DKIM vs DMARC: What's the Difference?
Understand the difference between DKIM and DMARC, how they work together, and which to set up first for email authentication.
Last updated: 2026-01-28
DKIM and DMARC are both email authentication protocols, but they serve different purposes. Understanding how they differ—and how they work together—is essential for protecting your domain and improving email deliverability.
The Short Answer
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails. It proves the email hasn't been modified and that someone with your private key signed it.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy layer. It tells receiving servers what to do when emails fail authentication—and requires that DKIM or SPF results align with your From address.
Think of it this way: DKIM is a signature on a letter. DMARC is the policy that tells the post office what to do if the signature doesn't match.
How DKIM Works
When you send an email with DKIM enabled:
- Your mail server computes a cryptographic hash of the email content
- The hash is signed with your private key
- The resulting signature is added to the email header
- Your public key is published in DNS
When the email arrives:
- The receiving server retrieves your public key from DNS
- It verifies the signature with the public key, recovering the hash the sender signed
- It computes its own hash of the email content
- If the hashes match, DKIM passes
DKIM proves the email is authentic and unmodified. But it doesn't tell receiving servers what to do if verification fails.
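The body-hash half of that check, as an added example (not code from the original article): the `bh=` tag in a DKIM-Signature header is the base64 SHA-256 of the canonicalized body, so a receiver can recompute it before touching the public key. The sample message and header are constructed here; only the "relaxed" body canonicalization is implemented.

```python
import base64
import hashlib
import re

# Constructed sample body (CRLF line endings, as on the wire). Note the
# irregular spacing and the trailing empty lines: relaxed canonicalization
# tolerates both, so a forwarder that reflows whitespace does not break DKIM.
SAMPLE_BODY = "Hello team,\r\n\r\nPlease   review the  attached report.\r\n\r\n\r\n"


def relaxed_body_canonicalize(body: str) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376 section 3.4.4):
    strip trailing whitespace on each line, collapse runs of whitespace to a
    single space, drop trailing empty lines, and end the body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""  # an empty body canonicalizes to nothing at all
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= value: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'v=1; a=rsa-sha256; bh=...; b=...' into a tag dictionary.
    Tag values may be folded across lines, so all whitespace is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def body_hash_matches(header_value: str, body: str) -> bool:
    """First thing a verifier does: does bh= match the body that actually arrived?
    A mismatch means the body changed in transit (or the signature is for another body),
    so the signature over the headers need not even be checked."""
    return parse_dkim_tags(header_value).get("bh") == body_hash(body)
```

The cryptographic signature in `b=` still has to be verified against the selector's public key; this only shows why whitespace-only changes survive while a changed word does not.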
How DMARC Works
DMARC builds on top of DKIM and SPF. It does three things:
1. Alignment checking: DMARC requires that the domain in your DKIM signature (or SPF check) matches the domain in your From address. This prevents attackers from using their own valid DKIM signature on spoofed emails.
2. Policy enforcement: You specify what receiving servers should do with emails that fail:
- p=none: Deliver anyway (monitoring mode)
- p=quarantine: Send to spam folder
- p=reject: Don't deliver at all
3. Reporting: Receiving servers send you reports about emails claiming to be from your domain—including failed authentication attempts.
DMARC is published as a DNS record at _dmarc.yourdomain.com. It doesn't add signatures or check IP addresses—it just tells servers how to interpret DKIM and SPF results.
Key Differences
| Aspect | DKIM | DMARC |
|---|---|---|
| Purpose | Signs emails with cryptographic signature | Sets policy for authentication failures |
| How it works | Public/private key cryptography | DNS-published policy record |
| What it checks | Email content integrity | DKIM/SPF alignment with From domain |
| Failure handling | Reports result, takes no action | Specifies deliver/quarantine/reject |
| Reporting | None | Daily aggregate and forensic reports |
| DNS record type | TXT at selector._domainkey.domain | TXT at _dmarc.domain |
How They Work Together
DKIM and DMARC are designed to complement each other. Here's what happens when an email arrives:
DKIM verification
The receiving server checks the DKIM signature. Result: pass, fail, or none.
SPF verification
The receiving server checks if the sending IP is authorized. Result: pass, fail, or none.
DMARC alignment check
If DKIM passed, does the DKIM domain match the From domain? If SPF passed, does the SPF domain match the From domain?
DMARC policy application
If neither DKIM nor SPF passed with alignment, the DMARC policy determines whether to deliver, quarantine, or reject.
An email passes DMARC if either:
- DKIM passes AND the DKIM domain aligns with the From domain
- SPF passes AND the SPF domain aligns with the From domain
You don't need both to pass—just one with proper alignment.
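The four-step evaluation above, written out as an added example (not the article's or any mail server's code). It parses a DMARC record, applies strict or relaxed alignment, and returns the pass/fail result together with the disposition the policy asks for. The organizational-domain helper is a simplification: it takes the last two labels, whereas real verifiers consult the Public Suffix List.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse the TXT record at _dmarc.<domain>, e.g. 'v=DMARC1; p=reject; adkim=s'.
    Defaults follow the DMARC spec: relaxed alignment for both DKIM and SPF."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: the last two labels.
    Production code must use the Public Suffix List (this is wrong for .co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record_txt: str, from_domain: str, dkim_results, spf_result):
    """dkim_results: list of (d= domain, 'pass'|'fail') for each DKIM-Signature.
    spf_result: (domain SPF was evaluated for, 'pass'|'fail'|'none').
    Returns (dmarc_pass, disposition). The sp= subdomain policy is not handled."""
    rec = parse_dmarc_record(record_txt)
    # Step 3: alignment. A passing DKIM signature from the attacker's own domain
    # is still a pass for DKIM, but it does not align with the From domain.
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, rec["adkim"])
                  for dom, res in dkim_results)
    spf_ok = spf_result[1] == "pass" and aligned(spf_result[0], from_domain, rec["aspf"])
    # Step 4: either aligned pass is enough; otherwise the p= policy decides.
    if dkim_ok or spf_ok:
        return True, "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, disposition.get(rec["p"], "deliver")
```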
Can You Have One Without the Other?
DKIM without DMARC: Yes, but you're missing the policy layer. Emails will be signed, but receiving servers won't have instructions on what to do if verification fails. You also won't get reports about authentication failures.
DMARC without DKIM: Technically possible if you have SPF, but not recommended. DKIM survives email forwarding better than SPF. Without DKIM, forwarded emails will likely fail DMARC.
DMARC without both DKIM and SPF: DMARC has nothing to check. All emails will fail DMARC (since neither SPF nor DKIM can pass).
Best practice
Implement both DKIM and SPF, then add DMARC. This gives you redundant authentication—if one method fails (like SPF after forwarding), the other can still pass.
Which to Set Up First
The recommended order:
SPF
Quickest to implement. Just a DNS TXT record listing authorized sending IPs. Check yours at spfrecordcheck.com.
DKIM
Requires configuration in your email service and DNS. Most cloud email providers make this straightforward.
DMARC
Start with p=none (monitoring mode) to collect reports without affecting delivery. Once you're confident in your setup, move to p=quarantine and eventually p=reject.
Check your DMARC configuration at dmarcrecordchecker.com.
What About SPF?
SPF (Sender Policy Framework) is the third piece of the email authentication puzzle. While DKIM verifies the message, SPF verifies the sending server.
| Protocol | Verifies |
|---|---|
| SPF | Is this server authorized to send for this domain? |
| DKIM | Is this message unmodified and signed by this domain? |
| DMARC | Do SPF/DKIM pass AND align? What's the policy? |
For complete email authentication, you need all three. DMARC uses both SPF and DKIM results to make its decision.
Why You Need Both DKIM and DMARC
Having only DKIM leaves gaps in your email security:
No policy enforcement: Without DMARC, receiving servers decide on their own what to do with failed DKIM. Some might deliver, others might reject. You have no control.
No visibility: DMARC reports show you who's sending email claiming to be from your domain. Without them, you're blind to spoofing attempts.
No alignment requirement: Without DMARC, an attacker could use their own valid DKIM key while spoofing your From address. DMARC's alignment requirement prevents this.
Incomplete authentication: Major email providers like Google and Yahoo now expect DMARC for bulk senders. Without it, you may face deliverability issues.
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.