DMARC vs SPF vs DKIM: What's the Difference?
Understanding the three email authentication standards and how they work together.
Email authentication can seem confusing. What’s the difference between SPF, DKIM, and DMARC? When do you need each? Let’s break it down.
Quick Answer
| Standard | Purpose | Checks |
|---|---|---|
| SPF | Lists which servers may send mail for the domain | "Is the connecting server authorized for the envelope sender's domain?" |
| DKIM | Signs messages with the domain's private key | "Was this message signed by that domain and left unmodified?" |
| DMARC | Ties both checks to the visible From: domain and sets policy | "What do I do if neither check passes with an aligned domain?" |
They work together. You need all three for complete protection.
SPF (Sender Policy Framework)
What It Does
SPF says: “Only these servers are allowed to send email from my domain.”
Example
Your company uses:
- Your own mail server: mail.company.com
- Google Workspace: in DNS this is the include:_spf.google.com entry Google publishes for its outbound servers (aspmx.google.com is Google's inbound MX host, not a sender)
Your SPF record, a TXT record on company.com that starts with v=spf1, says: "Only these servers can send from @company.com"
How It Works
Email arrives from IP 1.2.3.4
↓
Server looks up SPF record
↓
Record says "approved IPs are..."
↓
Is 1.2.3.4 in the list?
↓
Yes? → Pass ✓
No? → Fail ✗
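The flow above, as an added example that is not part of the original page: a small SPF evaluator in Python that walks a record term by term, the way a receiving server does. DNS is replaced by a constructed in-memory table (all domains and addresses in it are made up for this example), it implements only the ip4, ip6, include and all mechanisms, and it enforces the 10-lookup limit from RFC 7208 that the SPF-flattening advice in Troubleshooting is about.

```python
"""Minimal SPF evaluator (RFC 7208) against an in-memory DNS table.

Added example, not the page's own code. It handles the ip4, ip6, include
and all mechanisms plus the 10-lookup limit; a, mx, ptr, exists and
redirect= need live DNS and are reported as permerror here.
"""
import ipaddress

# Constructed sample zone data (assumption): domain -> SPF TXT record.
DNS_TXT = {
    "company.com": "v=spf1 ip4:203.0.113.10 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    # A record that includes itself: only the lookup limit stops the recursion.
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 lookup terms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, counter=None):
    """Return the SPF result for connecting IP `ip` and MAIL FROM domain `domain`."""
    if counter is None:
        counter = {"lookups": 0}  # shared across include: recursion
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            if term.lower().startswith("redirect="):
                return "permerror"  # would need a live DNS lookup in this example
            continue  # exp= does not affect the result
        qualifier = "+"  # the default qualifier is "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_spf(ip, value, counter)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("permerror", "temperror"):
                return sub
            if sub == "none":
                return "permerror"  # RFC 7208 s5.2: included domain has no record
            # fail/softfail/neutral from the include: no match, keep evaluating
        else:
            # a, mx, ptr and exists need live DNS; anything else is an unknown mechanism
            return "permerror"
    return "neutral"  # ran off the end without an "all" term


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "company.com"), ("198.51.100.7", "company.com"),
                       ("192.0.2.1", "company.com"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} for {domain}: {check_spf(ip, domain)}")
```

The counter is passed down through every include: so that nested records share one budget; once it passes ten the whole evaluation is a permerror, and DMARC treats a permerror the same as a failed SPF check.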
Limitations
- Only checks the connecting server's IP address against the domain in the envelope sender (SMTP MAIL FROM / Return-Path), not the From: address the recipient sees
- Doesn't verify content
- Doesn't sign emails
- Breaks when mail is forwarded, because the forwarding server's IP is not in your record
- Can be bypassed on its own: an attacker can pass SPF for a domain they control in MAIL FROM while putting your domain in the visible From: header; only DMARC's alignment check closes that gap
- Result: SPF alone isn't enough
DKIM (DomainKeys Identified Mail)
What It Does
DKIM digitally signs your emails. It’s like a tamper-proof seal on an envelope.
How It Works
- When you send an email, your mail server hashes the body and a chosen set of headers and signs the result with a private key
- The signature travels in a DKIM-Signature header; the matching public key is published in DNS at selector._domainkey.yourdomain
- Receiving servers fetch the public key and verify the signature
- If the signature is valid, the signed headers and body are exactly what the signing domain sent
- If someone modifies the body or a signed header in transit, the signature no longer verifies
Example
Email sent with DKIM signature
↓
Email travels through internet
↓
Attacker tries to modify content
↓
Signature becomes invalid
↓
Receiving server records dkim=fail; your DMARC policy then decides whether the message is rejected ✓
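The tamper-detection step in the flow above, as an added example (not code from the original page): the bh= tag of a DKIM-Signature commits to the canonicalized body, so any change to the body breaks it, while the whitespace changes that relays commonly make do not. This Python code implements the "relaxed" body canonicalization and the bh= comparison from RFC 6376; the message body and the signature header it builds are constructed for the example. Checking the b= signature itself additionally needs the public key from DNS and an RSA or Ed25519 verification, which is left out so that the example runs offline.

```python
"""DKIM body-hash check: RFC 6376 relaxed body canonicalization and the bh= tag.

Added example, not the page's code. It implements the tamper-detection half
of DKIM (bh=). Verifying b= also needs the signer's public key from
<selector>._domainkey.<domain> and a signature check, omitted here.
"""
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """Apply the 'relaxed' body canonicalization of RFC 6376 section 3.4.4."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse runs of SP/TAB into one SP and drop whitespace at line ends.
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    canon = "\r\n".join(lines)
    if canon:
        canon += "\r\n"  # a non-empty body always ends with exactly one CRLF
    return canon.encode("utf-8")


def body_hash(body, hash_name="sha256"):
    """Base64 digest of the canonicalized body, i.e. the value of the bh= tag."""
    digest = hashlib.new(hash_name, canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 s3.2)."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            continue
        name = name.strip().lower()
        # Folding whitespace inside base64 tags is insignificant; remove it.
        tags[name] = re.sub(r"\s+", "", value) if name in ("b", "bh") else value.strip()
    return tags


def verify_body_hash(dkim_signature_value, body):
    """True if the bh= tag matches the body; False means the body was altered."""
    tags = parse_dkim_tags(dkim_signature_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # "c=relaxed" alone means body simple
    if body_canon != "relaxed":
        raise ValueError("this example implements only relaxed body canonicalization")
    if "l" in tags:
        raise ValueError("the l= body-length limit is not supported here")
    hash_name = tags.get("a", "rsa-sha256").split("-")[-1]  # rsa-sha256 -> sha256
    return body_hash(body, hash_name) == tags.get("bh")


# Constructed sample body (assumption) with a run of spaces and trailing blank
# lines, both of which relaxed canonicalization normalizes away.
SAMPLE_BODY = (
    "Hi team,\r\n"
    "\r\n"
    "Please wire $100 to account 12345   by Friday.\r\n"
    "\r\n"
    "Thanks,\r\n"
    "Finance\r\n"
    "\r\n"
    "\r\n"
)


def build_signature_stub(body, domain="company.com", selector="google"):
    """A DKIM-Signature value with a real bh= and an empty b= (no signing key here)."""
    return (
        f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};"
        f" h=from:to:subject:date; bh={body_hash(body)}; b="
    )


SIGNED_HEADER = build_signature_stub(SAMPLE_BODY)

if __name__ == "__main__":
    print("original body:", verify_body_hash(SIGNED_HEADER, SAMPLE_BODY))
    print("amount changed:", verify_body_hash(SIGNED_HEADER, SAMPLE_BODY.replace("$100", "$900")))
    print("spaces collapsed:", verify_body_hash(SIGNED_HEADER, SAMPLE_BODY.replace("   by", " by")))
```

Changing the amount in the body fails the check, while collapsing the run of spaces or dropping the trailing blank lines still passes: that tolerance is exactly what c=relaxed buys you when mail passes through relays that reflow whitespace.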
Advantages
- ✓ Detects tampering with the body and signed headers
- ✓ Proves which domain (the d= tag) signed the message
- ✓ Survives forwarding, because it doesn't depend on the sending IP
- ✓ Cannot be forged without the signer's private key
Limitations
- Only proves that the signed parts weren't modified and which domain signed them; it says nothing about the sending server
- Doesn't by itself prevent spoofing of the visible From: address: an attacker can sign with their own domain's key and the signature is still valid; only DMARC checks that the d= domain matches the From: domain
- Relies on proper setup by email provider: the public key must be published under the right selector, keys should be at least 1024-bit RSA, and no relay may rewrite the signed content
- Result: DKIM alone isn't enough
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
What It Does
DMARC ties SPF and DKIM to the From: domain the recipient sees (this is called alignment) and publishes the policy for messages where neither check passes with an aligned domain, along with where to send reports.
Example
Your DMARC record, a TXT record at _dmarc.company.com, says:
v=DMARC1; p=reject; rua=mailto:admin@company.com
Translation: "If neither SPF nor DKIM passes for a domain aligned with the From: address, reject the email. Send aggregate reports to admin@company.com."
How It Works
Email arrives with From: someone@your-domain.com
↓
Server looks up the TXT record at _dmarc.your-domain.com
↓
Server checks SPF - Did the sending IP pass, and does the MAIL FROM domain align with the From: domain?
Server checks DKIM - Is there a valid signature, and does its d= domain align with the From: domain?
↓
Neither check passed with an aligned domain?
↓
Apply policy:
- p=none: Deliver (but report it)
- p=quarantine: Treat as suspicious, typically the spam folder
- p=reject: Refuse the message at SMTP time
↓
Send aggregate reports to the rua address
Policy Options
p=none
- Email delivered normally
- Reports sent for monitoring
- Good for initial testing
p=quarantine
- Failed emails go to spam
- Provides some protection
- Good for intermediate testing; add pct= (for example pct=25) to apply the policy to only a fraction of failing mail while ramping up
p=reject
- Failing emails are refused outright at SMTP time
- Maximum protection
- Use after thorough testing
Advantages
- ✓ Enforces SPF/DKIM checks
- ✓ Provides reporting
- ✓ Prevents exact-domain spoofing of your From: address (lookalike domains are a separate problem it does not address)
- ✓ Alerts you to issues
How They Work Together
Scenario 1: Attacker Tries to Spoof You
Attacker sends email from attacker-server.com
claiming to be from your-domain.com
↓ SPF Check
"Is the sending IP listed in your-domain.com's SPF record?"
No → FAIL
↓ DKIM Check
"Is the email signed with a key published under your-domain.com?"
No → FAIL
↓ DMARC Policy
"Neither check passed with a domain aligned to the From: header"
Action: REJECT
Result: ✓ Email blocked
Scenario 2: Legitimate Third-Party Sender
Mailchimp sends newsletter from YOUR domain
(you authorized this by adding its servers to your SPF record and publishing its DKIM key under your domain)
↓ SPF Check
"Is Mailchimp's sending IP authorized?"
Yes → PASS
↓ DKIM Check
"Is the email signed with the key you published for Mailchimp under your domain?"
Yes → PASS
↓ DMARC Policy
"At least one check passed and aligns with your From: domain (one is enough)"
Action: DELIVER
Result: ✓ Email delivered
Scenario 3: Your Employee Sends Email
Your employee sends from company mail server
↓ SPF Check
"Is your company server authorized?"
Yes → PASS
↓ DKIM Check
"Is it signed with your domain key?"
Yes → PASS
↓ DMARC Policy
"Both passed and aligned"
Action: DELIVER
Result: ✓ Email delivered
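The DMARC decision described under How It Works and walked through in the three scenarios above, as an added example (not code from the original page): a Python evaluator that takes the SPF and DKIM results a receiver has already computed, looks up the DMARC record, checks identifier alignment and returns the disposition. DNS is replaced by a constructed table of records, organizational domains come from a tiny hard-coded suffix set standing in for the Public Suffix List, and pct= sampling is not applied; all domain names in it are made up for the example.

```python
"""DMARC evaluation (RFC 7489): record lookup, identifier alignment, disposition.

Added example, not the page's own code. DNS is a constructed table and the
Public Suffix List is approximated by a small hard-coded set; pct= sampling
is not applied.
"""

# Constructed sample DMARC records (assumption), keyed by the _dmarc name.
DMARC_TXT = {
    "_dmarc.company.com": "v=DMARC1; p=reject; rua=mailto:admin@company.com",
    "_dmarc.promo.example": "v=DMARC1; p=quarantine; sp=none; adkim=s; aspf=s",
}

# Stand-in for the Public Suffix List (assumption): enough for these examples.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def org_domain(domain):
    """Organizational domain: one label to the left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict; None if it is not a valid record."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def lookup_dmarc(from_domain):
    """RFC 7489 s6.6.3: try _dmarc.<From domain>, then _dmarc.<org domain>.

    Returns (policy, found_at_org_domain); the second value tells whether sp= applies."""
    candidates = [from_domain.lower()]
    org = org_domain(from_domain)
    if org != candidates[0]:
        candidates.append(org)
    for name in candidates:
        record = DMARC_TXT.get(f"_dmarc.{name}")
        policy = parse_dmarc(record) if record else None
        if policy:
            return policy, name != candidates[0]
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_d_domain):
    """Decide the DMARC result and disposition for one message.

    from_domain:     domain of the visible From: header
    spf_result:      'pass'/'fail'/... for the SMTP MAIL FROM domain mailfrom_domain
    dkim_result:     'pass'/'fail'/'none' for a signature whose d= is dkim_d_domain
    """
    policy, at_org = lookup_dmarc(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_aligned = spf_result == "pass" and aligned(from_domain, mailfrom_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_d_domain, policy.get("adkim", "r"))
    verdict = {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:  # one aligned pass is enough
        verdict.update(dmarc="pass", disposition="none")
        return verdict
    # Record found at the org domain for a subdomain From: sp= applies when present.
    requested = policy.get("sp", policy["p"]) if at_org else policy["p"]
    verdict.update(dmarc="fail", disposition=requested.lower())
    return verdict


if __name__ == "__main__":
    print("spoof:   ", evaluate_dmarc("company.com", "fail", "attacker-server.com", "none", None))
    print("esp:     ", evaluate_dmarc("company.com", "pass", "bounce.esp-provider.net", "pass", "company.com"))
    print("employee:", evaluate_dmarc("mail.company.com", "pass", "mail.company.com", "pass", "company.com"))
```

The third-party case shows why alignment matters: a newsletter service usually passes SPF for its own bounce domain in MAIL FROM, which does not align with your From: domain, so the message passes DMARC only because the DKIM signature carries d=company.com. With aspf=s and adkim=s, as in the second record, even a subdomain in MAIL FROM or d= is not enough.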
Which Do You Need?
Minimum
- SPF - Required
- DKIM - Required
- DMARC - Required
You cannot choose. DMARC passes on a single aligned check, but you deploy both SPF and DKIM because each covers the other's gap: SPF breaks when mail is forwarded, and DKIM fails when a relay rewrites the message.
Implementation Order
1. Start with SPF
   - List all authorized mail servers, including third-party services
   - Takes 5-10 minutes
   - Your email provider supplies the include: entry for its servers; you publish the TXT record
2. Add DKIM
   - Usually set up by email provider
   - Most services include it (Google Workspace, Office 365, etc.)
   - Verify it's configured and that the public key record is published
3. Implement DMARC
   - Add DMARC record
   - Start with p=none
   - Progress to stricter policies
Real-World Setup
For Google Workspace
Google Workspace supplies the SPF entry and generates a DKIM key for you, but the DNS records live in your zone. You need to:
- Publish the SPF TXT record Google gives you (v=spf1 include:_spf.google.com ~all)
- Generate the DKIM key in the Admin console, publish the google._domainkey TXT record, then turn on signing
- Add DMARC record (you control this)
For Office 365
Microsoft supplies the SPF entry and the DKIM selectors, but again the DNS records are yours to publish. You need to:
- Publish the SPF TXT record (v=spf1 include:spf.protection.outlook.com -all)
- Publish the two DKIM CNAME records (selector1 and selector2) and enable DKIM signing for the domain
- Add DMARC record (you control this)
For Self-Hosted
- Configure SPF (list your server's IPs)
- Configure DKIM (generate a key pair, publish the public key at selector._domainkey.yourdomain, sign outgoing mail)
- Add DMARC record at _dmarc.yourdomain
Testing
Before enforcing DMARC, test with:
- Send test email from your domain to a mailbox at a large provider
- Have someone forward the full email headers to you
- Read the Authentication-Results header the receiving server added; it reports the spf=, dkim= and dmarc= results and which domains they were evaluated for
- Use DMARC analyzer tools to check headers
- Verify SPF, DKIM, and DMARC all pass
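The header check in the last two steps, as an added example (not code from the original page): a Python parser for the Authentication-Results header defined in RFC 8601 that pulls out the spf=, dkim= and dmarc= results and their properties, and a helper that reports whether all three passed. The two header values are constructed for the example in the shape receivers such as Google's MX add to delivered mail; they are not captured from real messages.

```python
"""Parse an Authentication-Results header (RFC 8601) and check SPF, DKIM and DMARC.

Added example, not the page's code. The sample header values are
constructed for this example, not captured from a real message.
"""
import re


def strip_comments(value):
    """Remove (possibly nested) parenthesized comments such as '(p=REJECT ...)'."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_auth_results(header_value):
    """Return (authserv_id, {method: {'result': ..., 'header.from': ..., ...}})."""
    value = re.sub(r"\s+", " ", strip_comments(header_value)).strip()  # unfold and tidy
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]  # e.g. 'mx.google.com'; a version number may follow
    results = {}
    for resinfo in parts[1:]:
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        method = method.split("/")[0].lower()  # drop an optional method version
        entry = {"result": result.lower()}
        for token in tokens[1:]:  # property=value pairs such as header.from=...
            prop, sep, val = token.partition("=")
            if sep:
                entry[prop.lower()] = val
        results[method] = entry
    return authserv_id, results


def all_pass(header_value):
    """True only if spf, dkim and dmarc all report pass."""
    _, results = parse_auth_results(header_value)
    return all(results.get(m, {}).get("result") == "pass" for m in ("spf", "dkim", "dmarc"))


# Constructed sample (assumption): a correctly authenticated message.
SAMPLE_PASS = (
    "mx.google.com;"
    " dkim=pass header.i=@company.com header.s=google header.b=Ab12Cd34;"
    " spf=pass (google.com: domain of bounce@company.com designates 203.0.113.10"
    " as permitted sender) smtp.mailfrom=bounce@company.com;"
    " dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=company.com"
)

# Constructed sample (assumption): SPF and DKIM pass for the attacker's own
# domain, but neither aligns with header.from, so DMARC fails.
SAMPLE_SPOOF = (
    "mx.google.com; spf=pass smtp.mailfrom=news@attacker.example;"
    " dkim=pass header.i=@attacker.example header.s=s1;"
    " dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=company.com"
)

if __name__ == "__main__":
    for label, header in (("legitimate", SAMPLE_PASS), ("spoofed", SAMPLE_SPOOF)):
        authserv, results = parse_auth_results(header)
        print(label, "checked by", authserv)
        for method, entry in results.items():
            print(f"  {method}={entry['result']}", {k: v for k, v in entry.items() if k != "result"})
        print("  all pass:", all_pass(header))
```

When reading these headers by hand, compare the domains and not just the results: in the second sample spf=pass and dkim=pass are both genuine, but smtp.mailfrom and header.i belong to attacker.example while header.from is company.com, which is exactly the case DMARC alignment exists to catch.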
Troubleshooting
SPF Failing?
- List every server authorized to send from your domain, including third-party services (Mailchimp, SendGrid, etc.)
- Stay under the 10 DNS-lookup limit: every include:, a, mx, ptr, exists and redirect= term counts, and exceeding it is a permerror that DMARC treats as a failed check; flatten includes into ip4:/ip6: entries if needed
- Remember that SPF is evaluated on the MAIL FROM domain and fails on forwarded mail, which is why you also need DKIM
DKIM Failing?
- Verify DKIM signing is enabled in your email system
- Check that the public key published at selector._domainkey.yourdomain matches the private key in use
- Ensure the selector (s=) in the signature matches the published record, and that no relay rewrites the body or signed headers
DMARC Failing?
- Ensure SPF and DKIM are properly configured first
- Check alignment: the From: domain must match either the SPF MAIL FROM domain or the DKIM d= domain (same organizational domain in relaxed mode, exact match in strict mode)
- Start with p=none and read the aggregate reports before enforcing
Summary
- SPF = "Can this server send for this domain?"
- DKIM = "Was this email signed by the domain and left unmodified?"
- DMARC = "What should I do if neither check passes for my From: domain?"
All three work together to secure your domain.
Ready to set up DMARC?
Start your free trial and we’ll guide you through the process.
DMARC Nerd Team
P.S. - We make this easy. Our guides cover every step and answer common questions.