SPF vs DKIM vs DMARC: What's the Difference and How Do They Work Together?
Quick Answer
SPF (RFC 7208) declares which IPs may send mail for your domain, so it checks where a message came from: the sending server's IP, evaluated against the MAIL FROM domain's DNS record. DKIM (RFC 6376) signs the body and selected headers with a private key whose public half is published in DNS, so it checks that the signed content has not been altered in transit and was signed by the domain named in the signature. DMARC (RFC 7489) ties both together: it requires that the domain SPF or DKIM authenticated aligns with the visible From header, specifies what receivers should do when that check fails (none, quarantine or reject), and asks receivers to send you reports. You need all three; they solve different parts of the same problem.
Since February 2024, Google and Yahoo have required bulk senders (5,000 or more messages per day to their users) to authenticate with both SPF and DKIM and to publish a DMARC policy, with p=none as the minimum. Microsoft applied the same requirements to Outlook.com consumer mailboxes from May 2025. This is no longer a "nice to have."
"The organizations that invest in email authentication early save themselves from expensive incidents later," says Vasile Diaconu, Operations Lead at DuoCircle. "We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost."
How Do They Differ?
| Protocol | What it does | RFC | What it checks | Survives forwarding? |
|---|---|---|---|---|
| SPF | Declares the IPs authorized to send mail for the MAIL FROM domain | RFC 7208 | Connecting server's IP against the mechanisms in the domain's TXT record | ❌ Usually not: the forwarder's IP is not in your record (unless the forwarder rewrites MAIL FROM, e.g. with SRS) |
| DKIM | Signs the body and selected headers with a private key; the public key is published in DNS | RFC 6376 | Signature and body hash against the key at selector._domainkey.<d= domain> | ✅ Usually yes: the signature survives unless the forwarder alters signed content (mailing-list footers, subject tags) |
| DMARC | Policy + reporting layer on top of SPF and DKIM | RFC 7489 | Whether the SPF or DKIM domain aligns with the From header domain, and what to do on failure | Passes if either aligned check survives; after forwarding that is normally DKIM |
Why Do You Need All Three?
SPF alone isn't enough. It checks the envelope sender (RFC5321.MailFrom, or the HELO identity when MAIL FROM is empty), not the From header the recipient sees. An attacker can pass SPF by using their own domain in MAIL FROM while putting your domain in the From field.
DKIM alone isn't enough. A valid signature proves the signed parts were not altered since signing and that the holder of the d= domain's key produced it, but nothing in DKIM requires d= to match the From header: an attacker can sign a message that spoofs your From address with a key for their own domain and still get a DKIM pass. DKIM also tells receivers nothing about what to do when a signature is missing or fails, and not every sender signs.
DMARC alone is meaningless. DMARC authenticates nothing by itself; it needs SPF or DKIM to pass with a domain that aligns with the From header. Without them it has nothing to evaluate.
Together: SPF provides the sender IP check, DKIM provides the content integrity check, and DMARC binds whichever one passes to the From domain, adds policy enforcement, and reports the results back to you.
How Do They Work Together?
- You send an email from your domain
- The receiving server checks SPF: is the connecting IP authorized by the MAIL FROM domain's record?
- The receiving server checks DKIM: does the signature verify against the public key published for the signature's d= domain and selector?
- The receiving server looks up the DMARC record at _dmarc.<From domain> (falling back to the organizational domain) and checks alignment: does the SPF-authenticated or DKIM-signing domain match the From header domain, exactly (strict) or by organizational domain (relaxed)? If neither aligns, what does the policy say to do?
- Based on the DMARC policy, the receiver delivers, quarantines, or rejects the message
- The receiver sends aggregate reports (XML, typically once a day, covering passing and failing mail alike) to the rua= address in your DMARC record
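The evaluation in the steps above, and the "attacker passes SPF on their own domain" and "only DKIM survives forwarding" cases from the previous section, written out as an added example. This is illustrative code, not code from the article, from DuoCircle or from DMARC Report: a minimal DMARC evaluator that takes the SPF and DKIM results a receiver has already computed, checks identifier alignment against the From header in relaxed or strict mode, applies sp= for subdomain senders, and returns the disposition. Every domain, DMARC record and authentication result in it is constructed; the DNS lookups are assumed to have already happened, and the organizational domain is approximated as the last two labels, where a real receiver consults the Public Suffix List.

```python
from dataclasses import dataclass

# Added example, not code from the article. Domains, records and results
# below are constructed for illustration.


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a
    tag dictionary, applying the RFC 7489 defaults for alignment mode."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (an
    assumption for this example). A real receiver uses the Public Suffix
    List so that 'mail.example.co.uk' maps to 'example.co.uk', not 'co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1). Strict ('s') needs an
    exact match; relaxed ('r') only needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    """What the receiver knows after running SPF and DKIM on one message."""
    from_domain: str   # domain of the visible RFC5322.From header
    spf_result: str    # 'pass', 'fail', 'softfail', 'none', ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str   # 'pass', 'fail' or 'none'
    dkim_domain: str   # d= of the verified signature, '' if no signature


def evaluate_dmarc(record: str, r: AuthResults) -> dict:
    """Combine SPF/DKIM results with the DMARC record for the From domain
    (normally fetched from _dmarc.<from_domain>, then the organizational
    domain; here the record text is passed in) and return the verdict."""
    dmarc = parse_dmarc(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, dmarc["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, dmarc["adkim"])
    passed = spf_aligned or dkim_aligned

    # Failing mail gets p=, except mail From a subdomain when sp= is present.
    policy = dmarc["p"]
    if r.from_domain.lower() != org_domain(r.from_domain) and "sp" in dmarc:
        policy = dmarc["sp"]
    # pct= (sampling) is ignored so the result stays deterministic.
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else policy,
    }


def demo() -> dict:
    """Five constructed messages against two constructed DMARC records."""
    reject = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    strict = "v=DMARC1; p=quarantine; aspf=s; adkim=s; sp=none"
    return {
        # Normal send: SPF passes on the bounce subdomain, DKIM signed by example.com.
        "legit": evaluate_dmarc(reject, AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")),
        # Spoof: attacker passes SPF and DKIM, but only for attacker.net.
        "spoof": evaluate_dmarc(reject, AuthResults("example.com", "pass", "attacker.net", "pass", "attacker.net")),
        # Forwarded: the forwarder's IP fails SPF, the DKIM signature survives.
        "forwarded": evaluate_dmarc(reject, AuthResults("example.com", "fail", "bounce.example.com", "pass", "example.com")),
        # Strict alignment: bounce.example.com is not example.com, and no DKIM.
        "strict": evaluate_dmarc(strict, AuthResults("example.com", "pass", "bounce.example.com", "none", "")),
        # Subdomain sender failing everything: sp=none overrides p=quarantine.
        "subdomain": evaluate_dmarc(strict, AuthResults("news.example.com", "fail", "news.example.com", "none", "")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10} {verdict}")
```

The "spoof" case is the one the previous section warns about: SPF and DKIM both pass, yet the message fails DMARC because neither authenticated domain is example.com. The "forwarded" case shows why DKIM is what carries you through forwarding once you move to p=reject.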
Quick Setup
- Check your SPF record and fix any issues
- Verify your DKIM selectors are published
- Generate your DMARC record and publish it
- Monitor your reports with DMARC Report
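The "check your SPF record" step, as an added example of what such a check actually looks for. This is illustrative code, not the article's or DMARC Report's checker: a small SPF linter that flags the defects receivers penalize under RFC 7208 (more than one SPF record, more than ten DNS-querying terms, a missing or over-permissive all mechanism, the deprecated ptr mechanism, terms placed after all). The records are constructed and nothing is resolved; a real checker also follows include: and redirect= targets recursively and counts the lookups they cause, which this example does not.

```python
# Added example, not code from the article. Records below are constructed.
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term: str) -> tuple[str, str]:
    """Split one SPF term into (qualifier, name):
    '~all' -> ('~', 'all'), 'ip4:203.0.113.0/24' -> ('+', 'ip4'),
    'redirect=_spf.example.com' -> ('+', 'redirect')."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
    return qualifier, name.lower()


def lint_spf(txt_records: list[str]) -> list[str]:
    """Return the problems found in the TXT records published at a domain's
    apex. An empty list means every check here passed."""
    problems = []
    spf_records = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf_records:
        return ["no SPF record (no TXT record starting with v=spf1)"]
    if len(spf_records) > 1:
        problems.append(f"{len(spf_records)} SPF records published; RFC 7208 allows exactly one, "
                        "receivers return permerror")
    record = spf_records[0]
    if len(record) > 450:
        problems.append(f"record is {len(record)} characters; RFC 7208 section 3.4 recommends staying "
                        "under 450 so the answer fits one UDP packet")

    terms = record.split()[1:]  # drop the v=spf1 version tag
    lookups = 0
    all_seen = False
    has_redirect = False
    for term in terms:
        qualifier, name = _term_name(term)
        if all_seen:
            problems.append(f"term '{term}' after 'all' is never evaluated")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "ptr":
            problems.append("ptr mechanism is deprecated (RFC 7208 section 5.5): slow and unreliable")
        if name == "all":
            all_seen = True
            if qualifier in ("+", "?"):
                problems.append(f"'{term}' lets any host through; use '-all' or '~all'")
    if not all_seen and not has_redirect:
        problems.append("no 'all' mechanism (and no redirect=): unlisted hosts get 'neutral', not 'fail'")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms at the top level exceeds the limit of {MAX_LOOKUPS}; "
                        "receivers return permerror")
    return problems


def demo() -> dict:
    """Lint a handful of constructed record sets."""
    return {
        "good": lint_spf(["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"]),
        "permissive": lint_spf(["v=spf1 a mx +all"]),
        "too_many_lookups": lint_spf(["v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " ~all"]),
        "duplicate": lint_spf(["v=spf1 ip4:198.51.100.1 -all",
                               "v=spf1 include:_spf.example.net -all",
                               "google-site-verification=abc"]),
        "missing": lint_spf(["google-site-verification=abc"]),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or ["ok"])
```

Feed it the TXT records you get back from `dig +short TXT yourdomain.example`; the "duplicate" case is the most common real-world surprise, because a second record added for a new SaaS vendor silently breaks SPF for everything.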
According to the FBI's 2022 IC3 Report, Business Email Compromise caused $2.7 billion in reported losses in a single year. These three protocols close off one of its entry points, exact-domain spoofing of your From address; they do not stop lookalike domains or mail sent from a compromised legitimate mailbox, so they are necessary but not sufficient on their own.
Founder and CEO of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.