Guide

SPF vs DKIM vs DMARC — what's the difference?

Three records, three jobs. Here's what each one does, why one isn't enough, and how they work together.

Check all three at once

What it is

SPF (Sender Policy Framework) lists the servers allowed to send email as your domain. A receiver checks the sending server against your list — a kind of guest list for your mail.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message. The receiver verifies it against a public key in your DNS, proving the message really came from you and wasn't tampered with — like a tamper-proof seal.

DMARC ties the two together and adds a policy: it tells receivers what to do when a message claims to be from your domain but fails both SPF and DKIM alignment — and asks them to report who's sending as you. It's the enforcement layer.

Why it matters

Each covers a gap the others don't. SPF can break when mail is forwarded; DKIM survives forwarding but doesn't say what to do on failure; DMARC is the only one that actually tells receivers to reject impersonation and gives you visibility into who's sending as you.

The big mailbox providers now expect all three. Having one or two is why a lot of "but I set up SPF!" mail still lands in spam.

How to set it up

  1. 1Set up SPF first — it's the simplest and DMARC needs it (or DKIM) to align.
  2. 2Turn on DKIM at your email provider and publish the key. It's the more robust of the two because it survives forwarding.
  3. 3Publish DMARC last, starting at p=none, so you can watch the reports before enforcing.
  4. 4Use the reports to confirm every legitimate sender aligns, then raise the DMARC policy to quarantine and reject.

Common problems

Do I really need all three?
Yes. SPF or DKIM alone can pass while your domain is still spoofable, because nothing tells receivers to reject failures — that's DMARC's job. And DMARC needs SPF or DKIM to align to work. They're a set.
Which one stops spoofing?
DMARC — but only at p=quarantine or p=reject. SPF and DKIM authenticate; DMARC at enforcement is what actually blocks impersonation.
What does 'alignment' mean?
DMARC passes only if the domain in the visible From address matches the domain that passed SPF or DKIM. A message can pass raw SPF/DKIM for one domain yet still fail DMARC for yours if they don't match.

Check it — then keep it healthy

Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.

More guides