SPF vs DKIM vs DMARC: What's the Difference?

SPF vs DKIM vs DMARC Comparison

SPF, DKIM, and DMARC are three email authentication protocols that work together to protect your domain from spoofing and improve email deliverability. While they're often mentioned together, each serves a distinct purpose.

This guide explains what each protocol does, how they differ, and why you need all three for complete email security.

Quick Comparison

Protocol What It Checks Purpose Published As
SPF Sending server IP Authorize who can send TXT record at domain
DKIM Cryptographic signature Verify message integrity TXT record at selector._domainkey.domain
DMARC SPF/DKIM alignment with From header Policy enforcement & reporting TXT record at _dmarc.domain

SPF: Who Can Send

SPF (Sender Policy Framework) answers the question: "Is this server authorized to send email for this domain?"

How SPF Works

  • You publish a list of authorized IP addresses/servers in DNS
  • Receiving servers check if the sending IP is on your list
  • If yes, SPF passes. If no, SPF fails.

SPF Strengths

  • Simple to implement
  • Verifies sending server authorization
  • Works at the server/IP level

SPF Weaknesses

  • Only checks envelope sender (MAIL FROM), not visible From header
  • Breaks when emails are forwarded
  • Limited to 10 DNS lookups
  • Doesn't verify message content

DKIM: Message Authenticity

DKIM (DomainKeys Identified Mail) answers the question: "Is this email really from who it claims to be, and has it been tampered with?"

How DKIM Works

  • Sending server creates a cryptographic signature of the email
  • Signature is added to the email header
  • Receiving server retrieves your public key from DNS
  • It verifies the signature matches the email content

DKIM Strengths

  • Proves message hasn't been modified
  • Works even when email is forwarded
  • Provides cryptographic verification
  • Supports multiple keys via selectors

DKIM Weaknesses

  • Doesn't verify the signing domain matches the From header
  • Can break when content is modified (mailing lists)
  • Requires key management
  • More complex to set up than SPF

DMARC: Policy and Alignment

DMARC (Domain-based Message Authentication, Reporting, and Conformance) answers the question: "What should happen when authentication fails, and does the authenticated domain match what users see?"

How DMARC Works

  • Checks if SPF or DKIM passed
  • Verifies the authenticated domain aligns with the visible From header
  • Applies your policy (none, quarantine, reject) to failing emails
  • Sends you reports about authentication results

DMARC Strengths

  • Closes the alignment gap left by SPF and DKIM
  • Provides actionable policies for failures
  • Generates reports showing who's sending as your domain
  • The only protocol that protects the visible From address

DMARC Weaknesses

  • Depends on SPF and DKIM being configured
  • Can block legitimate email if implemented too aggressively
  • Reports require processing and analysis

Why You Need All Three

Each protocol addresses different vulnerabilities. Using only one or two leaves gaps:

SPF Only

Attackers can still spoof your domain because SPF doesn't check the visible From header. They can also modify email content without detection.

DKIM Only

Attackers can sign emails with their own domain while spoofing yours in the From header. There's no policy for what to do with failures.

SPF + DKIM (No DMARC)

Still leaves the alignment gap. Attackers can pass both checks with their own domain while displaying yours to users. No reporting visibility.

All Three Together

  • SPF verifies the sending server is authorized
  • DKIM verifies the message is authentic and unmodified
  • DMARC ensures the authenticated domain matches what users see
  • DMARC enforces policy and provides visibility through reports

The Authentication Flow

Here's what happens when email arrives at a receiving server:

  1. SPF Check: Is the sending IP authorized for the envelope sender domain?
  2. DKIM Check: Does the signature verify against the public key?
  3. DMARC Alignment Check: Does either the SPF domain or DKIM signing domain match the From header domain?
  4. DMARC Policy: Based on pass/fail, deliver normally, quarantine, or reject

For DMARC to pass, at least one of the following must be true:

  • SPF passes AND the SPF domain aligns with the From header
  • DKIM passes AND the DKIM signing domain aligns with the From header

Implementation Order

We recommend implementing in this order:

  1. SPF First
    • Simplest to implement
    • Immediate deliverability benefits
    • Lists all your sending sources
  2. DKIM Second
    • Enable for each email service
    • Add DNS records for each selector
    • Test to confirm signatures validate
  3. DMARC Third
    • Start with p=none to monitor
    • Review reports to identify issues
    • Gradually increase enforcement

Record Examples

SPF Record

Published at: yourdomain.com (TXT record)

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

DKIM Record

Published at: selector._domainkey.yourdomain.com (TXT record)

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB...

DMARC Record

Published at: _dmarc.yourdomain.com (TXT record)

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Common Questions

Do I need both SPF and DKIM for DMARC?

Technically, DMARC only requires one to pass and align. However, implementing both provides redundancy and better protection. Some situations (like forwarding) break SPF but not DKIM.

Which is most important?

DMARC provides the most comprehensive protection, but it requires SPF or DKIM to function. All three working together is the goal.

What if I can only implement one?

Start with SPF—it's the simplest and provides immediate benefits. Then add DKIM, then DMARC.

Do email providers check all three?

Major providers (Gmail, Microsoft, Yahoo) check all three. Google and Yahoo now require all three for bulk senders (5,000+ daily emails).

Summary

Protocol Question It Answers Required For
SPF Is this server allowed to send for this domain? Basic deliverability, DMARC alignment option
DKIM Is this message authentic and unmodified? Message verification, DMARC alignment option
DMARC Does authentication match what users see? What happens on failure? Complete protection, visibility, compliance

For complete implementation guidance, see our Email Authentication Complete Guide.

0 comments

Leave a comment

Please note, comments need to be approved before they are published.