SPF, DKIM, and DMARC Explained: The Complete Guide
Understand how SPF, DKIM, and DMARC work together to authenticate email and protect your domain from spoofing. Learn what each protocol does and how to set them up.
Last updated: 2026-01-28
SPF, DKIM, and DMARC are the three pillars of email authentication. Together, they verify that emails actually come from who they claim to be from—and tell receiving servers what to do when they don't.
If you're confused about how these protocols relate to each other, you're not alone. This guide explains each one, how they work together, and how to set them up.
The Big Picture
Each protocol solves a different part of the email authentication puzzle:
| Protocol | What It Does | Analogy |
|----------|--------------|---------|
| SPF | Lists which servers can send email for your domain | A guest list for a party |
| DKIM | Adds a cryptographic signature to prove the email is authentic | A wax seal on a letter |
| DMARC | Tells receivers what to do when SPF/DKIM fail | Instructions for the bouncer |
None of these protocols work well alone. SPF can be bypassed, DKIM doesn't specify policy, and DMARC needs SPF or DKIM results to act on. Together, they form a complete authentication system.
SPF: Sender Policy Framework
SPF answers the question: "Is this server allowed to send email for this domain?"
How SPF Works
- You publish a list of authorized sending IP addresses in your DNS
- When someone receives email claiming to be from your domain, they check this list
- If the sending server's IP is on the list, SPF passes
- If not, SPF fails
What an SPF Record Looks Like
v=spf1 include:_spf.google.com include:amazonses.com -all
This record says:
- v=spf1 - This is an SPF record
- include:_spf.google.com - Google's servers can send for us
- include:amazonses.com - Amazon SES can send for us
- -all - Reject email from anyone else
SPF Limitations
SPF has weaknesses:
- Breaks on forwarding: When email is forwarded, the sending IP changes, often failing SPF
- Only checks envelope sender: SPF checks the "envelope from" (return path), not the "header from" that users see
- 10 DNS lookup limit: Complex SPF records can exceed this limit and fail
Check your SPF record at spfrecordcheck.com.
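To make the 10-lookup limit concrete, here is an added example (not code from the original article) that parses an SPF record and counts the DNS-querying terms, following include: and redirect= recursively. The ZONE dict is a constructed, offline stand-in for DNS TXT lookups; its addresses are illustrative, not the providers' real records.

```python
# Added example: count the terms in an SPF record that each cost a DNS query.
# ZONE is a constructed stand-in for DNS; values are illustrative only.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:amazonses.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 mx -all",
}

# Terms that each count against the limit of 10 (RFC 7208). ip4, ip6 and all
# need no query; the exp= modifier is ignored here.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def parse_spf(record):
    """Return a list of (qualifier, term, value) tuples from an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. redirect=_spf.other.test
            name, value = term.split("=", 1)
        elif ":" in term:                    # mechanism with argument, e.g. include:x
            name, value = term.split(":", 1)
        else:                                # bare mechanism, e.g. mx, a/24, all
            name, value = term, ""
        parsed.append((qualifier, name.split("/")[0].lower(), value))
    return parsed

def count_lookups(domain, zone, depth=0):
    """Total DNS-querying terms reachable from domain's record (0 if it has none)."""
    # A chain deeper than the limit has already blown the budget; stop descending.
    if depth > MAX_LOOKUPS or domain not in zone:
        return 0
    total = 0
    for _, name, value in parse_spf(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, depth + 1)
    return total

def within_limit(domain, zone):
    """True when the record (with everything it includes) stays within 10 lookups."""
    return count_lookups(domain, zone) <= MAX_LOOKUPS
```

Each include: is counted once at the level where it appears plus everything its target record pulls in, which is why a record with only two include: terms can still exceed the limit.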
DKIM: DomainKeys Identified Mail
DKIM answers the question: "Is this email authentic and unmodified?"
How DKIM Works
- Your mail server signs outgoing emails with a private key
- The signature is added as a header in the email
- Your public key is published in DNS
- Receiving servers verify the signature using your public key
- If the signature matches, the email is verified
What a DKIM Record Looks Like
selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
The p= value is your public key (a long string of characters).
DKIM Advantages
- Survives forwarding: Unlike SPF, DKIM signatures travel with the email
- Verifies content integrity: Any modification to the email breaks the signature
- Supports multiple services: Each email service gets its own selector and key
DKIM Limitations
- No policy: DKIM doesn't tell receivers what to do if verification fails
- No alignment requirement by itself: Without DMARC, the DKIM domain doesn't have to match the From address
DMARC: Domain-based Message Authentication, Reporting & Conformance
DMARC answers the question: "What should I do when authentication fails?"
How DMARC Works
- You publish a DMARC policy in DNS
- When email arrives, the receiving server checks SPF and DKIM
- DMARC verifies "alignment"—the domains in SPF/DKIM must match the From address
- If both fail or neither aligns, DMARC applies your policy
- Receivers send you reports about authentication results
What a DMARC Record Looks Like
_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
This record says:
- v=DMARC1 - This is a DMARC record
- p=reject - Reject emails that fail authentication
- rua=mailto:dmarc@example.com - Send aggregate reports to this address
DMARC Policies
| Policy | What It Does | When to Use |
|--------|--------------|-------------|
| p=none | Monitor only, don't affect delivery | Starting out, gathering data |
| p=quarantine | Send failing emails to spam | After verifying legitimate sources pass |
| p=reject | Block failing emails entirely | Full protection, after thorough testing |
Start with p=none and review reports before moving to quarantine or reject. A misconfigured strict policy can block your own legitimate email.
The Alignment Requirement
DMARC's key innovation is alignment. It's not enough for SPF or DKIM to pass—the authenticated domain must match the From address domain.
Without DMARC: An attacker could send email with their own valid DKIM signature while spoofing your From address.
With DMARC: The DKIM signature domain must match the From address, preventing this attack.
Check your DMARC at dmarcrecordchecker.com.
How They Work Together
Here's what happens when an email arrives:
1. SPF check: Is the sending server's IP authorized for this domain? Record the result: pass, fail, or none.
2. DKIM check: Does the email have a valid DKIM signature? Record the result: pass, fail, or none.
3. DMARC alignment: If SPF passed, does the SPF domain align with the From domain? If DKIM passed, does the DKIM domain align with the From domain?
4. DMARC policy: If neither SPF nor DKIM passed with alignment, apply the DMARC policy (none/quarantine/reject).
5. Reporting: Send authentication results to the addresses specified in the DMARC record.
An email passes DMARC if either SPF or DKIM passes with alignment. You don't need both—just one.
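The decision step above, written out as an added example (not code from the original article). It takes the SPF and DKIM results as already computed, and it assumes relaxed alignment compares a simplified organizational domain (the last two labels) rather than consulting the Public Suffix List that real implementations use; the scenarios at the bottom are constructed.

```python
# Added example: the DMARC alignment + policy decision, given SPF/DKIM results.
# Assumption: org_domain() uses the last two labels as a stand-in for the
# Public Suffix List lookup that real DMARC implementations perform.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Simplified organizational domain: mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)

def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' if SPF or DKIM passed *and* aligned, else the p= disposition.
    spf_domain is the envelope-from (return-path) domain; dkim_domain is the
    signature's d= value. Either may be '' when that check produced nothing."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

# Constructed scenarios from the article: forwarded mail (SPF breaks, DKIM survives),
# and a sender using their own valid DKIM key while spoofing the From domain.
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
if __name__ == "__main__":
    print(evaluate_dmarc("example.com", POLICY, "fail", "forwarder.test", "pass", "example.com"))   # pass
    print(evaluate_dmarc("example.com", POLICY, "pass", "attacker.test", "pass", "attacker.test"))  # reject
```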
Setting Up All Three
Recommended Order
1. Start with SPF: Create an SPF record listing all your sending services. This is the quickest to implement.
2. Add DKIM: Enable DKIM signing in each service that sends email for you. Each service needs its own DNS record.
3. Implement DMARC: Start with p=none to collect reports. Analyze who's sending email as your domain. Then gradually move to quarantine and reject.
Example DNS Records
For a domain using Google Workspace and Mailchimp:
SPF Record:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
DKIM Records:
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=..."
k1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=..."
DMARC Record:
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
Common Questions
Do I need all three?
For best deliverability and security, yes. Major email providers like Google and Yahoo require SPF, DKIM, and DMARC for bulk senders. Even if you're not a bulk sender, having all three improves deliverability.
What if I only have SPF?
Your emails may still be delivered, but:
- You have no protection against forwarding breaking authentication
- Attackers can potentially spoof your domain more easily
- Some receivers may treat your emails with more suspicion
What if I only have DKIM?
You're signing emails, but:
- There's no policy telling receivers what to do if signing fails
- Attackers could use their own valid DKIM while spoofing your From address
- You're missing the SPF layer of authentication
Which one is most important?
They're all important for different reasons:
- SPF is easiest to set up and widely checked
- DKIM is most resilient to forwarding
- DMARC ties them together and provides reporting
If forced to prioritize, start with SPF, then DKIM, then DMARC.