SPF vs DKIM vs DMARC: Complete Email Authentication Guide

Understanding how SPF, DKIM, and DMARC work together to secure your email and improve deliverability

Why Email Authentication Matters

Email authentication is the foundation of modern email deliverability. Without proper authentication, your emails risk being rejected, marked as spam, or failing to reach recipients entirely. In 2024, Google and Yahoo implemented mandatory authentication requirements for bulk senders.

The three protocols—SPF, DKIM, and DMARC—work together to verify that emails actually come from who they claim to come from. Each protocol solves a different piece of the authentication puzzle.

SPF: Sender Policy Framework

DNS TXT Record

What SPF Does

SPF authorizes specific mail servers to send email on behalf of your domain. When a receiving mail server receives an email, it looks up your SPF record to verify the sending server is allowed to send for your domain.

How SPF Works

  1. Your domain publishes an SPF record listing authorized sending IPs
  2. Receiving server receives email from your SMTP server
  3. Receiving server looks up your domain's SPF record
  4. Server checks if the connecting IP is in the authorized list
  5. If not authorized, email fails SPF check

SPF Record Example

TXT @ v=spf1 ip4:192.0.2.0/24 include:_spf.cloudmails.eu ~all

SPF Mechanisms

Mechanism                  | Meaning
ip4:192.0.2.0/24           | Authorize a specific IPv4 address or CIDR range
include:_spf.provider.com  | Include another domain's SPF record
a:mail.example.com         | Authorize the A record of the named host
mx                         | Authorize all of the domain's MX servers
~all                       | SoftFail (mark as suspicious)
-all                       | HardFail (reject)

⚠️ SPF Lookup Limit

SPF verifiers follow a maximum of 10 DNS lookups in a single SPF evaluation. Each include: counts as one lookup, and includes nested inside an included record count against the same budget. Exceeding 10 causes "too many lookups" errors and softfail behavior.
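As an added example (not code from the page or from any provider), the receiving-side evaluation described in "How SPF Works" and the mechanism table above: a small SPF checker that walks the record, resolves include: and a: terms against a constructed in-memory DNS, and enforces the 10-lookup limit. The domain names and IP ranges are assumed for the example; mx, ptr and exists are counted as lookups but not resolved.

```python
import ipaddress

# Constructed in-memory DNS data (assumed names, not from the page): TXT records for
# SPF and A records for "a:" mechanisms. mx/ptr/exists are counted but not resolved.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-include: blows the lookup budget
}
A = {"mail.example.com": "203.0.113.5"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, lookups=None):
    """Evaluate domain's SPF record for the connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror."""
    lookups = [0] if lookups is None else lookups  # shared counter across includes
    addr = ipaddress.ip_address(ip)
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("include", "a", "mx", "ptr", "exists"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # the "too many DNS lookups" condition
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = A.get(arg or domain) == str(addr)
        elif name == "include":
            sub = check_host(ip, arg, lookups)
            if sub == "permerror":
                return sub
            matched = sub == "pass"  # an include matches only when the included record passes
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term present
```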

DKIM: DomainKeys Identified Mail

Cryptographic Signature

What DKIM Does

DKIM adds a cryptographic signature to every email header. Receiving servers verify this signature against your public key published in DNS. This proves the email was not modified in transit and was sent by someone with access to your private key.

How DKIM Works

  1. Sending server signs email headers with private key
  2. Signature is added to email headers (DKIM-Signature)
  3. Receiving server fetches public key from DNS
  4. Server decrypts signature and compares with computed hash
  5. If hashes match, DKIM passes; if not, email fails DKIM

DKIM Record Example

TXT selector._domainkey.example.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBQUAA...

DKIM Signing Process

🔐 The Cryptographic Process

1. When sending, the mail server creates a hash of selected headers and message body
2. This hash is encrypted with the private DKIM key
3. The encrypted hash (signature) is added to email headers
4. Receiving server retrieves public key from DNS
5. Server decrypts signature, compares with independently computed hash
6. Match = valid DKIM; Mismatch = tampered or forged

✅ DKIM Key Requirements

Minimum 1024-bit key length. 2048-bit recommended for future compatibility. Private key never leaves your sending server—only public key is in DNS.
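As an added example (not code from the page or from any mail software), the hash half of the DKIM check from the signing process above: canonicalizing the received body, recomputing the bh= tag and comparing it with the DKIM-Signature header, so that an altered body is detected. Verifying the b= signature over the headers would additionally need the public key from the selector record and is not modelled here; the message, domain and selector are constructed.

```python
import base64, hashlib, re

def canon_body(body: str, mode: str = "relaxed") -> bytes:
    """DKIM body canonicalization (RFC 6376 section 3.4): 'simple' or 'relaxed'."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # collapse whitespace runs to one space and strip trailing whitespace per line
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":  # drop trailing empty lines
        lines.pop()
    if not lines:                      # empty body hashes as CRLF (simple) or nothing (relaxed)
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()

def parse_tags(header: str) -> dict:
    """Split a DKIM-Signature value 'v=1; a=rsa-sha256; bh=...; b=...' into a dict."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace is not significant
    return tags

def body_hash(body: str, mode: str) -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Recompute bh= from the received body and compare with the header's tag.
    A mismatch means the body was altered after signing, so b= cannot verify either."""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        return False
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_mode) == tags.get("bh")

# Constructed sample: a body and the DKIM-Signature a signer would emit for it. The
# domain and selector are hypothetical; b= is a placeholder since no RSA key is used here.
ORIGINAL = "Hello,\r\n\r\nYour invoice total is 100 EUR.\r\n\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector; "
             "h=from:to:subject; bh=" + body_hash(ORIGINAL, "relaxed") + "; b=<placeholder>")
```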

DMARC: Domain-based Message Authentication

Policy Layer

What DMARC Does

DMARC ties SPF and DKIM together with a policy that tells receivers what to do when authentication fails. It also provides aggregate reporting so you can monitor authentication results.

How DMARC Works

  1. Your domain publishes a DMARC policy in DNS
  2. Receiving server checks SPF and DKIM
  3. DMARC evaluates alignment (does SPF/DKIM domain match From domain?)
  4. Based on policy and alignment results, server decides what to do
  5. Server sends aggregate reports to your reporting email

DMARC Record Example

TXT _dmarc.example.com
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100

DMARC Policy Options

Policy (p=) | Meaning                       | Use Case
none        | Monitor only, no action       | Initial deployment, learning phase
quarantine  | Send failing mail to spam     | After monitoring, 80%+ pass rate
reject      | Reject failing mail entirely  | Full compliance, 95%+ pass rate

📊 DMARC Alignment

DMARC requires that the domain in SPF or DKIM matches or is a subdomain of the From header domain. This prevents attackers from sending emails with your domain in the From but from different servers.

How All Three Work Together

SPF, DKIM, and DMARC are not alternatives—they're complementary layers. DMARC requires at least one of SPF or DKIM to pass (with alignment), not both.

🔗 Authentication Flow

1. Email arrives from your sending server
2. Receiving server checks SPF: Does sending IP match authorized list?
3. Server checks DKIM: Is signature valid and from your domain?
4. DMARC evaluates: Does aligned SPF or DKIM pass?
5. Based on DMARC policy and result, email is delivered, quarantined, or rejected
6. Aggregate report sent to your rua= address

DMARC Result Logic

SPF Result            | DKIM Result              | DMARC Result
Pass + Alignment      | Fail                     | PASS
Fail                  | Pass + Alignment         | PASS
Pass                  | Pass                     | PASS
Fail (no alignment)   | Fail (no alignment)      | FAIL
Pass (subdomain)      | Fail (different domain)  | FAIL
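As an added example (not code from the page or from any DMARC implementation), the alignment and result logic from "DMARC Alignment" and the table above, carried through as a function: it parses the page's DMARC record, checks SPF and DKIM identifier alignment in strict or relaxed mode, and returns the DMARC result and disposition. The public-suffix stand-in is constructed; the subdomain row of the table fails under strict alignment (aspf=s), while relaxed alignment, the DMARC default, accepts a subdomain of the From domain.

```python
# Constructed stand-in for the public suffix list: real verifiers consult the full
# PSL to find the organizational domain; only these suffixes are known here.
PUBLIC_SUFFIXES = {"com", "org", "eu", "co.uk"}

def org_domain(domain: str) -> str:
    """Organizational domain: the label directly below the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the DMARC default) accepts any name in the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; ...' into tags, filling in the alignment defaults."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"adkim": "r", "aspf": "r", **tags}

def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """spf_domain is the envelope (MAIL FROM / Return-Path) domain, dkim_domain the
    d= tag of a signature that verified. Returns (dmarc_result, disposition)."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:  # one aligned pass is enough; both are not required
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action[policy["p"]]

# The page's published record, used for the cases in the result table.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
```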

Troubleshooting Authentication Failures

⚠️ SPF Pass but DKIM Fail

This commonly occurs when your From domain differs from your envelope domain. DMARC passes if EITHER SPF or DKIM aligns with From domain. This is normal in some email forwarding scenarios.

⚠️ Both SPF and DKIM Fail

Check: (1) Is SPF record correctly published? (2) Is DKIM selector correct? (3) Does your sending server sign outgoing emails? (4) Are envelope and From domains properly aligned?

⚠️ DMARC Fails but SPF/DKIM Pass

Usually an alignment issue: your envelope domain (Return-Path) or DKIM signing domain doesn't match your From domain. Use relaxed alignment (adkim=r and aspf=r, the DMARC default) in your policy if you send from subdomains.

Complete Setup Checklist

✅ Step 1: Configure SPF

Add all sending sources to your SPF record. Include your email provider's servers, any third-party sending services, and your own SMTP servers.

✅ Step 2: Configure DKIM

Generate DKIM key pair, publish public key in DNS with proper selector, configure your sending server to sign outgoing emails with private key.

✅ Step 3: Deploy DMARC (Monitoring)

Start with p=none to monitor without affecting delivery. Set rua= to receive aggregate reports. Monitor for 4+ weeks.

✅ Step 4: Analyze Reports

Review DMARC aggregate reports for authentication pass rates, identify any legitimate email sources not included in SPF, fix any alignment issues.

✅ Step 5: Move to Enforcement

After achieving 80%+ pass rate with p=none, switch to p=quarantine. After further refinement, consider p=reject for full protection.
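As an added example (not code from the page or from any report-processing product) for steps 3 to 5 above, a parser for a DMARC aggregate (rua) report that computes the message-weighted pass rate, flags sources that passed SPF for a domain other than yours (a legitimate sender missing from your SPF record or not aligned), and applies the page's 80% rule of thumb for moving to p=quarantine. The report XML is constructed in the RFC 7489 Appendix C layout with made-up receiver, report id and documentation-range IPs.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 Appendix C layout); names and IPs are made up.
REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>80</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>20</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>newsletter-provider.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def summarize(xml_text: str) -> dict:
    """Per-source results and the overall DMARC pass rate, weighted by message count."""
    root = ET.fromstring(xml_text)
    sources, passed, total = {}, 0, 0
    for rec in root.iter("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # policy_evaluated carries the *aligned* SPF/DKIM verdicts DMARC actually used
        ok = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        # auth_results carries the raw checks, including which domain SPF was run against
        sources[ip] = {"count": n, "dmarc_pass": ok,
                       "spf_domain": rec.findtext("auth_results/spf/domain"),
                       "spf_result": rec.findtext("auth_results/spf/result")}
        total += n
        passed += n if ok else 0
    rate = round(100.0 * passed / total, 1) if total else 0.0
    return {"pass_rate": rate, "sources": sources}

def unaligned_sources(summary: dict, from_domain: str) -> list:
    """Sources that failed DMARC yet passed SPF for another domain: candidates to add
    to your SPF record or to re-point at your own envelope domain (step 4)."""
    return sorted(ip for ip, s in summary["sources"].items()
                  if not s["dmarc_pass"] and s["spf_result"] == "pass"
                  and s["spf_domain"] != from_domain)

def ready_for_quarantine(summary: dict, threshold: float = 80.0) -> bool:
    """The page's rule of thumb: move from p=none to p=quarantine at an 80%+ pass rate."""
    return summary["pass_rate"] >= threshold
```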
