SPF vs DKIM vs DMARC: Complete Comparison Guide

Understand the differences between SPF, DKIM, and DMARC email authentication protocols. Learn what each does, how they work together, and why you need all three.

Last updated: 2026-01-28

SPF, DKIM, and DMARC are the three pillars of email authentication. Each serves a different purpose, and together they protect your domain from spoofing while improving deliverability. Here's how they compare.

The 30-Second Summary

  • SPF = "Who can send email for my domain?" (server authorization)
  • DKIM = "Was this email tampered with?" (message integrity)
  • DMARC = "What happens when authentication fails?" (policy enforcement)

You need all three. They work together, not as alternatives.

Complete Comparison

Feature                             SPF                 DKIM                DMARC
Primary purpose                     Authorize senders   Verify integrity    Enforce policy
What it checks                      Sending server IP   Message signature   SPF + DKIM results
DNS record type                     TXT                 TXT                 TXT
Works standalone                    Yes                 Yes                 No
Survives forwarding                 No                  Usually             Depends
Prevents spoofing                   Partially           Partially           Yes
Provides reports                    No                  No                  Yes
Required for Gmail/Yahoo bulk send  Yes                 Yes                 Yes

How SPF Works

SPF (Sender Policy Framework) publishes a list of authorized sending servers in DNS.

Your SPF record says: "Only these IP addresses and services can send email from @example.com"

v=spf1 include:_spf.google.com include:sendgrid.net -all

When receiving a message, the server:

  1. Looks at the envelope sender (Return-Path)
  2. Queries DNS for that domain's SPF record
  3. Checks if the sending IP is authorized
  4. Passes or fails the email

Limitations:

  • Checks envelope sender, not the visible From address
  • Breaks when emails are forwarded
  • Limited to 10 DNS lookups (easy to exceed)
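The receiver-side evaluation and the 10-lookup limit described above, as an added example that is not part of the original page: a simplified SPF checker over a constructed DNS zone (the example.com / _spf.mail.example records and the max_lookups parameter are assumptions for this demo, not live data).

```python
import ipaddress

# Constructed zone data standing in for live DNS TXT lookups (example values only).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 include:_spf2.mail.example ~all",
    "_spf2.mail.example": "v=spf1 ip4:198.51.100.20 -all",
}
MAX_LOOKUPS = 10  # RFC 7208: at most 10 DNS-querying terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, lookups=None, max_lookups=MAX_LOOKUPS):
    """Evaluate client_ip against the SPF record of the envelope (Return-Path) domain.

    Returns (result, lookups_used). Only ip4/ip6, include and all are handled here;
    a, mx, exists and redirect also count against the lookup limit in real SPF.
    """
    lookups = [0] if lookups is None else lookups  # shared counter across includes
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            # A bare address such as ip4:198.51.100.10 becomes a /32 network.
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier], lookups[0]
        elif mech.startswith("include:"):
            lookups[0] += 1  # each include is one DNS lookup
            if lookups[0] > max_lookups:
                return "permerror", lookups[0]  # over the limit: record is unusable
            sub, _ = check_spf(mech[8:], client_ip, lookups, max_lookups)
            if sub == "permerror":
                return "permerror", lookups[0]
            if sub == "pass":  # include matches only when the included record passes
                return QUALIFIERS[qualifier], lookups[0]
        elif mech == "all":
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]  # no mechanism matched and no all term


if __name__ == "__main__":
    print(check_spf("example.com", "203.0.113.5"))    # ('pass', 0)
    print(check_spf("example.com", "198.51.100.20"))  # ('pass', 2)
    print(check_spf("example.com", "192.0.2.1"))      # ('fail', 2)
```

Passing a small max_lookups shows how a record that chains too many includes turns into a permerror, which receivers treat as no usable SPF at all.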

How DKIM Works

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email.

Your sending server:

  1. Hashes key parts of the message (headers + body)
  2. Signs the hash with your private key
  3. Adds the signature to the email header

Receiving servers:

  1. Extract the DKIM-Signature header
  2. Look up your public key from DNS
  3. Verify the signature is valid
  4. Confirm nothing was modified

Key advantage: Signatures travel with the message, so DKIM usually survives forwarding.

Your DKIM record looks like:

selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

The selector matters

DKIM uses selectors to support multiple keys. You need to know your selector to look up or test your DKIM record.
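The signing and verification steps above, as an added example that is not code from the original page: the body-hash (bh=) part of DKIM, using the "simple" body canonicalization from RFC 6376, plus a tag parser for the DKIM-Signature header. The sample bodies and header are constructed; the RSA signature in b= and the DNS key lookup are left out, and treating bare LF as a line ending is an assumption for this demo.

```python
import base64
import hashlib
import re

def canonicalize_body_simple(body: str) -> bytes:
    """'simple' body canonicalization (RFC 6376 section 3.4.3): drop empty lines at
    the end of the body. Normalizing bare LF to CRLF is an assumption for this demo."""
    lines = re.split(r"\r\n|\n", body)
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, removing folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(header_value: str, body: str) -> bool:
    """Verifier's first check: recompute bh= over the received body and compare.
    Verifying b= (the RSA signature over the h= headers) is omitted here."""
    return parse_dkim_signature(header_value).get("bh") == body_hash(body)

# Constructed sample messages (not real mail traffic).
ORIGINAL_BODY = "Hello Alice,\n\nYour invoice is attached.\n\n\n"
# A forwarder re-encoded line endings and trimmed trailing blank lines: content unchanged.
FORWARDED_BODY = "Hello Alice,\r\n\r\nYour invoice is attached.\r\n"
# A mailing list appended a footer: content changed.
MODIFIED_BODY = "Hello Alice,\n\nYour invoice is attached.\n-- \nSent via list.example\n"

# Constructed header; a signer computes bh= exactly as body_hash() does. Received
# headers added in transit are not listed in h=, so they do not affect the signature.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=selector;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    " b=[signature omitted]"
)
```

The d= and s= tags parsed here are what a verifier combines into selector._domainkey.example.com to fetch the public key.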

How DMARC Works

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with policy.

Your DMARC record says: "Here's what to do when SPF or DKIM fails, and here's where to send reports."

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s

Key features:

  • Policy (p=): none (monitor), quarantine (spam folder), or reject (block)
  • Alignment: The authenticated domain must match the From header
  • Reporting: Aggregate and forensic reports show authentication results

DMARC passes when:

  • SPF passes AND aligns with the From domain, OR
  • DKIM passes AND aligns with the From domain

Most organizations aim for both to pass.

Why You Need All Three

Each protocol covers gaps the others leave:

SPF without DKIM

Forwarded emails fail authentication. No message integrity verification.

DKIM without SPF

No verification that the sending server was authorized. Signatures can be stripped.

SPF + DKIM without DMARC

No policy enforcement. Failures are just noted, not acted upon. No visibility via reports.

All three together

Complete protection: authorized servers, verified messages, enforced policy, and full visibility.

The Forwarding Problem

This is where the protocols differ most.

Scenario: You email alice@company.com. Alice has email forwarding to her personal Gmail.

SPF result: FAIL. The forwarding server's IP isn't in your SPF record.

DKIM result: PASS (usually). The signature is intact if the forwarder didn't modify the message.

DMARC result: PASS. Only one of SPF or DKIM needs to pass with alignment.

This is why DKIM matters—it provides backup authentication when SPF fails due to forwarding.
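The DMARC pass rule (SPF or DKIM must pass and align) and the forwarding scenario above, as an added example that is not part of the original page: a small DMARC evaluator over constructed policy records. The DMARC_TXT table, the sender domains and the two-label organizational-domain shortcut are assumptions for this demo (real DMARC uses the Public Suffix List).

```python
# Constructed records standing in for _dmarc.<domain> TXT lookups (example values only).
DMARC_TXT = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "example.net": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.net",  # relaxed by default
}

def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict (works for DMARC and DKIM records alike)."""
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in record.split(";") if "=" in t)}

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real DMARC uses
    the Public Suffix List, so this assumption breaks for names like example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 section 3.1: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain: domain of the visible From header; spf_domain: Return-Path (MAIL FROM)
    domain SPF was checked against; dkim_domain: d= tag of the verified DKIM-Signature.
    """
    record = DMARC_TXT.get(from_domain) or DMARC_TXT.get(org_domain(from_domain))
    if record is None:
        return "none", "none"  # no policy published: nothing to enforce
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "none"
    return "fail", tags.get("p", "none")  # apply the published policy

if __name__ == "__main__":
    # The forwarding scenario above: SPF fails at the forwarder, DKIM still passes.
    print(evaluate_dmarc("example.com", "fail", "fwd.example.org", "pass", "example.com"))
    # Third-party sender using its own Return-Path and no DKIM for the domain: rejected.
    print(evaluate_dmarc("example.com", "pass", "bulkmail.example", "none", ""))
```

The second call is the usual cause of legitimate mail failing DMARC: SPF passes for the service's own domain, but nothing aligned with the From domain passes, so the p=reject policy applies.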

Verify your DKIM is working

Don't rely solely on SPF. Make sure DKIM is properly configured.


Implementation Checklist

1. Inventory your email sources

   List every service that sends email as your domain: email provider, marketing tools, CRM, transactional email, support desk, etc.

2. Configure SPF

   Create or update your SPF record to include all sending services. Stay under 10 DNS lookups.

3. Configure DKIM

   Enable DKIM signing in each email service. Add the public key records to your DNS.

4. Deploy DMARC with p=none

   Start monitoring. Collect reports to see what's passing and failing.

5. Analyze and fix

   Review DMARC reports. Fix any legitimate sources that aren't authenticated.

6. Enforce DMARC

   Move from p=none to p=quarantine, then p=reject once everything legitimate passes.

Common Configuration Mistakes

SPF mistakes:

  • Exceeding the 10 DNS lookup limit
  • Using +all (allows anyone to send)
  • Forgetting a sending service (shadow IT is common)
  • Syntax errors (SPF is unforgiving)

DKIM mistakes:

  • Wrong selector in the DNS record
  • Truncated public key (common with 2048-bit keys)
  • Not enabling DKIM signing in the email service
  • Forgetting to add records for all sending services

DMARC mistakes:

  • Jumping to p=reject before proper testing
  • Not monitoring reports during the p=none phase
  • Ignoring alignment requirements
  • Not updating policy as email infrastructure changes

2024+ Requirements

Google and Yahoo's bulk sender requirements now mandate all three:

  • SPF or DKIM — At minimum, one must pass
  • DMARC — Required for domains sending over 5,000 messages/day
  • Alignment — The From domain must align with SPF or DKIM

If you're sending bulk email, these aren't optional anymore.

Checking All Three

You can verify each record with dedicated tools:

  1. Check SPF — Verify your record syntax and included services
  2. Check DKIM — Test your selector and public key validity
  3. Check DMARC — Confirm your policy and reporting addresses

Or monitor all three from a single dashboard that alerts you when anything changes.
