SPF vs DKIM: What's the Difference?
SPF and DKIM both authenticate email, but they work differently. Learn what each protects against, how they handle forwarding, and why you need both.
SPF and DKIM are both email authentication standards, but they solve different problems in different ways. SPF checks where the email came from. DKIM checks whether the email was altered in transit. Neither one is a replacement for the other.
Here is how they differ and why you need both.
The Comparison
| Feature | SPF | DKIM |
|---|---|---|
| Authentication method | IP address of sending server | Cryptographic signature on message |
| What you publish in DNS | List of authorized IPs/includes | Public key for signature verification |
| What it protects against | Unauthorized servers sending as you | Message tampering after sending |
| Survives email forwarding | No | Yes (usually) |
| Setup complexity | Low — one DNS TXT record | Medium — key generation + DNS record |
| DNS lookups required | Up to 10 per check | 1-2 per check |
| Checks which identity | Envelope sender (Return-Path) | Signing domain (d= tag) |
How SPF Works
SPF lets you declare which servers are allowed to send email for your domain. You publish a DNS TXT record that lists authorized IP addresses and references to other SPF records. You can build one in seconds with SPF Creator or verify an existing record with SPF Record Check.
v=spf1 ip4:203.0.113.5 include:_spf.google.com -all
When a receiving server gets a message claiming to be from your domain, it checks the sending server's IP against your SPF record. If the IP is listed (directly or through an include), SPF passes. If not, it fails.
SPF is straightforward to implement. You identify your sending sources, list them in a single DNS record, and you are done. No server configuration changes, no key management.
SPF checks the envelope sender (Return-Path address), not the From header that users see in their inbox. This is an important distinction for DMARC alignment.
How DKIM Works
DKIM works differently. Instead of checking the sending server, it verifies the message itself. Your mail server signs each outgoing message with a private key, attaching the signature as a header. The receiving server retrieves your public key from DNS and verifies the signature.
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
The signature covers specific headers and the message body. If anything covered by the signature changes after sending, verification fails. This means DKIM can detect tampering — something SPF cannot do.
Key Generation and Management
DKIM requires generating an RSA or Ed25519 key pair. The private key stays on your mail server; the public key goes into DNS. Most email providers handle key generation and signing for you, but you still need to publish the DNS record and potentially rotate keys periodically. DKIM Creator can generate the key pair and DNS record for you.
Forwarding: The Critical Difference
This is where the two standards diverge most significantly.
SPF breaks on forwarding. When someone forwards your email, the forwarding server's IP is not in your SPF record. The final receiving server sees an unauthorized IP and SPF fails. This is not a bug — it is a fundamental limitation of IP-based authentication.
DKIM survives forwarding. The signature travels with the message. As long as the forwarding server does not modify the signed content, DKIM still passes at the final destination. The IP of the delivering server is irrelevant to DKIM.
DKIM does not always survive forwarding. Mailing lists that modify message bodies, add footers, or rewrite subject lines will break DKIM signatures. But for simple forwarding (one mailbox to another), DKIM holds up.
Monitor your SPF and DKIM
Track your SPF and DKIM records daily and get alerts when authentication breaks.
What Each Protects Against
SPF prevents unauthorized servers from sending as your domain. If an attacker tries to send email from their own server using your domain in the envelope sender, SPF will catch it. This stops the most common form of email spoofing.
DKIM prevents message modification. If someone intercepts a message in transit and changes the body or key headers, the DKIM signature will not verify. It also proves that your domain was genuinely involved in sending the message, since only your server has the private key.
Neither one alone stops all forms of spoofing. An attacker could:
- Pass SPF by sending through a server you have authorized (compromised account)
- Pass DKIM by signing with their own domain while spoofing your From header
This is exactly why DMARC exists — to check that SPF or DKIM aligns with the visible From domain. You can set up a DMARC policy with DMARC Creator.
Do You Need Both?
Yes. Here is why:
- SPF alone fails on forwarded email. A significant portion of legitimate email gets forwarded. Without DKIM, those forwarded messages have no authentication.
- DKIM alone does not restrict sending servers. DKIM proves a message was signed by your domain, but without SPF, anyone can attempt to send from any server.
- DMARC requires at least one. DMARC checks that SPF or DKIM passes with alignment. Having both gives you redundancy — if one fails (forwarding breaks SPF, mailing lists break DKIM), the other can still provide a passing result.
Implementation order matters
Start with SPF because it is the fastest to deploy — a single DNS record with no server changes. Then add DKIM through your email provider. Finally, layer DMARC on top to enforce alignment and get reporting.
Implementation Complexity
SPF is a single DNS TXT record. You list your sending IPs and include references to your providers' SPF records. The main challenge is knowing all your authorized senders and staying within the 10 DNS lookup limit.
DKIM requires more moving parts. You need to generate keys, configure your sending server or provider to sign messages, publish the public key in DNS, and eventually rotate keys. Most modern email providers simplify this significantly — Google Workspace, Microsoft 365, and major sending services handle signing automatically. You just add the DNS records they provide.
For most organizations, SPF takes five minutes and DKIM takes fifteen to thirty minutes, depending on how many sending services you use.
Bottom Line
SPF and DKIM are not an either/or choice. SPF verifies the sending server. DKIM verifies the message integrity. Together with DMARC, they form a complete authentication framework. Start with SPF because it is the quickest win, add DKIM for forwarding resilience and message integrity, then deploy DMARC to tie them together.
Related Articles
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring