Understanding how SPF, DKIM, and DMARC work together is essential for implementing complete email authentication. This guide explains the authentication flow and how each protocol contributes to email security.
The Email Authentication Chain
When an email arrives at a receiving server, three separate checks happen:
- SPF Check: Is the sending server authorized?
- DKIM Check: Is the signature valid?
- DMARC Check: Do the results align with the visible sender, and what should happen?
Step-by-Step Authentication Flow
1. Email is Sent
Your email server sends a message. Before sending:
- The server signs the message with DKIM (using your private key)
- The server is identified by its IP address (checked against SPF)
2. SPF Verification
The receiving server:
- Extracts the domain from the MAIL FROM (envelope sender) address
- Queries DNS for the SPF record of that domain
- Compares the sending server's IP against authorized IPs
- Records result: Pass, Fail, SoftFail, Neutral, or PermError
3. DKIM Verification
The receiving server:
- Finds the DKIM-Signature header in the email
- Extracts the signing domain and selector
- Retrieves the public key from DNS (selector._domainkey.domain.com)
- Verifies the signature against the email content
- Records result: Pass or Fail
4. DMARC Alignment Check
This is where DMARC adds critical value. The server:
- Looks at the domain in the visible From header
- Checks if SPF passed AND the SPF domain matches/aligns with From
- Checks if DKIM passed AND the DKIM domain matches/aligns with From
- At least ONE must align for DMARC to pass
5. Policy Application
Based on DMARC result and your policy:
- DMARC Pass: Email is delivered normally
- DMARC Fail + p=none: Delivered, but recorded in reports
- DMARC Fail + p=quarantine: Sent to spam/junk folder
- DMARC Fail + p=reject: Email is blocked
6. Reporting
The receiving server sends aggregate reports to the address in your DMARC record, detailing all authentication results.
Understanding Alignment
Alignment is DMARC's key contribution. It ensures the authenticated domain matches what users see.
SPF Alignment
- Compares the SPF-authenticated domain (MAIL FROM) with the From header domain
- Relaxed mode: Organizational domains must match (subdomain OK)
- Strict mode: Exact domain match required
DKIM Alignment
- Compares the DKIM signing domain (d= tag) with the From header domain
- Relaxed mode: Organizational domains must match
- Strict mode: Exact domain match required
Example Scenarios
From: user@company.com
| Authenticated Domain | Relaxed Alignment | Strict Alignment |
|---|---|---|
| company.com | ✅ Pass | ✅ Pass |
| mail.company.com | ✅ Pass | ❌ Fail |
| other-company.com | ❌ Fail | ❌ Fail |
Why All Three Are Needed
SPF Alone
- Only checks envelope sender, not visible From
- Breaks when email is forwarded
- Attacker can use their domain for envelope while spoofing From
DKIM Alone
- Proves message authenticity and integrity
- But attacker can sign with their own domain while spoofing From
- No policy for what happens on failure
DMARC Completes the Picture
- Requires authenticated domain to match visible From
- Provides policy for handling failures
- Delivers reports for visibility and monitoring
Common Authentication Patterns
Direct Send (Your Own Server)
SPF: ✅ Your IP is authorized DKIM: ✅ Signed with your key DMARC: ✅ Both align with From domain
Email Service Provider (Properly Configured)
SPF: ✅ ESP's IP in your SPF include DKIM: ✅ ESP signs with your domain (custom authentication) DMARC: ✅ At least one aligns
Email Service (Default Configuration)
SPF: ✅ ESP's IP authorized for ESP's domain DKIM: ✅ ESP signs with ESP's domain DMARC: ❌ Neither aligns with YOUR From domain
Solution: Enable custom domain authentication in the ESP.
Forwarded Email
SPF: ❌ Forwarding server not in original SPF DKIM: ✅ (Usually) Original signature intact DMARC: ✅ DKIM alignment saves the day
This is why DKIM is critical—it survives forwarding.
Configuring for Success
Implementation Order
- SPF First: List all authorized sending sources
- DKIM Second: Enable signing for each service
- DMARC Third: Start with p=none, monitor, then enforce
For Each Email Service
- Add their include to your SPF record
- Enable DKIM signing with their provided keys
- Enable custom domain authentication (critical for DMARC alignment)
DMARC Record Best Practices
- Start with relaxed alignment (default)
- Begin with p=none to monitor
- Set up aggregate reporting
- Review reports before increasing enforcement
Troubleshooting Integration Issues
SPF Passes, DKIM Passes, DMARC Fails
This means neither authenticated domain aligns with From. Common causes:
- Email service using their domain instead of yours
- Custom domain authentication not configured
- Mismatched From address and signing domain
SPF Fails, DKIM Passes, DMARC Passes
This is OK—only one alignment is needed. But you should still fix SPF for redundancy.
Everything Fails
- Verify DNS records are published correctly
- Check for typos in selectors or includes
- Ensure the sending service is actually configured
Monitoring the Integration
DMARC reports show how all three protocols interact:
- SPF result and alignment status
- DKIM result and alignment status
- Overall DMARC disposition
- Sending IP and volume
Use these reports to identify:
- Services needing configuration
- Unauthorized sending attempts
- Alignment problems to fix
Summary
The three protocols form a complete system:
| Protocol | Role | Limitation Solved By |
|---|---|---|
| SPF | Authorize servers | DKIM (for forwarding) |
| DKIM | Verify authenticity | DMARC (for alignment) |
| DMARC | Enforce alignment + policy | Depends on SPF and DKIM |
Together, they ensure emails are from authorized servers, haven't been tampered with, and are legitimately claiming to be from your domain.
For setup instructions, see our guides on SPF setup, DKIM setup, and DMARC setup.
0 comments