---
title: "SPF vs DKIM vs DMARC: What's the Difference and How Do They Work Together? | DMARC Report"
description: "SPF checks which servers can send email from your domain, DKIM signs messages cryptographically, and DMARC ties both together with an enforceable policy. All three are required since Google"
image: "https://dmarcreport.com/og/blog/spf-vs-dkim-vs-dmarc-difference-explained-2026.png"
canonical: "https://dmarcreport.com/blog/spf-vs-dkim-vs-dmarc-difference-explained-2026/"
---

Quick Answer

SPF (RFC 7208) declares which IPs can send from your domain. DKIM (RFC 6376) signs messages cryptographically. DMARC (RFC 7489) ties both together by requiring alignment and specifying what to do when authentication fails. You need all three - Google

Related: [Free DMARC Checker](/tools/dmarc-checker/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fspf-vs-dkim-vs-dmarc-difference-explained-2026%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=SPF%20vs%20DKIM%20vs%20DMARC%3A%20What's%20the%20Difference%20and%20How%20Do%20They%20Work%20Together%3F&url=undefined%2Fblog%2Fspf-vs-dkim-vs-dmarc-difference-explained-2026%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fspf-vs-dkim-vs-dmarc-difference-explained-2026%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fspf-vs-dkim-vs-dmarc-difference-explained-2026%2F&title=SPF%20vs%20DKIM%20vs%20DMARC%3A%20What's%20the%20Difference%20and%20How%20Do%20They%20Work%20Together%3F "Share on Reddit") [ ](mailto:?subject=SPF%20vs%20DKIM%20vs%20DMARC%3A%20What's%20the%20Difference%20and%20How%20Do%20They%20Work%20Together%3F&body=Check out this article: undefined%2Fblog%2Fspf-vs-dkim-vs-dmarc-difference-explained-2026%2F "Share via Email") 

![SPF vs DKIM vs DMARC: What's the Difference and How Do They ](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) 

## Try Our Free DMARC Checker

Validate your DMARC policy, check alignment settings, and verify reporting configuration.

[ Check DMARC Record → ](/tools/dmarc-checker/) 

\*\*SPF checks where the email came from (the sending server’s IP), DKIM checks that the email content hasn’t been altered (cryptographic signature), and DMARC ties both together by requiring alignment with the `From` header and specifying what to do when authentication fails (none/quarantine/reject). You need all three - they solve different parts of the same problem.

Since February 2024, Google and Yahoo require SPF + DKIM + DMARC for any domain sending 5,000+ messages per day. Microsoft followed with enforcement from May 2025\. This is no longer a “nice to have.”

> The organizations that invest in email authentication early save themselves from expensive incidents later, says Vasile Diaconu, Operations Lead at DuoCircle. We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost.

## How Do They Differ?

| Protocol  | What it does                            | RFC                                                       | What it checks                                     | Survives forwarding?           |
| --------- | --------------------------------------- | --------------------------------------------------------- | -------------------------------------------------- | ------------------------------ |
| **SPF**   | Declares authorized sending IPs         | [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208) | Sending server’s IP against DNS list               | ❌ No - fails when forwarded    |
| **DKIM**  | Signs message content cryptographically | [RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376) | Message hash against published public key          | ✅ Yes - signature stays intact |
| **DMARC** | Policy + reporting for SPF and DKIM     | [RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489) | Alignment between From header and SPF/DKIM domains | Depends on which passes        |

## Why Do You Need All Three?

**SPF alone isn’t enough** \- it checks the envelope sender (MAIL FROM), not the visible From header. An attacker can pass SPF with their own domain while spoofing yours in the From field.

**DKIM alone isn’t enough** \- it proves the message wasn’t altered, but doesn’t tell receivers what to do if it fails. And not all senders sign with DKIM.

**DMARC alone is meaningless** \- DMARC depends on SPF or DKIM passing and aligning. Without them, DMARC has nothing to evaluate.

Together: SPF provides the sender IP check, DKIM provides the content integrity check, and DMARC provides the policy enforcement and reporting layer.

## How Do They Work Together?

1. You send an email from your domain
2. The receiving server checks **SPF** \- is this IP authorized?
3. The receiving server checks **DKIM** \- is the signature valid?
4. The receiving server checks **DMARC** \- does the SPF or DKIM domain align with the From header? If not, what does the policy say to do?
5. Based on the DMARC policy, the receiver delivers, quarantines, or rejects the message
6. The receiver sends an aggregate report to your `rua=` address

## Quick Setup

1. [Check your SPF record →](/tools/spf-checker/) and fix any issues
2. [Verify your DKIM selectors →](/tools/dkim-lookup/) are published
3. [Generate your DMARC record →](/tools/dmarc-record-generator/) and publish it
4. [Monitor your reports →](https://app.dmarcreport.com/) with DMARC Report

According to the [FBI’s 2022 IC3 Report](https://www.ic3.gov/Media/PDF/AnnualReport/2022%5FIC3Report.pdf), Business Email Compromise - the exact attack these three protocols prevent - caused $2.7 billion in direct losses in a single year.

## Sources

- [RFC 7208 - Sender Policy Framework (SPF)](https://datatracker.ietf.org/doc/html/rfc7208)
- [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489)

## Topics

[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/) 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Foundational 8m  10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective  Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[  Foundational 12m  10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast  Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[  Foundational 12m  10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection  Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[  Foundational 12m  10 Reasons SPF Filtering Is Critical For Email Security  Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"SPF vs DKIM vs DMARC: What's the Difference and How Do They Work Together?","description":"SPF checks which servers can send email from your domain, DKIM signs messages cryptographically, and DMARC ties both together with an enforceable policy. All three are required since Google's and Yahoo's February 2024 bulk sender mandate.","url":"https://dmarcreport.com/blog/spf-vs-dkim-vs-dmarc-difference-explained-2026/","datePublished":"2026-03-24T00:00:00.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-03-24T00:00:00.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/spf-vs-dkim-vs-dmarc-difference-explained-2026/"},"articleSection":"foundational","keywords":"DMARC, email security","wordCount":2500,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg","caption":"SPF vs DKIM vs DMARC: What's the Difference and How Do They ","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"SPF vs DKIM vs DMARC: What's the Difference and How Do They Work Together?","item":"https://dmarcreport.com/blog/spf-vs-dkim-vs-dmarc-difference-explained-2026/"}]}
```