---
title: "How do DMARC, SPF, and DKIM Work in Tandem to Provide Email Security? | DMARC Report"
description: "How do DMARC, SPF, and DKIM Work in Tandem to Provide Email Security? from DMARC Report explains practical steps for email authentication, domain protection."
image: "https://dmarcreport.com/og/blog/how-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security.png"
canonical: "https://dmarcreport.com/blog/how-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security/"
---

Quick Answer

Since the preferred mode of communication for organizations, businesses, and individuals worldwide is email, avoiding \[phishing\](https://www.imperva.com/learn/application-security/phishing-attack-scam/) and spam becomes the top priority to keep email communications protected. Suppose any user clicks on a phishing link or malicious email attachment.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fhow-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20do%20DMARC%2C%20SPF%2C%20and%20DKIM%20Work%20in%20Tandem%20to%20Provide%20Email%20Security%3F&url=undefined%2Fblog%2Fhow-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fhow-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fhow-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security%2F&title=How%20do%20DMARC%2C%20SPF%2C%20and%20DKIM%20Work%20in%20Tandem%20to%20Provide%20Email%20Security%3F "Share on Reddit") [ ](mailto:?subject=How%20do%20DMARC%2C%20SPF%2C%20and%20DKIM%20Work%20in%20Tandem%20to%20Provide%20Email%20Security%3F&body=Check out this article: undefined%2Fblog%2Fhow-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security%2F "Share via Email") 

![How do DMARC, SPF, and DKIM Work in Tandem to Provide Email Security?](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

## Try Our Free DMARC Checker

Validate your DMARC policy, check alignment settings, and verify reporting configuration.

[ Check DMARC Record → ](/tools/dmarc-checker/) 

The three core email authentication standards - SPF ([RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)), DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)), and DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders. DMARC, SPF, and DKIM can improve your organization’s \*\*email security by authenticating incoming emails. This post discusses how DMARC, SPF, and DKIM work and how to create DMARC, SPF, and DKIM records. Since the preferred mode of communication for organizations, businesses, and individuals worldwide is email, avoiding [phishing](https://www.imperva.com/learn/application-security/phishing-attack-scam/) and spam becomes the top priority to keep email communications protected. Suppose any user clicks on a phishing link or **malicious email attachment**.

> DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, General Manager of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.

![Create dmarc record 5874](https://media.mailhop.org/dmarcreport/images/2022/12/create-dmarc-record-5874-1.jpg) 

In that case, they could compromise the business and themselves by opening the network to [ransomware](https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-belgium-city-of-antwerp/), data leaks, privilege escalation exploits, [email spoofing](https://glockapps.com/blog/email-spoofing/#:~:text=Email%20spoofing%20and%20phishing%20increased,for%20valuable%20information%20and%20credentials.), and more. Let us share how DMARC, SPF, and DKIM work together so you can ensure a robust email security posture.

## **What do DMARC, SPF, and DKIM do?** Each of these makes the tip of a three-pronged approach to email security by covering three essentials.

- **_SPF:_**\_ \_SPF provides the functionality to **verify email platforms**. SPF checks if the platform is authorized to send emails on behalf of a domain, i.e., authenticating the email source.
- **_DKIM:_**\_ \_DKIM ensures that any email sent has not been tampered with and that the contents received are unaltered and **directly from the sender**.
- **_DMARC:_**\_ \_DMARC provides the functionality of reporting by building on these two. If any unauthorized emails are discovered, you can specify remedial actions to handle these.

Now that you know what each of these provides, let us see how DMARC, SPF, and DKIM work.

## \*\*How do DMARC, SPF, and DKIM work?

### **How does SPF work?** SPF records are [DNS (Domain Name System) records](https://www.cloudflare.com/learning/dns/dns-records/#:~:text=What%20is%20a%20DNS%20record,handle%20requests%20for%20that%20domain.) containing information on servers authorized to send emails from a domain. The receiving servers verify SPF by using the Return-Path value from the email header. By sending a query, the recipient can check the \*\*TXT SPF record containing the list of all approved servers where the mail can originate.

The \*\*TXT record is present on the sender’s DNS server, and the SPF check fails if a particular IP (Internet Protocol) address is not found on the list of authorized servers.

SPF consists of mechanisms to describe email senders and four qualifiers, i.e., actions that are applied to the email. These are:

- **Pass:** Denoted by ”+”; pass means the email is accepted and delivered.
- **Fail:** Denoted by ”-”; fail means the email is rejected and is not allowed to be delivered.
- **Soft fail:** Denoted by ”\~”; soft fail accepts the email by tagging it. This means the email is not denied but is marked with a tag due as it cannot be passed with 100% authenticity of the sender.
- **Neutral:** Denoted by ”?”; neutral means that the email is allowed even if the authentication is unsure.

### **How to Create an SPF Record?** You can easily create SPF records by following these steps.

1. Collect information about your hostname, IP, DNS server, and the list of servers you want to authorize to send your emails.
2. Login to the DNS webportal.
3. Create a new TXT record or choose the option to add an SPF-type record.
4. Input the SPF email rule in value and ensure it begins with the version syntax.
5. Publish the SPF record.

