What is the difference between SPF, DKIM, and DMARC?

Question

SPF, DKIM, and DMARC each solve a different part of the email authentication puzzle.

**SPF — Who is allowed to send?**
- Defines authorized IP addresses/servers in a DNS TXT record
- Checked by the receiving server on the envelope sender (Return-Path)
- Breaks when emails are forwarded (new server not in SPF)
- Example: `v=spf1 include:_spf.google.com -all`

**DKIM — Was the email tampered with?**
- Adds a cryptographic signature to the email header
- Public key published in DNS, private key held by sending server
- Survives forwarding (signature stays intact)
- Example header: `DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector`

**DMARC — What happens when checks fail?**
- Policy that tells receivers how to handle failed SPF/DKIM
- Requires SPF or DKIM to pass AND align with the From domain
- Three policy levels: none (monitor), quarantine (spam), reject (block)
- Sends aggregate reports so you can monitor authentication
- Example: `v=DMARC1; p=reject; rua=mailto:dmarc@example.com`

**How they work together:**
```
Email arrives → Check SPF (pass/fail) → Check DKIM (pass/fail)
                                                    ↓
                                    DMARC: At least one passed + aligned?
                                         ↓              ↓
                                        Yes             No
                                         ↓              ↓
                                      Deliver     Apply policy (none/quarantine/reject)
```

**Key difference:**
| Feature | SPF | DKIM | DMARC |
|---------|-----|------|-------|
| Checks | Server IP | Email signature | Alignment + policy |
| Survives forwarding | No | Yes | Depends |
| DNS record type | TXT | TXT | TXT |
| Prevents spoofing | Partially | Partially | Yes (when enforced) |

Check all three for your domain at https://intodns.ai

IntoDNS.AI · Accepted Answer

SPF, DKIM, and DMARC each solve a different part of the email authentication puzzle.

**SPF — Who is allowed to send?**
- Defines authorized IP addresses/servers in a DNS TXT record
- Checked by the receiving server on the envelope sender (Return-Path)
- Breaks when emails are forwarded (new server not in SPF)
- Example: `v=spf1 include:_spf.google.com -all`

**DKIM — Was the email tampered with?**
- Adds a cryptographic signature to the email header
- Public key published in DNS, private key held by sending server
- Survives forwarding (signature stays intact)
- Example header: `DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector`

**DMARC — What happens when checks fail?**
- Policy that tells receivers how to handle failed SPF/DKIM
- Requires SPF or DKIM to pass AND align with the From domain
- Three policy levels: none (monitor), quarantine (spam), reject (block)
- Sends aggregate reports so you can monitor authentication
- Example: `v=DMARC1; p=reject; rua=mailto:dmarc@example.com`

**How they work together:**
```
Email arrives → Check SPF (pass/fail) → Check DKIM (pass/fail)
                                                    ↓
                                    DMARC: At least one passed + aligned?
                                         ↓              ↓
                                        Yes             No
                                         ↓              ↓
                                      Deliver     Apply policy (none/quarantine/reject)
```

**Key difference:**
| Feature | SPF | DKIM | DMARC |
|---------|-----|------|-------|
| Checks | Server IP | Email signature | Alignment + policy |
| Survives forwarding | No | Yes | Depends |
| DNS record type | TXT | TXT | TXT |
| Prevents spoofing | Partially | Partially | Yes (when enforced) |

Check all three for your domain at https://intodns.ai

What is the difference between SPF, DKIM, and DMARC?

Detailed Answer

Check your domain now

Related Questions

What is SPF, DKIM, and DMARC?

How to setup an SPF record?

How to setup DMARC?