How SPF, DKIM and DMARC Work Together

How SPF DKIM and DMARC Work Together

Understanding how SPF, DKIM, and DMARC work together is essential for implementing complete email authentication. This guide explains the authentication flow and how each protocol contributes to email security.

The Email Authentication Chain

When an email arrives at a receiving server, three separate checks happen:

  1. SPF Check: Is the sending server authorized?
  2. DKIM Check: Is the signature valid?
  3. DMARC Check: Do the results align with the visible sender, and what should happen?

Step-by-Step Authentication Flow

1. Email is Sent

Your email server sends a message. Before sending:

  • The server signs the message with DKIM (using your private key)
  • The server is identified by its IP address (checked against SPF)

2. SPF Verification

The receiving server:

  1. Extracts the domain from the MAIL FROM (envelope sender) address
  2. Queries DNS for the SPF record of that domain
  3. Compares the sending server's IP against authorized IPs
  4. Records result: Pass, Fail, SoftFail, Neutral, or PermError

3. DKIM Verification

The receiving server:

  1. Finds the DKIM-Signature header in the email
  2. Extracts the signing domain and selector
  3. Retrieves the public key from DNS (selector._domainkey.domain.com)
  4. Verifies the signature against the email content
  5. Records result: Pass or Fail

4. DMARC Alignment Check

This is where DMARC adds critical value. The server:

  1. Looks at the domain in the visible From header
  2. Checks if SPF passed AND the SPF domain matches/aligns with From
  3. Checks if DKIM passed AND the DKIM domain matches/aligns with From
  4. At least ONE must align for DMARC to pass

5. Policy Application

Based on DMARC result and your policy:

  • DMARC Pass: Email is delivered normally
  • DMARC Fail + p=none: Delivered, but recorded in reports
  • DMARC Fail + p=quarantine: Sent to spam/junk folder
  • DMARC Fail + p=reject: Email is blocked

6. Reporting

The receiving server sends aggregate reports to the address in your DMARC record, detailing all authentication results.

Understanding Alignment

Alignment is DMARC's key contribution. It ensures the authenticated domain matches what users see.

SPF Alignment

  • Compares the SPF-authenticated domain (MAIL FROM) with the From header domain
  • Relaxed mode: Organizational domains must match (subdomain OK)
  • Strict mode: Exact domain match required

DKIM Alignment

  • Compares the DKIM signing domain (d= tag) with the From header domain
  • Relaxed mode: Organizational domains must match
  • Strict mode: Exact domain match required

Example Scenarios

From: user@company.com

Authenticated Domain Relaxed Alignment Strict Alignment
company.com ✅ Pass ✅ Pass
mail.company.com ✅ Pass ❌ Fail
other-company.com ❌ Fail ❌ Fail

Why All Three Are Needed

SPF Alone

  • Only checks envelope sender, not visible From
  • Breaks when email is forwarded
  • Attacker can use their domain for envelope while spoofing From

DKIM Alone

  • Proves message authenticity and integrity
  • But attacker can sign with their own domain while spoofing From
  • No policy for what happens on failure

DMARC Completes the Picture

  • Requires authenticated domain to match visible From
  • Provides policy for handling failures
  • Delivers reports for visibility and monitoring

Common Authentication Patterns

Direct Send (Your Own Server)

SPF: ✅ Your IP is authorized
DKIM: ✅ Signed with your key
DMARC: ✅ Both align with From domain

Email Service Provider (Properly Configured)

SPF: ✅ ESP's IP in your SPF include
DKIM: ✅ ESP signs with your domain (custom authentication)
DMARC: ✅ At least one aligns

Email Service (Default Configuration)

SPF: ✅ ESP's IP authorized for ESP's domain
DKIM: ✅ ESP signs with ESP's domain
DMARC: ❌ Neither aligns with YOUR From domain

Solution: Enable custom domain authentication in the ESP.

Forwarded Email

SPF: ❌ Forwarding server not in original SPF
DKIM: ✅ (Usually) Original signature intact
DMARC: ✅ DKIM alignment saves the day

This is why DKIM is critical—it survives forwarding.

Configuring for Success

Implementation Order

  1. SPF First: List all authorized sending sources
  2. DKIM Second: Enable signing for each service
  3. DMARC Third: Start with p=none, monitor, then enforce

For Each Email Service

  • Add their include to your SPF record
  • Enable DKIM signing with their provided keys
  • Enable custom domain authentication (critical for DMARC alignment)

DMARC Record Best Practices

  • Start with relaxed alignment (default)
  • Begin with p=none to monitor
  • Set up aggregate reporting
  • Review reports before increasing enforcement

Troubleshooting Integration Issues

SPF Passes, DKIM Passes, DMARC Fails

This means neither authenticated domain aligns with From. Common causes:

  • Email service using their domain instead of yours
  • Custom domain authentication not configured
  • Mismatched From address and signing domain

SPF Fails, DKIM Passes, DMARC Passes

This is OK—only one alignment is needed. But you should still fix SPF for redundancy.

Everything Fails

  • Verify DNS records are published correctly
  • Check for typos in selectors or includes
  • Ensure the sending service is actually configured

Monitoring the Integration

DMARC reports show how all three protocols interact:

  • SPF result and alignment status
  • DKIM result and alignment status
  • Overall DMARC disposition
  • Sending IP and volume

Use these reports to identify:

  • Services needing configuration
  • Unauthorized sending attempts
  • Alignment problems to fix

Summary

The three protocols form a complete system:

Protocol Role Limitation Solved By
SPF Authorize servers DKIM (for forwarding)
DKIM Verify authenticity DMARC (for alignment)
DMARC Enforce alignment + policy Depends on SPF and DKIM

Together, they ensure emails are from authorized servers, haven't been tampered with, and are legitimately claiming to be from your domain.

For setup instructions, see our guides on SPF setup, DKIM setup, and DMARC setup.

0 comments

Leave a comment

Please note, comments need to be approved before they are published.