spoofing in the visible From header |
| Provides reporting? | No | No | Yes (aggregate & forensic reports) |
SPF: The Sender Whitelist
SPF works by publishing a DNS TXT record that lists every IP address and mail server authorized to send email for your domain. When a receiving server gets an email, it checks the sending server's IP against your SPF record. If the IP is not listed, the SPF check fails.
SPF is effective but has limitations. It only checks the envelope sender (the Return-Path), not the visible From header that users see. This means an attacker can pass SPF with their own domain while spoofing yours in the From field. SPF also breaks when emails are forwarded, because the forwarding server's IP is not in your SPF record.
Check your SPF record with our free SPF Checker.
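To make the SPF check above concrete, here is an added example evaluator (not code from this page or any SPF library) that parses a record and tests a sending IP against it. The DNS zone data is constructed inline using documentation address ranges and made-up domain names, so it runs offline; only the ip4, ip6, include and all terms are implemented, and the forwarding failure the text describes is shown with an address that appears in nobody's record.

```python
import ipaddress

# Constructed DNS data standing in for live TXT lookups. The domains and
# addresses are illustrative (documentation ranges), not any real provider's.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def lookup_spf(domain: str):
    """Return the domain's SPF record from the constructed table, or None."""
    record = DNS_TXT.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the sending IP against the domain's SPF record.

    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    Only ip4, ip6, include and all are handled; a, mx, exists and redirect
    are left out of this demonstration.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a term without an explicit qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(ip, value, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # a missing or broken include is a record error
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "2001:db8::1", "192.0.2.77"):
        print(ip, "->", check_spf(ip, "example.com"))
    # 192.0.2.77 models a forwarding host: it relays a legitimate message, but
    # its address is in nobody's record, so SPF alone fails for that hop.
```

The include term is evaluated recursively and only a "pass" from the included record counts as a match, which is why a softfail from the provider's record falls through to the domain's own -all.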
DKIM: The Digital Signature
DKIM adds a cryptographic signature to the header of every outgoing email. The sending server signs the message with a private key, and the corresponding public key is published in DNS. Receiving servers use the public key to verify the signature, confirming that the message content has not been modified since it was sent.
Unlike SPF, DKIM survives email forwarding because the signature travels with the message. However, DKIM alone does not tell the receiver what to do if the signature is missing or invalid — that is where DMARC comes in.
Verify your DKIM setup with our free DKIM Checker.
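The part of DKIM that a receiver can check without any key material is the body hash (the bh= tag): the body is canonicalized as RFC 6376 describes and hashed, and a mismatch means the content changed after signing. The following is an added example, not code from this page or from any DKIM library; it implements simple and relaxed body canonicalization and the bh= comparison using only the standard library. The message is constructed inline, the b= signature value is a labelled placeholder, and verifying that signature (which needs the public key from DNS and an RSA or Ed25519 implementation) is deliberately out of scope.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Canonicalize a message body as in RFC 6376 sections 3.4.3 and 3.4.4.

    simple:  drop trailing empty lines and end the body with CRLF
             (an empty body becomes a single CRLF).
    relaxed: additionally collapse runs of SP/HTAB to one SP and strip
             trailing SP/HTAB on every line (an empty body stays empty).
    """
    # Assumption: accept bare LF input by normalising every line ending to CRLF.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag list; folding whitespace inside values is removed."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, _, value = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def split_message(raw: bytes):
    """Split a raw message into (dict of unfolded headers, body bytes)."""
    raw = raw.replace(b"\r\n", b"\n")
    head, _, body = raw.partition(b"\n\n")
    headers, current = {}, None
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and current:
            headers[current] += " " + line.decode().strip()  # unfold continuation
        else:
            name, _, value = line.decode().partition(":")
            current = name.strip().lower()
            headers[current] = value.strip()
    return headers, body


def verify_body_hash(raw: bytes) -> bool:
    """Recompute bh= from the body and compare it with the signature's bh= tag."""
    headers, body = split_message(raw)
    sig = headers.get("dkim-signature")
    if sig is None:
        return False
    tags = parse_dkim_tags(sig)
    canon = tags.get("c", "simple/simple")
    # "c=relaxed" alone means relaxed headers and simple body (RFC 6376 3.5)
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_mode)


def build_demo_message(body: bytes) -> bytes:
    """Construct a message whose DKIM-Signature bh= matches `body`.
    The b= value is a placeholder: no signing key is involved."""
    header = (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
        " h=from:to:subject; bh=" + body_hash(body, "relaxed") + ";\r\n"
        " b=PLACEHOLDER_SIGNATURE_NOT_COMPUTED\r\n"
        "From: alerts@example.com\r\nTo: user@example.net\r\nSubject: Invoice\r\n\r\n"
    )
    return header.encode("ascii") + body


# Constructed sample: the original body and a copy with a footer appended
# after signing, the way a mailing list or a forwarding gateway might do.
ORIGINAL_BODY = b"Your invoice is attached.\r\n\r\nThanks,\r\nBilling\r\n"
SIGNED_MESSAGE = build_demo_message(ORIGINAL_BODY)
TAMPERED_MESSAGE = SIGNED_MESSAGE + b"--\r\nUnsubscribe: https://list.example/leave\r\n"

if __name__ == "__main__":
    print("original body hash ok:", verify_body_hash(SIGNED_MESSAGE))
    print("footer-appended body hash ok:", verify_body_hash(TAMPERED_MESSAGE))
```

Relaxed canonicalization is why the signature survives the whitespace rewriting many relays perform, while any change to the actual text still breaks it; the footer case is the classic way DKIM fails on mailing lists even though ordinary forwarding leaves it intact.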
DMARC: The Policy Layer
DMARC is the glue that holds SPF and DKIM together. It introduces two critical capabilities: alignment checking and policy enforcement. Alignment means the domain in the visible From header must match the domain authenticated by SPF or DKIM. This prevents attackers from passing SPF with their own domain while spoofing yours.
DMARC also defines what receivers should do with failing emails: deliver them normally (p=none), send them to spam (p=quarantine), or reject them outright (p=reject). Additionally, DMARC enables aggregate and forensic reporting, giving you visibility into who is sending email as your domain.
Validate your DMARC record with our free DMARC Checker.
How SPF, DKIM, and DMARC Work Together
Think of email authentication as a layered security system. SPF is the first gate — it checks if the sending server is on the approved list. DKIM is the seal — it proves the message has not been tampered with. DMARC is the security policy — it decides what happens when someone fails the checks and reports back to the building owner.
For an email to pass DMARC, it needs to pass either SPF or DKIM (or both) with alignment. This means the domain used in the authentication check must match the domain in the visible From header. Best practice is to ensure both SPF and DKIM pass and align, providing redundancy if one mechanism fails (for example, SPF breaking during forwarding).
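The alignment rule in the DMARC section and the "pass SPF or DKIM, aligned" rule just above are easiest to see as a small decision function. This is an added example, not code from this page or from any DMARC implementation: it parses a DMARC record with its defaults, applies relaxed or strict alignment, and returns the disposition (including the p=none monitoring case and the sp= subdomain policy). The organizational-domain helper is a two-label approximation, an assumption in place of the Public Suffix List that real receivers use, and the records and domains are constructed.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict with RFC 7489 defaults filled in."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for item in record.split(";"):
        name, _, value = item.partition("=")
        if name.strip():
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the main policy
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels.
    Assumption: a real receiver consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    domain sharing the organizational domain of the visible From."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, record_domain, record,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM with alignment; return (passed, disposition).

    from_domain:   domain of the visible From header
    record_domain: where the DMARC record was found (the From domain itself,
                   or its organizational domain when the subdomain has none)
    spf_domain:    envelope (Return-Path) domain that SPF authenticated
    dkim_domain:   d= tag of a verified DKIM signature, or None
    When pct < 100 a receiver applies the disposition to only that share of
    failing mail; that sampling is left to the caller here.
    """
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    same = from_domain.lower() == record_domain.lower()
    return False, tags["p"] if same else tags["sp"]


# Constructed records for the scenarios below.
ENFORCING = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Spoofed From with the sender's own SPF-passing envelope domain: not aligned.
    print(evaluate_dmarc("example.com", "example.com", ENFORCING,
                         "pass", "attacker.example", "none", None))
    # Forwarded mail: SPF breaks at the forwarder, aligned DKIM still passes.
    print(evaluate_dmarc("example.com", "example.com", ENFORCING,
                         "fail", "example.com", "pass", "example.com"))
```

The first scenario is the one the text warns about: SPF passes for the attacker's Return-Path domain, but because that domain does not align with the From domain, DMARC treats the message as failing and the reject policy applies. The second shows why the page recommends both mechanisms: when forwarding breaks SPF, an aligned DKIM signature alone is enough for a pass.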
Which Protocols Do You Need?
The short answer: all three. Since 2024, Google and Yahoo require SPF, DKIM, and DMARC for anyone sending more than 5,000 emails per day. Even if you send fewer emails, implementing all three is considered best practice and directly improves your deliverability and domain reputation.
The recommended implementation order is:
- SPF — Simplest to set up. List your authorized senders in a DNS TXT record.
- DKIM — Requires generating a key pair and configuring your mail server or provider.
- DMARC — Deploy last, starting with p=none to monitor before enforcing.
Use our Domain Health Check to see the status of all three protocols for your domain in one report.
Frequently Asked Questions
Do I need SPF, DKIM, and DMARC or just one of them?
You need all three. SPF verifies the sending server, DKIM verifies message integrity, and DMARC ties them together with a policy. Using only one or two leaves gaps that attackers can exploit. Google and Yahoo require all three for bulk senders as of 2024.
What is the difference between SPF and DKIM?
SPF checks whether the sending server's IP address is authorized to send email for a domain. DKIM uses cryptographic signatures to verify that the email content has not been altered in transit. SPF validates the sender, while DKIM validates the message.
Can DMARC work without SPF or DKIM?
DMARC requires at least one of SPF or DKIM to pass and align with the From domain. Technically it can work with just one, but best practice is to implement both SPF and DKIM before deploying DMARC for maximum protection.
Which should I set up first — SPF, DKIM, or DMARC?
Set up SPF first (it is the simplest), then DKIM (requires key generation), and finally DMARC (which relies on both). Start DMARC with p=none to monitor before enforcing a quarantine or reject policy.
What happens if I only have SPF but not DKIM or DMARC?
With only SPF, receiving servers can check if the sending IP is authorized, but they cannot verify message integrity (no DKIM) or enforce a domain-level policy on failures (no DMARC). Attackers can still spoof your domain in the visible From header without DMARC alignment checks.