SPF vs DKIM vs DMARC: how the three fit together

SPF, DKIM, and DMARC are complementary email-authentication standards, not competing products. SPF checks whether a server is allowed to send for an envelope domain. DKIM verifies a domain's cryptographic signature. DMARC checks whether a passing SPF or DKIM identity aligns with the visible From domain and applies that domain's policy.

Updated July 14, 2026

The differences at a glance

StandardWhat it checksPublished atMain limitation alone
SPFConnecting IP is authorized for the envelope domainA TXT record on the sending/envelope domainForwarding can break it; visible From may differ
DKIMA signature validates for its signing domain and signed contentA selector under _domainkeyA valid signature may use an unrelated domain
DMARCSPF or DKIM passes and aligns with the visible From domainA TXT record under _dmarcUnsafe enforcement can block forgotten legitimate senders

What happens when an email arrives

  1. The receiver notes the connecting server IP and the SMTP envelope sender.
  2. It evaluates SPF for that envelope domain.
  3. It validates any DKIM signatures using public keys from DNS.
  4. It reads the visible From domain and looks up that domain's DMARC record.
  5. DMARC passes when at least one successful SPF or DKIM identity aligns with the visible From domain.
  6. If DMARC fails, the receiver considers the published none, quarantine, or reject policy and records the result for reporting.

Why one method is not enough

SPF is tied to the SMTP path, so forwarding can replace the connecting IP and break an otherwise legitimate result. DKIM travels with the message but can break when an intermediary modifies signed content. Either method can also authenticate a provider-controlled domain that does not match the brand in the visible From field.

DMARC solves the visible-domain problem through alignment and tolerates a failure of one method because aligned SPF or aligned DKIM can pass. Configuring both gives legitimate mail two ways to authenticate while DMARC supplies policy and reporting.

The safest setup order

  1. Inventory every system that sends as your domain: employee mail, marketing, support, billing, product notifications, and infrastructure.
  2. Create one valid SPF record that authorizes all relevant envelope senders without exceeding 10 DNS lookups.
  3. Enable custom-domain DKIM in every sending platform and verify real messages use aligned signing domains.
  4. Publish DMARC at p=none with aggregate reporting.
  5. Fix unaligned sources found in reports, then advance to quarantine and reject.

Do not wait for perfect SPF before enabling DKIM, or vice versa; they can be configured in parallel. The sequence matters most at the DMARC enforcement step, where incomplete discovery can affect delivery.

How to verify the complete chain

DNS checkers tell you whether the records are publicly valid. A real-message test tells you whether your sender actually used them. Run the SPF checker, DKIM checker, and DMARC checker, then send through the inbox test and confirm both the pass results and their domains.

Repeat that real-message test for every sending platform. A successful Google Workspace test says nothing about your CRM or billing service. For a reusable procedure, follow how to check email authentication.

Sources and further reading

Common questions

Is DMARC a replacement for SPF or DKIM?+

No. DMARC consumes SPF and DKIM results, adds alignment with the visible From domain, and publishes policy/reporting. It needs at least one aligned authentication method to pass.

Should SPF and DKIM both pass?+

Yes, that is the healthiest target. DMARC technically needs only one aligned pass, but having both improves resilience to forwarding and message modification.

Which record stops spoofing?+

An enforced DMARC policy is what asks receivers to quarantine or reject messages spoofing the visible From domain. SPF and DKIM provide the authentication evidence DMARC uses.

Do these records guarantee inbox placement?+

No. They establish identity and are a baseline for delivery, but mailbox providers also evaluate reputation, complaint rates, sending patterns, list quality, and content.