You should remember that SPF records can take up to 48 hours to take effect and require each subdomain to be added since they are not automatically included.

### **How does DKIM work?** DKIM provides email signatures to verify senders. With the [digital signature](https://www.techtarget.com/searchsecurity/definition/digital-signature) added to the email header, recipient email servers check the signature to ensure the content is unaltered by looking up the sender’s DKIM record in the DNS. This is achieved by **encryption and decryption**, allowing the sender to \*\*publish a public DKIM key using the DKIM selector. The recipient can use the key to decrypt the DKIM signature received and check the sender’s authenticity and email content.

### **How to Create a DKIM Record?** You can create a DKIM record by:

1. Creating a list of services and domains authorized to send emails on your behalf.
2. Generating key pairs using DKIM generator tools.
3. Use a TXT file to publish your public key on the DNS.
4. Save the private key to the [SMTP](https://www.geeksforgeeks.org/simple-mail-transfer-protocol-smtp/) (Simple Mail Transfer Protocol) server.

### **How does DMARC work?** DMARC works on SPF and DMARC standards to provide email security. The domain administrator publishes a

DMARC policy and lists it as a part of the DNS records. The DMARC policy \*\*defines email authentication and provides actions the mail servers should take if any email violates the DMARC policy. The email recipient can check any incoming email by looking up the DMARC for the domain provided in the email’s “FROM” header and evaluates the action based on three factors:

1. Does the email’s DKIM signature validate?
2. Does the email’s SPF record validate?
3. Does the email contain “domain-aligned” headers?

The DMARC policy accepts, rejects, or flags email messages and reports the outcome to the sender domain based on the results.

### **How to Create a DMARC Record?** You can easily create a DMARC record by:

1. Logging in to the DNS control panel and choose to Create Record.
2. Select TXT as the record type.
3. Add Host Value and “Value” information.
4. Click on Save, and the DMARC record is generated.

DMARC records provide you with three policies to specify email validation checks, including:

- **None:** Allows all emails to reach the recipient.
- **Quarantine:** Sends emails failing the DMARC check to spam or junk folders.
- **Reject:** Does not allow emails failing the DMARC check to get the recipient.
![Dmarc report 5824](https://media.mailhop.org/dmarcreport/images/2022/12/dmarc-report-5824-1.jpg) 

You can set these policies when creating a [DMARC record](https://dmarcreport.com/dmarc-record/) to establish a strict or flexible email security policy.

## \*\*Final Words _SPF, DMARC, and [DKIM](https://www.dmarcanalyzer.com/dkim/) seamlessly work together to provide the best email security._ With SPF specifying authorized email sending domains, DKIM adding digital signatures to emails for verification, and DMARC specifying how to deal with emails that fail SPF or DKIM, these three email standards provide a robust mechanism to ensure your organization or business is protected against email spams, spoofing, phishing, and malicious threats.

## Sources

- [RFC 7208 - Sender Policy Framework (SPF)](https://datatracker.ietf.org/doc/html/rfc7208)
- [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489)

## Topics

[ dkim ](/tags/dkim/)[ dkim selector ](/tags/dkim-selector/)[ dmarc record ](/tags/dmarc-record/)[ dmarc record policy ](/tags/dmarc-record-policy/)[ dns record ](/tags/dns-record/) 

![Vishal Lamba](https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg) 

[ Vishal Lamba ](/authors/vishal-lamba/) 

Content Specialist

Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.

[LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Foundational 10m  Best Tools For Generating DMARC Records For Small Businesses With Minimal It Staff?  Nov 28, 2025 ](/blog/best-tools-for-generating-dmarc-records-for-small-businesses-without-it-staff/)[  Foundational 15m  DKIM TXT Records: How to Properly Configure Your Email Authentication  Apr 16, 2025 ](/blog/dkim-txt-records-how-to-properly-configure-your-email-authentication/)[  Foundational 10m  How To Use Mxtoolbox Dmarc Analyzer For Effective Email Security  Sep 24, 2025 ](/blog/how-to-use-mxtoolbox-dmarc-analyzer-for-effective-email-security/)[  Foundational 14m  Add TXT Record on Namecheap: A Complete DNS Guide  Mar 5, 2025 ](/blog/add-txt-record-on-namecheap-a-complete-dns-guide/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"How do DMARC, SPF, and DKIM Work in Tandem to Provide Email Security?","description":"How do DMARC, SPF, and DKIM Work in Tandem to Provide Email Security? from DMARC Report explains practical steps for email authentication, domain protection.","url":"https://dmarcreport.com/blog/how-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security/","datePublished":"2022-12-14T10:24:13.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2022-12-14T10:24:13.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://dmarcreport.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes DMARC Report's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF and DMARC errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/how-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security/"},"articleSection":"foundational","keywords":"dkim, dkim selector, dmarc record, dmarc record policy, dns record","wordCount":1153,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"How do DMARC, SPF, and DKIM Work in Tandem to Provide Email Security?","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"How do DMARC, SPF, and DKIM Work in Tandem to Provide Email Security?","item":"https://dmarcreport.com/blog/how-do-dmarc-spf-and-dkim-work-in-tandem-to-provide-email-security/"}]}
```