DKIM vs DMARC: What's the Difference?

Understand the difference between DKIM and DMARC email authentication. Learn how they work together and why DMARC depends on DKIM.

Last updated: 2026-01-28

DKIM and DMARC work together but serve different roles. DKIM provides the authentication; DMARC provides the policy. Understanding this relationship is key to email security.

The Short Answer

DKIM cryptographically signs your emails to prove authenticity.

DMARC tells receiving servers what to do when emails fail authentication.

DMARC depends on DKIM (and SPF). You can't have effective DMARC without DKIM in place.

Quick Comparison

  Aspect              | DKIM                     | DMARC
  Purpose             | Authenticate messages    | Enforce policy
  How it works        | Cryptographic signature  | Policy rules + reporting
  Standalone?         | Yes                      | No (needs SPF or DKIM)
  Reports             | No                       | Yes (aggregate + forensic)
  Action on failure   | Flag only                | Reject, quarantine, or none
  Prevents spoofing   | Partially                | Yes (when enforced)

How DKIM Works

DKIM (DomainKeys Identified Mail) signs outgoing emails with a cryptographic signature.

When you send an email:

  1. Your email server creates a hash of the message
  2. Signs the hash with your private key
  3. Adds the signature to the email header

When someone receives it:

  1. Their server extracts the signature
  2. Looks up your public key in DNS
  3. Verifies the signature matches
  4. Confirms the message wasn't tampered with

DKIM answers: "Is this email really from who it claims to be?"
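The receiver-side steps above, as an added Python example (not code from the original article): it parses the DKIM-Signature tag list, derives the DNS name of the public key from the s= and d= tags, and recomputes the body hash (bh=) over a "simple"-canonicalized body to detect tampering. The RSA signature check over the headers needs a crypto library and is left out; the domain, selector, message body and b= value are constructed placeholders.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside values such as b= and bh= is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def public_key_dns_name(dkim_signature: str) -> str:
    """Step 2 on the receiving side: the TXT record lives at <selector>._domainkey.<domain>."""
    tags = parse_dkim_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonical_body_simple(body: str) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with exactly one CRLF."""
    text = body.replace("\r\n", "\n").rstrip("\n") + "\n"
    return text.replace("\n", "\r\n").encode()

def body_hash(body: str) -> str:
    """The bh= tag: base64 of SHA-256 over the canonicalized body (a=rsa-sha256)."""
    digest = hashlib.sha256(canonical_body_simple(body)).digest()
    return base64.b64encode(digest).decode()

def check_body_hash(dkim_signature: str, body: str) -> bool:
    """Step 4 on the receiving side: a body that no longer hashes to bh= was tampered with."""
    return parse_dkim_tags(dkim_signature).get("bh") == body_hash(body)

def build_signature_header(domain: str, selector: str, body: str) -> str:
    """Sender side: a DKIM-Signature with a real bh=; b= is a placeholder for the RSA step."""
    return (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER_RSA_SIGNATURE")

# Constructed sample message and signature; not a real capture.
SAMPLE_BODY = "Quarterly numbers attached.\r\nThanks,\r\nCEO\r\n\r\n\r\n"
SAMPLE_SIG = build_signature_header("example.com", "sel2026", SAMPLE_BODY)

if __name__ == "__main__":
    print(public_key_dns_name(SAMPLE_SIG))                                 # sel2026._domainkey.example.com
    print(check_body_hash(SAMPLE_SIG, SAMPLE_BODY))                        # True
    print(check_body_hash(SAMPLE_SIG, SAMPLE_BODY.replace("CEO", "CFO")))  # False
```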

How DMARC Works

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on top of SPF and DKIM.

Your DMARC record specifies:

  • Policy: What to do with failing emails (none, quarantine, reject)
  • Alignment: Whether the From domain must match SPF/DKIM domains
  • Reporting: Where to send aggregate and forensic reports

A DMARC record looks like:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s

This says: "Reject emails that fail authentication. Send reports to dmarc@example.com. Require strict alignment for both DKIM and SPF."

DMARC answers: "What should receivers do when authentication fails?"

DMARC requires either SPF or DKIM to pass with alignment. Most security-conscious organizations require both.

Why DMARC Needs DKIM

DMARC doesn't authenticate anything itself. It's a policy layer on top of SPF and DKIM.

Without DKIM and SPF:

  • DMARC has nothing to check
  • No authentication data to evaluate
  • Policy can't be enforced

Think of it this way:

  • SPF and DKIM = The locks on your door
  • DMARC = The rules for what happens when someone tries to pick the locks

The Alignment Requirement

DMARC introduces "alignment"—the domain in the From header must align with:

  • The domain that passed SPF (envelope sender), OR
  • The domain that passed DKIM (d= value in signature)

This prevents an attacker from putting your domain in the visible From address while sending from a domain they control and have authenticated themselves.

Example attack without DMARC:

From: ceo@yourcompany.com  (visible to recipient)
DKIM signed by: attacker.com  (passes DKIM, but wrong domain)

With DMARC alignment, this fails because the DKIM domain doesn't match the From domain.
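The alignment check described above, as an added Python example (not from the original article): it parses the DMARC record shown earlier and evaluates whether the From domain aligns with the SPF- or DKIM-authenticated domain under strict or relaxed mode, returning the disposition a receiver would apply. The organizational-domain logic is simplified to the last two labels instead of the Public Suffix List, and the sp= and pct= tags are ignored.

```python
from typing import Optional

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into tags; alignment modes default to relaxed (RFC 7489)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (a real check uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record: str, from_domain: str,
                 spf_domain: Optional[str], spf_pass: bool,
                 dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """'pass' if SPF or DKIM passed with alignment, otherwise the p= disposition."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# The article's record, and the spoof from the text: the visible From says
# yourcompany.com, but the only passing DKIM signature carries d=attacker.com.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    print(dmarc_result(RECORD, "yourcompany.com", "attacker.com", True, "attacker.com", True))  # reject
    print(dmarc_result(RECORD, "yourcompany.com", None, False, "yourcompany.com", True))        # pass
```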

DMARC Policies

DMARC offers three policy levels:

  Policy         | Action          | When to Use
  p=none         | Monitor only    | Initial deployment, gathering data
  p=quarantine   | Send to spam    | Transition phase
  p=reject       | Block entirely  | Full enforcement

Most organizations start with p=none to collect reports, then gradually move to p=reject.

DMARC Reporting

One of DMARC's biggest advantages: visibility.

Aggregate reports (rua) show:

  • Which IPs are sending email for your domain
  • SPF and DKIM pass/fail rates
  • Alignment results

Forensic reports (ruf) provide:

  • Details about individual failing emails
  • Useful for identifying spoofing attempts

This visibility helps you discover:

  • Legitimate services you forgot to authorize
  • Attackers trying to spoof your domain
  • Configuration problems with SPF or DKIM


Implementation Order

The right sequence:

  1. Configure SPF: List all servers authorized to send email for your domain.
  2. Configure DKIM: Enable signing for all email services. Publish public keys in DNS.
  3. Deploy DMARC with p=none: Start collecting reports. Don't enforce yet.
  4. Analyze reports: Identify legitimate sources not covered by SPF/DKIM. Fix gaps.
  5. Move to p=reject: Once you're confident all legitimate email passes, enforce the policy.

Common Mistakes

Setting DMARC to reject too early: Without proper SPF and DKIM coverage, you'll block your own legitimate email.

Forgetting alignment: SPF and DKIM might pass, but if the domains don't align with your From address, DMARC still fails.

Not reading reports: DMARC reports tell you exactly what's failing and why. Ignoring them defeats the purpose of the monitoring phase.

Skipping DKIM: SPF alone often fails on forwarded email. DKIM provides backup authentication that survives forwarding.

Do You Need Both?

Yes, but for different reasons:

  • DKIM without DMARC: Your emails are signed, but failures have no consequences. Attackers can still spoof your domain.

  • DMARC without DKIM: You're relying entirely on SPF, which breaks when emails are forwarded. Less robust protection.

  • Both together: Proper authentication plus policy enforcement. This is the standard for email security in 2026.
