SPF vs DKIM vs DMARC: Email Authentication Compared
Understand the differences between SPF, DKIM, and DMARC. Learn what each protocol does and why you need all three for complete email authentication.
Last updated: 2026-02-04
SPF, DKIM, and DMARC are three complementary email authentication protocols. Each solves a different problem, and you need all three for complete protection.
Quick Comparison
| Protocol | What It Does | Protects Against |
|---|---|---|
| SPF | Lists which servers can send email for your domain | Unauthorized senders using your domain |
| DKIM | Cryptographically signs emails to prove they weren't altered | Message tampering and forgery |
| DMARC | Tells receivers what to do when SPF/DKIM fail, and sends reports | Spoofing, with enforcement and visibility |
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists the IP addresses and servers allowed to send email for your domain.
How it works:
- You publish an SPF record listing your mail servers
- Receiving servers check if the sending IP matches your SPF record
- If it doesn't match, the email fails SPF
Example SPF record:
v=spf1 include:_spf.google.com ~all
Strengths:
- Easy to implement
- Validates the sending server
Weaknesses:
- Doesn't verify message content
- Breaks when emails are forwarded
- Only checks the envelope sender, not the From header
SPF checks the "envelope sender" (MAIL FROM), which is different from the "From" header that users see. Attackers can pass SPF while still spoofing the visible From address.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to emails, proving they came from your domain and weren't modified.
How it works:
- Your mail server signs each email with a private key
- The public key is published in DNS
- Receiving servers verify the signature using your public key
- If the signature is valid, the email passes DKIM
Example DKIM DNS record:
v=DKIM1; k=rsa; p=MIIBIjANBgkq...
Strengths:
- Cryptographic proof of message integrity
- Survives some forwarding scenarios
- Verifies the domain in the d= tag
Weaknesses:
- More complex to set up (requires key management)
- Mailing lists can break signatures by modifying content
- Doesn't specify what to do when verification fails
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC builds on SPF and DKIM by adding policy enforcement and reporting.
How it works:
- You publish a DMARC policy specifying what to do when authentication fails
- DMARC checks that either SPF or DKIM passes AND aligns with the From header
- Receiving servers follow your policy (none/quarantine/reject)
- You receive reports about authentication results
Example DMARC record:
v=DMARC1; p=reject; rua=mailto:reports@example.com
Strengths:
- Enforces authentication with clear policies
- Provides visibility through aggregate reports
- Addresses the alignment problem (From header vs envelope)
Weaknesses:
- Requires SPF and/or DKIM to be set up first
- Can cause legitimate emails to be rejected if misconfigured
- Doesn't work well with indirect mail flows
How They Work Together
Think of email authentication as layers:
| Layer | Protocol | Role |
|---|---|---|
| 1 | SPF | "Who's allowed to send?" |
| 2 | DKIM | "Is this message genuine?" |
| 3 | DMARC | "What do we do about failures?" |
DMARC alignment is key. For an email to pass DMARC:
- SPF alignment: The envelope sender domain matches the From header domain
- DKIM alignment: The d= domain in the DKIM signature matches the From header domain
At least one must pass and align.
When Each Fails
| Scenario | SPF | DKIM | DMARC |
|---|---|---|---|
| Email forwarded | Fails | Usually passes | Depends on alignment |
| Mailing list modifies body | Passes | Fails | Depends on alignment |
| Spoofed From header | May pass | May pass | Catches this |
| Unauthorized server | Fails | No signature | Fails |
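The alignment rules above, worked through in code. This is an added example, not part of the original article: a minimal DMARC evaluator that takes the SPF and DKIM results plus their identifier domains and returns whether the message passes and which disposition the policy yields. It approximates the organizational domain as the last two DNS labels (real verifiers use the Public Suffix List); the scenario inputs are constructed to mirror the table.

```python
# Added example (not from the original article): minimal DMARC alignment check.
# Assumption: organizational domain = last two labels (real verifiers use the PSL).
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (simplifying assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str       # domain in the visible From header
    spf_result: str        # "pass" / "fail" / "none"
    mail_from_domain: str  # envelope sender (MAIL FROM) domain that SPF checked
    dkim_result: str       # "pass" / "fail" / "none"
    dkim_d: str            # d= tag of the DKIM-Signature, "" if unsigned


def dmarc_evaluate(r: AuthResult, policy: dict) -> tuple:
    """Return (passed, disposition): DMARC passes when SPF or DKIM passes AND
    that passing identifier aligns with the From domain; else apply p=."""
    spf_ok = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, policy.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_d, r.from_domain, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else policy.get("p", "none"))


# Constructed scenarios mirroring the "When Each Fails" table.
POLICY = {"p": "reject", "aspf": "r", "adkim": "r"}
FORWARDED = AuthResult("example.com", "fail", "forwarder.net", "pass", "example.com")
LIST_MODIFIED = AuthResult("example.com", "pass", "lists.example.org", "fail", "example.com")
SPOOFED_FROM = AuthResult("example.com", "pass", "unrelated.test", "pass", "unrelated.test")
UNAUTHORIZED = AuthResult("example.com", "fail", "example.com", "none", "")
SUBDOMAIN_SPF = AuthResult("example.com", "pass", "mail.example.com", "none", "")

if __name__ == "__main__":
    for name, r in [("forwarded", FORWARDED), ("list", LIST_MODIFIED),
                    ("spoofed", SPOOFED_FROM), ("unauthorized", UNAUTHORIZED)]:
        print(f"{name}: pass={dmarc_evaluate(r, POLICY)[0]}")
```

The last scenario shows why aspf/adkim matter: a subdomain envelope sender aligns under the default relaxed mode but not under strict.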
Implementation Order
Start with SPF
Create an SPF record listing your mail servers. This is the quickest to implement.
Add DKIM
Generate DKIM keys and configure your mail server to sign outgoing emails. Add the public key to DNS.
Deploy DMARC (monitoring)
Start with p=none to collect reports without affecting delivery. Review the reports.
Enforce DMARC
Once you're confident in your setup, move to p=quarantine, then p=reject.
Don't skip to p=reject without monitoring first. Misconfigurations can cause legitimate emails to be rejected.
Summary
| Question | Answer |
|---|---|
| Do I need all three? | Yes, for complete protection |
| Which is most important? | DMARC (it coordinates the others) |
| Easiest to set up? | SPF |
| Best for message integrity? | DKIM |
| Provides visibility? | DMARC (reports) |