SPF vs DKIM vs DMARC

SPF says which IP addresses may send for a domain. DKIM cryptographically signs a message so a receiver can verify it was not forged or altered. Neither, on its own, has anything to do with the From: address a human sees — which is exactly the address a phisher forges. DMARC is what closes that gap: it requires that SPF or DKIM not only pass but align with the visible From: domain, and it tells receivers what to do when nothing does.

Updated July 14, 2026 · DMARC

The one-line version

Answers the questionProtects the visible From?
SPF"Is this IP allowed to send for this envelope domain?"No
DKIM"Was this message signed by a key this domain published, and is it unmodified?"No
DMARC"Did SPF or DKIM pass on the domain the human actually sees — and if not, what should I do?"Yes

Why SPF and DKIM alone don't stop spoofing

This is the part that is genuinely counter-intuitive, and it is worth being precise about.

SPF is evaluated against the envelope-from — the Return-Path, a field your recipient never sees. DKIM is evaluated against the d= domain in the signature — also invisible. An attacker can register evil.example, publish a perfectly valid SPF record for it, sign with a perfectly valid DKIM key for it, and set:

Return-Path: [email protected]      ← SPF passes (for evil.example)
DKIM-Signature: d=evil.example        ← DKIM passes (for evil.example)
From: [email protected]             ← what the human sees. Forged.

SPF: pass. DKIM: pass. And the mail is a forgery. Nothing so far has checked the only identity the recipient will ever look at.

DMARC is the check that ties the knot. It requires the domain that passed SPF or DKIM to align with the From: domain. In the attack above, neither aligns with yourcompany.com, so DMARC fails — and if you publish p=reject, the receiver refuses the message. That is the entire value of DMARC, and it is why SPF and DKIM without it are a compliance exercise rather than a defence.

The same mechanism explains your own failures

Run the logic in reverse and you have the most common legitimate-mail problem too: your ESP sends with its own bounce domain and signs with its own DKIM key. SPF passes. DKIM passes. Neither aligns with your From:. DMARC fails, and at p=reject your own newsletter is refused. The fix is to enable DKIM signing on your domain at the ESP — usually one CNAME — so that at least one authenticated identifier is yours.

Check all three

SPF, DKIM and DMARC together, with the exact records to fix what's broken.

Frequently asked

What is the difference between SPF, DKIM and DMARC?

SPF authorises sending IP addresses for a domain. DKIM attaches a cryptographic signature so receivers can verify the message was not forged or modified. DMARC binds either of those to the From: address the recipient actually sees, by requiring alignment, and tells receivers what to do on failure. SPF and DKIM authenticate things the user never sees; DMARC is the only one that protects the visible identity.

Do I need all three of SPF, DKIM and DMARC?

Yes, in practice. Gmail and Yahoo now require SPF, DKIM and DMARC from bulk senders. Even below those thresholds, DMARC is the only one of the three that prevents someone spoofing your visible From address, and it cannot work without at least one of SPF or DKIM aligning.

What does DMARC alignment mean?

Alignment means the domain that passed SPF or DKIM matches the domain in the visible From: header. SPF is checked against the envelope-from (the Return-Path), which for most ESPs is the ESP's own bounce domain — so SPF can pass while aligning with nothing. Passing is not aligning, and DMARC only counts a mechanism that does both.

Which matters more, SPF or DKIM?

DKIM, for two reasons. It survives forwarding and mailing lists, which rewrite the envelope and break SPF by design. And aligned DKIM alone is sufficient for DMARC to pass. A domain with broken SPF but correctly aligned DKIM still passes DMARC and still delivers.

Related

Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.