SPF vs DKIM vs DMARC: Email Authentication Compared
A clear comparison of SPF, DKIM, and DMARC — what each does, how they work together, and which to implement first.
SPF, DKIM, and DMARC are the three pillars of email authentication. Each solves a different problem, and you need all three for proper email security. But they are not interchangeable — they work at different layers, catch different attacks, and fail in different ways.
Here is how they compare.
The Comparison
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| What it checks | Sending server IP | Message signature | Alignment of both |
| Published as | DNS TXT record | DNS TXT record | DNS TXT record |
| Protects against | Unauthorized servers | Message tampering | Domain spoofing |
| Survives forwarding | No | Yes | Depends on alignment |
| Implementation effort | Low | Medium | Medium |
| Requires the others | No | No | Yes (SPF or DKIM) |
| Start here | Yes | Second | Third |
How SPF Works
SPF (Sender Policy Framework) lets you declare which mail servers are authorized to send email on behalf of your domain. You publish a TXT record listing IP addresses and include: references to other domains' SPF records, and receiving servers check the connecting server's IP against that list. You can generate one quickly with SPF Creator or verify an existing record with SPF Record Check.
v=spf1 include:_spf.google.com include:sendgrid.net -all
When a server receives an email claiming to be from your domain, it looks up your SPF record and checks whether the sending server's IP is authorized. If it is not, the message fails SPF.
SPF checks the envelope sender (Return-Path), not the From header that users see. This distinction matters for DMARC alignment.
When SPF Fails
SPF breaks when email is forwarded. If someone at company.com forwards your email to their personal inbox, the forwarding server's IP is not in your SPF record. The message fails SPF at the final destination. This is the single biggest limitation of SPF on its own.
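The following is an added example, not code from this article or from any of the tools it mentions: a simplified SPF evaluator that walks the record shown above (ip4, include and all mechanisms only) against a constructed, in-memory DNS zone using documentation IP ranges, and shows the forwarding failure described here. The included domains' records and all IP addresses are hypothetical.

```python
import ipaddress

# Constructed DNS zone for the example (not real records): the article's SPF record
# for example.com plus hypothetical records for the two included domains, using
# documentation IP ranges so nothing here points at a real network.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sending_ip, lookups=None):
    """Simplified SPF check (ip4, include, all). Returns pass, fail, softfail,
    neutral, none or permerror. `lookups` counts DNS-querying mechanisms across
    the recursion, because RFC 7208 caps them at 10 per evaluation."""
    lookups = lookups if lookups is not None else [0]
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith("ip4:"):
            if addr in ipaddress.ip_network(mechanism[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror"
            # include: matches only if the referenced record evaluates to "pass";
            # its own softfail/fail/neutral results do not propagate upward.
            if check_spf(mechanism[8:], sending_ip, lookups) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    # Sent directly from an authorized (SendGrid-range) IP: pass. The same message
    # relayed by a forwarder at 203.0.113.7 hits -all and fails: the forwarding gap.
    print(check_spf("example.com", "198.51.100.5"))  # pass
    print(check_spf("example.com", "203.0.113.7"))   # fail
```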
How DKIM Works
DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to each outgoing message. The sending server signs parts of the message with a private key, and the receiving server verifies the signature using a public key published in DNS. You can generate your DKIM keys with DKIM Creator.
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGf..."
Because the signature travels with the message, DKIM survives forwarding. As long as the signed headers and body are not modified in transit, the signature remains valid regardless of which server delivers it.
When DKIM Fails
DKIM fails when intermediary servers modify the message — adding footers, rewriting URLs, or changing headers. Mailing list software is a common culprit. Some lists strip or break DKIM signatures by altering the message body.
How DMARC Works
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. It checks that at least one of them passes and aligns with the From header domain that the recipient sees.
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
DMARC adds two things that SPF and DKIM lack on their own: a policy telling receivers what to do with failures (none, quarantine, or reject), and a reporting mechanism that sends you data about authentication results. You can set up your DMARC policy with DMARC Creator.
How They Work Together
Think of it as layers:
- SPF verifies the sending server is authorized (IP-based check)
- DKIM verifies the message has not been tampered with (signature-based check)
- DMARC verifies that at least one of the above aligns with the visible From domain, and tells receivers what to do on failure
A message can pass SPF but fail DKIM, or pass DKIM but fail SPF. DMARC only requires one to pass with alignment. This is what makes the combination resilient — DKIM covers the forwarding gap that SPF cannot handle, and SPF provides a check even when DKIM signatures break.
Alignment Explained
Alignment is the concept that makes DMARC more than just "check SPF and DKIM." It means the domain in the From header must match the domain used in the SPF or DKIM check.
- SPF alignment: The Return-Path domain matches the From header domain
- DKIM alignment: The d= domain in the DKIM signature matches the From header domain
Without alignment, an attacker could set up valid SPF and DKIM for their own domain while spoofing yours in the From header. DMARC closes that gap.
Many third-party senders (marketing tools, CRMs) send with their own Return-Path domain. This breaks SPF alignment. Make sure your providers support custom Return-Path domains or DKIM signing with your domain.
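To make alignment concrete, here is an added example (not code from this article or from any tool it mentions) that parses a DMARC record like the one above and evaluates a message's SPF and DKIM identifiers against the visible From domain. It goes beyond the text by also honouring the adkim and aspf tags, which select strict or relaxed (organizational-domain) alignment; the organizational-domain helper is a deliberate simplification, and every domain used is constructed.

```python
# Added example: a minimal DMARC evaluator. parse_dmarc handles the tags used in
# this article (v, p, rua) plus adkim/aspf; org_domain is a simplification (last
# two labels) where real receivers consult the Public Suffix List.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")  # RFC 7489 default: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, return_path_domain,
                   dkim_result, dkim_d_domain):
    """Return (passed, disposition): 'deliver' on pass, otherwise the p= policy."""
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(return_path_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_d_domain, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "deliver"
    return False, tags["p"]


if __name__ == "__main__":
    REC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # Forwarded mail: SPF fails at the forwarder, but aligned DKIM still carries DMARC.
    print(evaluate_dmarc(REC, "example.com", "fail", "forwarder.example", "pass", "example.com"))
    # Third-party sender using its own Return-Path and DKIM domain: nothing aligns.
    print(evaluate_dmarc(REC, "example.com", "pass", "bounce.crm.example", "pass", "crm.example"))
```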
Which to Implement First
Start with SPF
SPF is the easiest to implement. You create a single DNS TXT record listing your authorized senders. No key generation, no server configuration changes. Most domains can have a working SPF record in under five minutes.
Add DKIM
DKIM requires generating a key pair and configuring your mail server or provider to sign outgoing messages. Most email providers (Google Workspace, Microsoft 365, SendGrid) handle signing for you — you just need to publish the public key in DNS.
Deploy DMARC
Once SPF and DKIM are in place, publish a DMARC record starting with p=none to collect reports without affecting delivery. Monitor the reports, fix any authentication gaps, then gradually move to p=quarantine and finally p=reject.
Do not skip to DMARC enforcement
Publishing a DMARC reject policy before SPF and DKIM are properly configured will cause legitimate email to be rejected. Always start with p=none and use the reporting data to verify your setup.
Bottom Line
SPF, DKIM, and DMARC are not competing standards — they are complementary layers. SPF is the foundation because it is the fastest to deploy and immediately tells receivers which servers you authorize. DKIM adds message integrity that survives forwarding. DMARC ties them together with alignment checks and gives you visibility through reports.
Start with SPF. It takes minutes, not hours.