DKIM vs SPF: Understanding the Differences
Compare DKIM and SPF email authentication methods. Learn how they work differently, what each protects against, and why you need both.
Last updated: 2026-02-04
DKIM and SPF are both email authentication methods, but they solve different problems. Understanding the distinction helps you configure email security correctly.
Short answer: SPF validates the sending server. DKIM validates the message content. You need both.
Quick Comparison
| Aspect | SPF | DKIM |
|---|---|---|
| What it validates | Sending server IP address | Message content and headers |
| How it works | DNS list of authorized IPs | Cryptographic signature |
| Survives forwarding | No — breaks when forwarded | Yes — signature stays intact |
| Protects against | Unauthorized servers | Message tampering |
| DNS record type | TXT on domain root | TXT on selector._domainkey |
| Failure visibility | Immediate (envelope check) | After message received |
How SPF Works
SPF (Sender Policy Framework) tells receivers which servers can send email for your domain.
example.com TXT "v=spf1 include:_spf.google.com ~all"
When email arrives, the receiving server:
- Extracts the envelope sender domain
- Looks up that domain's SPF record
- Checks if the sending IP is authorized
- Passes or fails based on the result
SPF validates the path, not the message.
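The receiver-side steps above, as an added example that is not part of the original article: a small SPF evaluator in Python that handles the ip4, ip6, include and all mechanisms with their qualifiers, and a constructed DNS table in place of real lookups. The example.com record is the one shown above; the contents of the _spf.google.com record, the example.net record for Bob's domain and all IP addresses are made up for the demonstration (documentation ranges, not Google's real record). The `forwarding_scenario` function shows the point of the next sections: the same message passes when Alice's server connects and soft-fails when Bob's forwarding server does.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The example.com record is the one from the article; the other entries and
# all addresses are made-up values from the documentation ranges.
DEMO_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "example.net": "v=spf1 ip4:203.0.113.25 -all",   # Bob's domain, used in the forwarding case
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=DEMO_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` against the IP that connected.

    Supports the ip4, ip6, include and all mechanisms with the four qualifiers.
    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mechanism == "include":
            # include matches only when the referenced record yields pass
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"          # a, mx, exists and redirect= are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no all term


def forwarding_scenario():
    """Alice (example.com) mails Bob (example.net), whose server auto-forwards to Carol.
    Carol's receiver checks Alice's record against the IP that actually connected."""
    alice_server = "192.0.2.10"
    bob_server = "203.0.113.25"
    return {
        "direct": check_spf("example.com", alice_server),
        "forwarded": check_spf("example.com", bob_server),
    }


if __name__ == "__main__":
    print(forwarding_scenario())
```

The include mechanism only counts as a match when the included record returns pass; a fail or softfail inside an include simply moves on to the next term, which is why a permissive `~all` at the end of the top-level record decides most non-matching cases.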
How DKIM Works
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each email.
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector;
h=from:to:subject:date; bh=...; b=...
When email arrives, the receiving server:
- Extracts the DKIM-Signature header
- Looks up the public key in DNS
- Verifies the signature against message content
- Passes or fails based on cryptographic verification
DKIM validates the message itself.
The Forwarding Problem
Here's why the distinction matters:
Scenario: Alice sends email to Bob. Bob auto-forwards to Carol.
| Check | Result | Why |
|---|---|---|
| SPF | **Fails** | Bob's server (not Alice's) sends to Carol |
| DKIM | **Passes** | Signature survives forwarding |
SPF breaks on forwarding because the intermediary server isn't authorized for the original domain. DKIM survives because the signature is attached to the message.
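The DKIM verification steps from "How DKIM Works" and the forwarding case above, as an added example that is not part of the original article. The body-hash (bh=) computation, the simple body canonicalization, the relaxed header canonicalization and the bottom-up selection of h= headers are the real DKIM procedures from RFC 6376; the one substitution is the signature primitive, where an HMAC-SHA256 over a constructed shared key stands in for the RSA private/public key pair so the code runs on the standard library alone (the `a=hmac-sha256-demo` tag is made up to mark that). The message, the forwarder's Received header and the tampered variants are all constructed.

```python
import base64
import hashlib
import hmac
import re

# Constructed shared secret standing in for the RSA key pair so the example runs on
# the standard library alone. Real DKIM signs with an RSA (or Ed25519) private key and
# the verifier fetches the public key from selector._domainkey in DNS.
DEMO_KEY = b"constructed-demo-key"


def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalization (RFC 6376 3.4.3): CRLF line endings,
    trailing empty lines dropped, exactly one CRLF at the end."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def canonicalize_header_relaxed(name, value):
    """DKIM 'relaxed' header canonicalization (RFC 6376 3.4.2): lowercase name,
    unfold continuation lines, collapse runs of whitespace, trim both ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def headers_to_sign(headers, h_names):
    """Collect the fields named in h=, taking instances from the bottom of the header
    block upward (RFC 6376 5.4.2). A name with no instance left contributes nothing,
    which is how signers 'oversign' to block copies of a header added later."""
    remaining = list(headers)
    out = []
    for name in h_names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out.append(canonicalize_header_relaxed(*remaining.pop(i)))
                break
    return "".join(out)


def body_hash(body):
    digest = hashlib.sha256(canonicalize_body_simple(body).encode()).digest()
    return base64.b64encode(digest).decode()


def dkim_sign(headers, body, domain, selector, h_names, key=DEMO_KEY):
    """Build the DKIM-Signature header. a=hmac-sha256-demo is a made-up tag marking
    the HMAC stand-in; a real signature carries a=rsa-sha256 or a=ed25519-sha256."""
    unsigned = (f"v=1; a=hmac-sha256-demo; c=relaxed/simple; d={domain}; s={selector}; "
                f"h={':'.join(h_names)}; bh={body_hash(body)}; b=")
    # The signature header itself is hashed last, with b= empty and no trailing CRLF.
    data = headers_to_sign(headers, h_names) + canonicalize_header_relaxed(
        "DKIM-Signature", unsigned).rstrip("\r\n")
    tag = base64.b64encode(hmac.new(key, data.encode(), hashlib.sha256).digest()).decode()
    return ("DKIM-Signature", unsigned + tag)


def parse_tags(value):
    tags = {}
    for item in value.split(";"):
        k, sep, v = item.partition("=")
        if sep:
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_verify(headers, body, key=DEMO_KEY):
    """Receiver side: recompute bh= over the body, then the signature over the h= headers."""
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return "fail: no signature"
    tags = parse_tags(sig)
    if tags.get("bh") != body_hash(body):
        return "fail: body hash mismatch"
    unsigned = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig)     # blank out b= before hashing
    data = headers_to_sign(headers, tags.get("h", "").split(":")) + canonicalize_header_relaxed(
        "DKIM-Signature", unsigned).rstrip("\r\n")
    expected = hmac.new(key, data.encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, base64.b64decode(tags.get("b", ""))):
        return "pass"
    return "fail: signature mismatch"


def forwarding_demo():
    """Constructed message: Alice signs, Bob's server forwards it (prepending a Received
    header), Carol's receiver verifies. Also checks a rewritten Subject and an altered
    body. Returns the three verification results in that order."""
    headers = [
        ("From", "Alice <alice@example.com>"),
        ("To", "bob@example.net"),
        ("Subject", "Invoice for  March"),
        ("Date", "Wed, 04 Feb 2026 10:00:00 +0000"),
    ]
    body = "Hi Bob,\nthe invoice is attached.\n\n\n"
    sig = dkim_sign(headers, body, "example.com", "selector", ["from", "to", "subject", "date"])
    signed = [sig] + headers
    forwarded = [("Received", "from mail.example.net by mx.example.org")] + signed
    tampered = [(n, "Invoice for April" if n == "Subject" else v) for n, v in forwarded]
    return (dkim_verify(forwarded, body),
            dkim_verify(tampered, body),
            dkim_verify(forwarded, body + "PS: see the updated total.\n"))
```

The forwarded copy passes because the forwarder only prepended a header that is not in the h= list and left the signed headers and body untouched; the relaxed canonicalization also tolerates the whitespace and folding changes that relays commonly introduce. Either a rewritten Subject or an appended line in the body fails, since the first changes the data under the signature and the second changes the body hash.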
What Each Protects Against
SPF Prevents:
- Unauthorized servers sending as your domain
- Basic email spoofing from random IPs
- Compromised servers outside your infrastructure
DKIM Prevents:
- Message modification in transit
- Header tampering (From, Subject, etc.)
- Content changes by intermediate servers
Neither Prevents:
- Display name spoofing ("John Smith" <attacker@evil.com>)
- Look-alike domains (examp1e.com vs example.com)
- Social engineering attacks
Why You Need Both
Defense in depth
SPF catches unauthorized servers. DKIM catches message tampering. Together they cover more attack vectors.
DMARC requires both
DMARC (the policy layer) passes when either SPF or DKIM passes and aligns with the From domain. With both configured, a message still passes when one of them fails.
Forwarding resilience
When SPF fails due to forwarding, DKIM keeps the email authenticated. Without DKIM, forwarded emails might be rejected.
Configuration Comparison
SPF Setup
- Identify all servers that send email for your domain
- Create a TXT record listing authorized sources
- Choose a policy (~all for soft fail, -all for hard fail)
@ TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
DKIM Setup
- Generate a key pair (public and private)
- Configure your mail server with the private key
- Publish the public key in DNS
selector._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIj..."
Failure Scenarios
| Scenario | SPF Result | DKIM Result |
|---|---|---|
| Legitimate email, direct delivery | Pass | Pass |
| Legitimate email, forwarded | Fail | Pass |
| Spoofed email, unauthorized server | Fail | Fail (no signature) |
| Spoofed email, authorized server compromised | Pass | Fail (wrong key) |
| Message modified in transit | Pass | Fail |
DMARC: The Policy Layer
DMARC ties SPF and DKIM together with a policy:
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC passes if:
- SPF passes AND aligns with From domain, OR
- DKIM passes AND aligns with From domain
This is why configuring both SPF and DKIM gives you the best deliverability—if one fails, the other can still pass DMARC.
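The DMARC pass rule above, as an added example that is not part of the original article: a Python evaluator that parses a DMARC record, applies identifier alignment for SPF and DKIM, and returns the policy action. It goes a little beyond the text by also handling the adkim/aspf alignment tags (relaxed versus strict), because alignment, not a bare pass, is what DMARC counts. The example.com record is the one shown above; the quarantine record with adkim=s, the bulkmailer.test domain, and the scenario inputs are constructed. The organizational-domain helper uses a two-label simplification rather than the Public Suffix List that real implementations consult.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict. adkim/aspf default to relaxed ("r")
    as RFC 7489 specifies; v=DMARC1 and p= are mandatory."""
    tags = {"adkim": "r", "aspf": "r"}
    for item in record.split(";"):
        k, sep, v = item.partition("=")
        if sep:
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: the last two labels. Real evaluators
    consult the Public Suffix List so that mail.example.co.uk maps to example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r") only
    a shared organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action). spf_domain is the envelope MAIL FROM domain that
    SPF was evaluated for; dkim_domain is the d= of a signature that verified."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", tags["p"])


RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"   # the record shown above
STRICT_RECORD = "v=DMARC1; p=quarantine; adkim=s"                # constructed variant


def scenarios():
    """Constructed cases for mail whose From: header is @example.com."""
    return {
        "direct delivery": evaluate_dmarc(RECORD, "example.com", "pass", "example.com", "pass", "example.com"),
        "forwarded": evaluate_dmarc(RECORD, "example.com", "fail", "example.com", "pass", "example.com"),
        "spoofed, unsigned": evaluate_dmarc(RECORD, "example.com", "fail", "example.com", "fail", None),
        "third party, unaligned": evaluate_dmarc(RECORD, "example.com", "pass", "bulkmailer.test", "pass", "bulkmailer.test"),
        "subdomain key, relaxed": evaluate_dmarc(RECORD, "example.com", "fail", "example.com", "pass", "mail.example.com"),
        "subdomain key, strict": evaluate_dmarc(STRICT_RECORD, "example.com", "fail", "example.com", "pass", "mail.example.com"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

The "third party, unaligned" case is the one that catches people out: SPF and DKIM both pass for the bulk mailer's own domain, yet DMARC fails because neither identifier aligns with the From domain, so a bulk sender must sign with a key under your domain (or use an envelope sender under it) for the message to pass.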
Common Misconceptions
"SPF is enough" No. SPF breaks on forwarding and doesn't protect message content. Many forwarded emails would fail authentication without DKIM.
"DKIM is enough" No. DKIM doesn't prevent unauthorized servers from attempting to send (unsigned) email. SPF blocks them at the server level.
"They do the same thing" No. They complement each other. SPF validates the sending infrastructure. DKIM validates the message integrity.
Summary
| Question | SPF | DKIM |
|---|---|---|
| Is the sending server authorized? | Yes | No |
| Is the message unmodified? | No | Yes |
| Does it survive forwarding? | No | Yes |
| Requires key management? | No | Yes |
| DNS record location | Domain root | selector._domainkey |
Both SPF and DKIM are essential parts of email authentication. Implement both, add DMARC on top, and your emails will have the best chance of reaching inboxes.