SPF vs DKIM vs DMARC
SPF says which IP addresses may send for a domain. DKIM cryptographically signs a message so a receiver can verify it was not forged or altered. Neither, on its own, has anything to do with the From: address a human sees — which is exactly the address a phisher forges. DMARC is what closes that gap: it requires that SPF or DKIM not only pass but align with the visible From: domain, and it tells receivers what to do when nothing does.
The one-line version
| Answers the question | Protects the visible From? | |
|---|---|---|
| SPF | "Is this IP allowed to send for this envelope domain?" | No |
| DKIM | "Was this message signed by a key this domain published, and is it unmodified?" | No |
| DMARC | "Did SPF or DKIM pass on the domain the human actually sees — and if not, what should I do?" | Yes |
Why SPF and DKIM alone don't stop spoofing
This is the part that is genuinely counter-intuitive, and it is worth being precise about.
SPF is evaluated against the envelope-from — the Return-Path, a
field your recipient never sees. DKIM is evaluated against the d= domain in the
signature — also invisible. An attacker can register evil.example, publish a perfectly
valid SPF record for it, sign with a perfectly valid DKIM key for it, and set:
Return-Path: [email protected] ← SPF passes (for evil.example) DKIM-Signature: d=evil.example ← DKIM passes (for evil.example) From: [email protected] ← what the human sees. Forged.
SPF: pass. DKIM: pass. And the mail is a forgery. Nothing so far has checked the only identity the recipient will ever look at.
From: domain. In the attack above, neither aligns
with yourcompany.com, so DMARC fails — and if you publish p=reject,
the receiver refuses the message. That is the entire value of DMARC, and it is why SPF and DKIM
without it are a compliance exercise rather than a defence.
The same mechanism explains your own failures
Run the logic in reverse and you have the most common legitimate-mail problem too: your ESP
sends with its own bounce domain and signs with its own DKIM key. SPF passes. DKIM passes.
Neither aligns with your From:. DMARC fails, and at p=reject your own
newsletter is refused. The fix is to enable DKIM signing on your domain at the ESP — usually one
CNAME — so that at least one authenticated identifier is yours.
Check all three
SPF, DKIM and DMARC together, with the exact records to fix what's broken.
Frequently asked
What is the difference between SPF, DKIM and DMARC?
SPF authorises sending IP addresses for a domain. DKIM attaches a cryptographic signature so receivers can verify the message was not forged or modified. DMARC binds either of those to the From: address the recipient actually sees, by requiring alignment, and tells receivers what to do on failure. SPF and DKIM authenticate things the user never sees; DMARC is the only one that protects the visible identity.
Do I need all three of SPF, DKIM and DMARC?
Yes, in practice. Gmail and Yahoo now require SPF, DKIM and DMARC from bulk senders. Even below those thresholds, DMARC is the only one of the three that prevents someone spoofing your visible From address, and it cannot work without at least one of SPF or DKIM aligning.
What does DMARC alignment mean?
Alignment means the domain that passed SPF or DKIM matches the domain in the visible From: header. SPF is checked against the envelope-from (the Return-Path), which for most ESPs is the ESP's own bounce domain — so SPF can pass while aligning with nothing. Passing is not aligning, and DMARC only counts a mechanism that does both.
Which matters more, SPF or DKIM?
DKIM, for two reasons. It survives forwarding and mailing lists, which rewrite the envelope and break SPF by design. And aligned DKIM alone is sufficient for DMARC to pass. A domain with broken SPF but correctly aligned DKIM still passes DMARC and still delivers.
Related
- What p=none actually does — p=none asks receivers not to change message handling.
- Finding a DKIM selector — DKIM selectors are not discoverable from DNS — there is no record that lists them.
- Setting up email authentication, in the right order — A working sequence for SPF, DKIM and DMARC that doesn't reject your own mail on the way.
- DMARC has a new RFC — and pct is gone — RFC 9989 (May 2026) obsoletes RFC 7489 and RFC 9091.
- Every DMARC tag, explained — A complete reference for DMARC record tags as of RFC 9989 — what each one does, which are required, which are safe to omit, and which no longer exist.
Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.