SPF vs DKIM vs DMARC — What Each Does and Why You Need All Three

Understand the differences between SPF, DKIM, and DMARC. Learn what each protocol does, how they work together, and why all three are essential for email security.

Last updated: 2026-01-28

If you have looked into email authentication, you have probably run into three acronyms: SPF, DKIM, and DMARC. They sound interchangeable, but they are not. Each one solves a different piece of the email security puzzle, and leaving any one of them out creates a gap that attackers and spam filters can exploit.

This guide explains what each protocol does in plain language, shows you how they work together, and clears up the most common misconceptions. If you are new to email authentication, our complete email authentication guide is a good companion to this comparison.

What SPF Does

SPF stands for Sender Policy Framework. It is a DNS TXT record that lists the IP addresses and servers authorized to send email on behalf of your domain.

When a receiving mail server gets a message claiming to be from yourcompany.com, it checks your SPF record to see if the sending server's IP address is on the approved list. If the IP is listed, SPF passes. If it is not, SPF fails.

Here is what SPF does well:

  • It verifies that the sending server is authorized by your domain
  • It is relatively simple to set up — one TXT record in your DNS
  • It catches messages sent from unauthorized servers

And here is what SPF does not do:

  • It does not check the "From" header that your recipients actually see. SPF checks the envelope sender (the Return-Path), which is a behind-the-scenes address most people never look at.
  • It does not survive forwarding. When someone forwards your email, the forwarding server's IP is not in your SPF record, so the check fails.
  • It does not prevent tampering. There is no way to know if the message content was changed after it left the sending server.

SPF is a good start, but it has blind spots. You can create an SPF record at spfcreator.com.
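The check described above, as an added example that is not part of the original article: an offline SPF evaluator that walks the record's mechanisms in order and returns the result the qualifier dictates. The DNS answers are a constructed dictionary standing in for live TXT lookups, the domains (yourcompany.com, _spf.mailvendor.example) and addresses are hypothetical, and only the ip4, ip6, include and all mechanisms are implemented, since a, mx, exists and ptr need real DNS. The last test case reproduces the forwarding blind spot: a forwarding server's IP is simply not in the list, so the -all term fires.

```python
import ipaddress

# Constructed DNS answers that stand in for live TXT lookups. The domains are
# hypothetical; the addresses come from the RFC 5737/3849 documentation ranges.
FAKE_DNS_TXT = {
    "yourcompany.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 "
                       "include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip6:2001:db8:beef::/48 ip4:198.51.100.0/24 ~all",
}

# The qualifier in front of a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the v=spf1 record published for a domain, or None if there is none."""
    record = dns.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, mail_from_domain, dns=FAKE_DNS_TXT, _depth=0):
    """Evaluate SPF for the connecting IP against the MAIL FROM (Return-Path) domain.

    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror".
    Supports ip4, ip6, include and all; a/mx/exists/ptr need live DNS and are
    left out of this offline example.
    """
    if _depth > 10:
        # Guards against include loops. RFC 7208 actually limits the total number
        # of DNS-querying mechanisms to 10; this depth cap is a simplification.
        return "permerror"
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # "include" matches only when the referenced record itself yields pass;
            # its own -all/~all never decides the result for the outer domain.
            inner = check_spf(sender_ip, arg, dns, _depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 s5.2: missing or broken included record
            matched = inner == "pass"
        elif mech == "all":
            matched = True
        else:
            raise NotImplementedError(f"mechanism {mech!r} needs live DNS")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term: treated like neutral


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "2001:db8:beef:1::5", "192.0.2.44"):
        print(f"{ip:20s} yourcompany.com -> {check_spf(ip, 'yourcompany.com')}")
```

Because include: only ever contributes a match, the vendor's ~all does not soften your own -all; that is why the forwarder IP 192.0.2.44 ends in a hard fail rather than a softfail.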

What DKIM Does

DKIM stands for DomainKeys Identified Mail. Instead of checking IP addresses, DKIM adds a cryptographic signature to every email you send.

When your mail server sends a message, it signs it with a private key. The corresponding public key is published as a DNS record. The receiving server retrieves that public key and uses it to verify the signature. If the signature matches, DKIM passes. If someone altered the message in transit, the signature breaks and DKIM fails.

Here is what DKIM does well:

  • It proves that the email content was not tampered with after sending
  • It survives forwarding, because the signature is attached to the message itself, not the sending server's IP
  • It ties the message to a specific domain through the signing key

And here is what DKIM does not do:

  • It does not tell receivers what to do with messages that fail. A failed DKIM check is just one data point — there is no policy enforcement.
  • It does not verify the sender's IP address. A compromised account on an authorized server could still sign messages.
  • It does not require alignment with the visible "From" header on its own.

You can generate DKIM keys at dkimcreator.com.
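The tamper-detection step, as an added example that is not part of the original article: the first thing a DKIM verifier does is canonicalize the received body, hash it, and compare the result with the bh= tag in the DKIM-Signature header. Only that body-hash step is shown; the RSA check over the signed headers (the b= tag) is assumed to follow and is not implemented, so the signer stand-in below writes a placeholder b= value. The message, domain (yourcompany.com) and selector (mail2026) are constructed. The test cases show that editing the content breaks the hash, while the trailing blank lines and trailing spaces a forwarder may add do not under relaxed canonicalization.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="simple"):
    """Body canonicalization per RFC 6376 s3.4.3/3.4.4.

    simple:  normalize line endings to CRLF and collapse trailing empty lines to one CRLF.
    relaxed: additionally strip trailing whitespace on each line and reduce runs of
             spaces/tabs inside a line to a single space (an empty body hashes as "").
    """
    body = body.replace("\r\n", "\n")
    if mode == "relaxed":
        body = "\n".join(re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\n"))
    body = body.rstrip("\n")  # drop trailing empty lines
    if not body and mode == "relaxed":
        return ""
    return body.replace("\n", "\r\n") + "\r\n"


def body_hash(body, mode="simple"):
    """The value a signer puts in the bh= tag: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value):
    """Split a tag list (k=v; k=v) into a dict; whitespace inside values is insignificant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def verify_body_hash(raw_message):
    """Recompute bh= from the received body and compare with the signature's claim.

    Returns True/False, or None when the message carries no DKIM-Signature.
    The RSA check over the signed headers (the b= tag) is the next step a real
    verifier performs and is not covered here.
    """
    head, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    unfolded = re.sub(r"\n[ \t]+", " ", head)  # join folded header lines
    for line in unfolded.split("\n"):
        if line.lower().startswith("dkim-signature:"):
            tags = parse_tags(line.split(":", 1)[1])
            break
    else:
        return None
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_mode) == tags.get("bh")


def sign_body_only(headers, body, domain, selector, mode="relaxed"):
    """Constructed signer stand-in: emits a DKIM-Signature with a real bh= but a
    placeholder b=, since this example only exercises the body-hash step."""
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/{mode}; d={domain}; s={selector};\r\n"
           f" h=from:to:subject; bh={body_hash(body, mode)}; b=PLACEHOLDER")
    return headers.rstrip("\r\n") + "\r\n" + sig + "\r\n\r\n" + body


# Constructed sample message (hypothetical domain, selector and addresses).
HEADERS = "From: billing@yourcompany.com\r\nTo: customer@example.net\r\nSubject: Invoice 1042"
BODY = "Hello,\r\n\r\nPlease pay invoice 1042 to account 12345.\r\n\r\n\r\n"
SIGNED = sign_body_only(HEADERS, BODY, "yourcompany.com", "mail2026")

# Changing content breaks the hash; a forwarder adding trailing blank lines or
# trailing spaces on a line (tolerated by relaxed canonicalization) does not.
TAMPERED = SIGNED.replace("account 12345", "account 99999")
FORWARDED = SIGNED.replace("Hello,\r\n", "Hello,  \r\n") + "\r\n\r\n"

if __name__ == "__main__":
    print("original :", verify_body_hash(SIGNED))     # True
    print("tampered :", verify_body_hash(TAMPERED))   # False
    print("forwarded:", verify_body_hash(FORWARDED))  # True
```

The same trailing-space change does break a signature made with c=relaxed/simple, which is one reason most signers choose relaxed body canonicalization: it tolerates the whitespace mangling forwarders and mailing lists introduce without tolerating content changes.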

What DMARC Does

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is the layer that ties SPF and DKIM together and adds two things neither of them provides: a policy and reporting.

DMARC checks whether a message passes SPF or DKIM and whether the domain used in those checks aligns with the "From" header the recipient sees. This alignment requirement is critical. Without it, a spammer could pass SPF using their own domain's servers while spoofing your address in the "From" field.

Here is what DMARC adds:

  • Policy enforcement. You tell receiving servers what to do when authentication fails: deliver normally (none), send to spam (quarantine), or block entirely (reject).
  • Alignment checking. The domain in the SPF or DKIM check must match the domain in the visible "From" header. Our guide on DMARC alignment explained covers how relaxed and strict alignment work in detail.
  • Reporting. Mail providers send you aggregate reports showing every source attempting to send email as your domain, whether those messages passed or failed, and which authentication methods were used.

DMARC does not work on its own. It depends on having at least one of SPF or DKIM in place. Best practice is to configure both before publishing your DMARC record. If you are ready to get started, follow our step-by-step walkthrough on how to set up DMARC.

To pass DMARC, at least one of SPF or DKIM must both pass and align with the "From" domain. Having both in place gives you redundancy: if one fails (as SPF does when a message is forwarded), the other can still carry the DMARC pass.

Side-by-Side Comparison

Feature             | SPF                                  | DKIM                              | DMARC
--------------------|--------------------------------------|-----------------------------------|---------------------------------------
What it verifies    | Sending server IP                    | Message integrity via signature   | SPF/DKIM alignment with From domain
What it prevents    | Unauthorized servers sending as you  | Message tampering in transit      | Domain spoofing in the From header
DNS record type     | TXT record on domain                 | TXT record on selector subdomain  | TXT record on _dmarc subdomain
Survives forwarding | No                                   | Yes                               | Yes (if DKIM passes)
Provides a policy   | No                                   | No                                | Yes (none, quarantine, reject)
Sends reports       | No                                   | No                                | Yes (aggregate and forensic)
Works alone         | Partially                            | Partially                         | No — requires SPF or DKIM

Why You Need All Three

It is tempting to think one protocol is enough. It is not. Here is why each combination falls short without the full set.

SPF alone verifies the sending server but does not check the "From" header. A spammer can set up their own server, pass SPF on their own domain, and put your address in the "From" field. Recipients see your name, but SPF never catches it. And SPF breaks when emails are forwarded.

DKIM alone proves the message was not tampered with, but there is no policy. If a message fails DKIM, the receiving server has no instructions on what to do with it. It might deliver it anyway. And without alignment checking, a signed message from one domain can still appear to come from another.

SPF + DKIM without DMARC gives you authentication but no enforcement and no visibility. You have no way to tell receiving servers to block spoofed messages, and you have no reports showing you who is attempting to impersonate your domain. You are flying blind.

DMARC ties everything together. It enforces alignment so the "From" header must match an authenticated domain. It lets you set a policy so failed messages are quarantined or rejected. And it gives you reports so you can see exactly what is happening with email sent as your domain.

The forwarding problem

SPF fails when email is forwarded because the forwarding server's IP is not in your SPF record. DKIM survives forwarding because the signature travels with the message. This is why having both SPF and DKIM matters — DKIM acts as a safety net when SPF breaks during forwarding, and DMARC still passes as long as one of them succeeds with alignment.
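The alignment and policy logic from the DMARC section, the spoofing scenario under "Why You Need All Three" and the forwarding case just described, worked through as one added example that is not part of the original article. It parses a constructed v=DMARC1 record for the hypothetical domain yourcompany.com, applies relaxed or strict alignment to whatever SPF and DKIM produced, and returns the disposition (p= for the domain itself, sp= for subdomains). Two simplifications are assumptions of this example and not how a receiver really works: the organizational domain is taken as the last two labels (real receivers consult the Public Suffix List), and the pct= sampling tag and the DNS lookup of the record are left out.

```python
def parse_dmarc(record):
    """Parse a v=DMARC1 TXT record into tag -> value, filling in the RFC 7489
    defaults for adkim/aspf (relaxed) and sp (falls back to p)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])
    return tags


def organizational_domain(domain):
    """Simplification: the last two labels. Real receivers use the Public Suffix
    List, so that e.g. mail.example.co.uk maps to example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment: same organizational domain. Strict ('s'): exact match."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_results):
    """Combine the SPF and DKIM outcomes into a DMARC result and disposition.

    spf_result/spf_domain: the SPF verdict and the MAIL FROM domain it was run against.
    dkim_results: list of (verdict, d= domain) pairs, one per signature found.
    Returns (dmarc_result, disposition) with disposition one of none/quarantine/reject.
    """
    policy = parse_dmarc(record)
    spf_aligned_pass = (spf_result == "pass" and spf_domain is not None
                        and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_aligned_pass = any(v == "pass" and aligned(d, from_domain, policy["adkim"])
                            for v, d in dkim_results)
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass", "none"
    # On failure, p= governs the organizational domain itself and sp= its subdomains.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    return "fail", (policy["sp"] if is_subdomain else policy["p"])


# Constructed policy record for a hypothetical domain (would live at _dmarc.yourcompany.com).
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@yourcompany.com"

# Each scenario: (From domain, SPF result, SPF domain, DKIM results). All constructed.
SCENARIOS = {
    # legitimate mail: SPF passes on a bounce subdomain (relaxed aspf aligns it), DKIM passes
    "legitimate": ("yourcompany.com", "pass", "bounce.yourcompany.com", [("pass", "yourcompany.com")]),
    # someone passes SPF for their own domain but puts your address in the visible From
    "spoofed_from": ("yourcompany.com", "pass", "spammer.example", []),
    # forwarded mail: SPF fails at the forwarder, the DKIM signature still verifies
    "forwarded": ("yourcompany.com", "fail", "yourcompany.com", [("pass", "yourcompany.com")]),
    # signed with a subdomain key while adkim=s demands an exact match
    "strict_dkim_mismatch": ("yourcompany.com", "fail", "yourcompany.com", [("pass", "mail.yourcompany.com")]),
    # unauthenticated mail claiming a subdomain falls under sp=
    "subdomain_unauth": ("news.yourcompany.com", "none", None, []),
}


def run_scenarios(record=RECORD):
    """Evaluate every scenario against a record; returns name -> (result, disposition)."""
    return {name: evaluate_dmarc(record, *args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

Re-running the scenarios with adkim=r in place of adkim=s turns the strict_dkim_mismatch case into a pass, which is the practical trade-off the alignment mode controls: strict mode rejects signatures from any subdomain key, relaxed mode accepts them as long as the organizational domain matches.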

Common Misconceptions

"SPF is enough for deliverability." Google, Yahoo, and Microsoft all look at SPF, DKIM, and DMARC together. Since February 2024, Google and Yahoo require DMARC for bulk senders. Having only SPF leaves your emails at a disadvantage in spam filtering.

"DKIM replaces SPF." They check different things. SPF verifies the sender, DKIM verifies the message. Neither replaces the other, and DMARC needs at least one of them to function.

"DMARC is only for large enterprises." If you own a domain and send email from it — even just a handful of messages per day — DMARC protects you from spoofing and improves your deliverability. It is free to set up and takes five minutes. Developers in particular benefit from adding DMARC early, before their sending infrastructure grows complex.

"I set up DMARC once, so I am done." Email infrastructure changes. You add new marketing tools, switch CRM providers, or onboard a new transactional email service. Each change can break your authentication. Ongoing monitoring is how you catch problems before they affect your deliverability. See our DMARC best practices guide for tips on maintaining your setup over time.

You can verify your existing records at any time using dmarcrecordchecker.com.
