DKIM vs DMARC — What's the Difference and Do You Need Both?
Learn the difference between DKIM and DMARC, how they work together, and why using only one leaves gaps in your email security. A practical guide for business owners.
Last updated: 2026-01-28
DKIM and DMARC both protect your domain's email, but they do very different things. DKIM is a signing mechanism — it proves a message is authentic and unaltered. DMARC is a policy layer — it tells receiving servers what to do when authentication fails, and it sends you reports about what is happening. For a broader overview, see what is DMARC.
Mixing them up is easy because they often appear in the same conversations. This guide breaks down what each one does, how they interact, and why you need both.
What DKIM Does on Its Own
DKIM stands for DomainKeys Identified Mail. It works by attaching a cryptographic signature to every outgoing email. Here is the simplified process:
- Your mail server signs each outgoing message using a private key that only you control.
- A corresponding public key is published as a DNS TXT record under a selector subdomain, like selector1._domainkey.yourdomain.com.
- The receiving mail server retrieves that public key and uses it to verify the signature on the incoming message.
If the signature checks out, DKIM passes. If the message content was altered in transit — even a single character — the signature breaks and DKIM fails.
DKIM is valuable because it proves two things: that the message was sent by someone with access to the private key, and that the message was not tampered with between sending and delivery. Unlike SPF, DKIM survives email forwarding because the signature is embedded in the message headers, not tied to the sending server's IP address.
But DKIM has limits. On its own, it does not tell anyone what to do when a signature fails. A message with a broken DKIM signature is just flagged as unsigned — the receiving server might deliver it anyway. There is also no requirement that the DKIM signing domain match the "From" address the recipient sees. You could sign an email with one domain and display a completely different domain in the "From" header, and DKIM alone would not flag that mismatch.
You can generate DKIM keys for your domain at dkimcreator.com.
What DMARC Adds
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Where DKIM is an authentication mechanism, DMARC is a policy and reporting framework built on top of authentication.
DMARC does three things that DKIM cannot do alone:
It enforces alignment. DMARC checks whether the domain used in the DKIM signature (the d= tag) matches the domain in the visible "From" header. This is called DKIM alignment. Without it, a spammer could sign messages with their own DKIM key on their own domain while impersonating your address in the "From" field. The DKIM check would pass — it was validly signed — but the recipient still sees your domain. DMARC catches this because the signing domain does not align with the "From" domain.
It provides a policy. You publish a DMARC record that tells receiving servers how to handle messages that fail authentication: deliver them anyway (p=none), send them to spam (p=quarantine), or block them entirely (p=reject). Without DMARC, there is no standardized way to tell the world "block emails that fail DKIM if they claim to come from my domain."
It sends reports. When you include a rua address in your DMARC record, mail providers send you aggregate reports showing every source that tried to send email as your domain. You can see which messages passed DKIM, which failed, and which IP addresses were responsible. This visibility is essential for finding misconfigured services, rogue senders, and active spoofing campaigns.
How DKIM Alignment Works in DMARC
DMARC alignment is the key concept that connects these two protocols. When a message arrives and the receiving server evaluates DMARC, it checks:
- Did DKIM pass? (Is the signature valid?)
- Does the DKIM signing domain (the d= value) match the domain in the "From" header?
If both answers are yes, DMARC passes on the DKIM side. This is what makes DMARC effective against spoofing. It is not enough for a message to be signed — it must be signed by the right domain.
DMARC supports two alignment modes for DKIM:
- Relaxed alignment (default): The organizational domains must match. So a message from news@marketing.yourdomain.com signed with d=yourdomain.com passes because the root domains match.
- Strict alignment: The exact domains must match. A message from yourdomain.com must be signed with d=yourdomain.com, not a subdomain.
Most organizations use relaxed alignment because it accommodates common setups where subdomains send email signed by the parent domain.
DMARC passes if either SPF or DKIM passes with alignment. Having both configured gives you a safety net — if DKIM fails for any reason, SPF alignment can still save the message (and vice versa).
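To make the policy and alignment rules above concrete, here is an added example (not code from this page or from any DMARC implementation) that parses a DMARC record, extracts the d= tag from a DKIM-Signature header, and decides pass/fail and disposition. It assumes a simplified organizational-domain rule (last two labels) where a real evaluator would consult the Public Suffix List; all domains and record values are constructed.

```python
import re
from typing import Optional, Tuple

def org_domain(domain: str) -> str:
    """Organizational domain, simplified: assumption is the last two labels.
    Real DMARC evaluators use the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: 'r' (relaxed) compares organizational
    domains, 's' (strict) requires an exact match."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (p, adkim, aspf, rua...)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dkim_signing_domain(dkim_header: str) -> Optional[str]:
    """Pull the d= tag (signing domain) out of a DKIM-Signature header value."""
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", dkim_header)
    return match.group(1) if match else None

def evaluate(record: str, from_domain: str, dkim_pass: bool, dkim_d: str,
             spf_pass: bool, spf_domain: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). DMARC passes when either
    authenticated identifier aligns with the From domain; otherwise the
    p= policy applies (default 'none' if the record omits it)."""
    tags = parse_dmarc(record)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

if __name__ == "__main__":
    # Constructed case: validly signed by another domain, From shows ours.
    hdr = "v=1; a=rsa-sha256; d=attacker.example; s=sel1; h=from:to; bh=x; b=y"
    d = dkim_signing_domain(hdr)
    print(evaluate("v=DMARC1; p=reject", "yourdomain.com", True, d, False, d))
```

The last case is the spoofing scenario from the text: DKIM itself passes, but the signing domain does not align, so DMARC fails and p=reject applies.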
Side-by-Side Comparison
| Feature | DKIM | DMARC |
|---|---|---|
| Purpose | Message authentication and integrity | Policy enforcement, alignment, and reporting |
| What it checks | Cryptographic signature on the message | Whether SPF/DKIM passes and aligns with From header |
| DNS record location | selector._domainkey.domain.com | _dmarc.domain.com |
| Provides a policy | No | Yes (none, quarantine, reject) |
| Sends reports | No | Yes (aggregate and forensic) |
| Survives forwarding | Yes | Yes (when DKIM passes) |
| Prevents From header spoofing | No | Yes (via alignment) |
| Works alone | Partially — no enforcement | No — requires SPF or DKIM |
Why DKIM Without DMARC Leaves Gaps
If you set up DKIM but skip DMARC, you have authentication without enforcement. Here is what that means in practice:
No policy for failed messages. When DKIM fails on a message sent as your domain, the receiving server decides on its own what to do. Some will deliver it anyway. You have no say in the matter.
No alignment requirement. A bad actor can sign messages with their own DKIM keys and put your domain in the "From" header. DKIM passes because their signature is valid, but the recipient sees your domain. Without DMARC's alignment check, nothing catches this.
No visibility. You have no idea who is trying to send email as your domain, whether your legitimate messages are passing DKIM, or whether anyone is spoofing you. DMARC reports are the only standardized way to get this data.
Why DMARC Without DKIM Is Fragile
DMARC works with either SPF or DKIM, so technically you can have DMARC without DKIM. But this makes your setup fragile for one major reason: SPF breaks when email is forwarded.
When someone forwards your email — whether through a mailing list, an office redirect, or a personal forwarding rule — the forwarding server's IP address is not in your SPF record. SPF fails. If DKIM is not there to provide a passing check, DMARC fails too. Your legitimate forwarded email gets quarantined or rejected, depending on your policy.
DKIM survives forwarding because the signature travels with the message. It does not depend on which server is relaying the email. That makes DKIM the more reliable leg of the two authentication methods under DMARC.
Running DMARC with only SPF (no DKIM) means any forwarded email from your domain will likely fail DMARC. This can silently break mail delivery for recipients who use forwarding rules.
The Bottom Line
DKIM authenticates individual messages. DMARC tells the world what to do when authentication fails and gives you reports about it. Neither one fully protects your domain on its own.
Set up DKIM first to get message-level authentication in place. Then publish a DMARC record to add enforcement, alignment, and reporting — our guide on how to create a DMARC record walks you through the process. Start with p=none to collect reports, and move to quarantine and reject as you gain confidence in your setup. If you manage your own mail server, our DMARC for self-hosted email page covers the specifics.
You can generate DKIM keys at dkimcreator.com and verify your DMARC record at dmarcrecordchecker.com.