SPF vs DKIM vs DMARC

SPF, DKIM, and DMARC are often mentioned in the same breath, and for good reason — they are three layers of the same defence against email spoofing. They are not alternatives to choose between; each covers a gap the others leave open. Here is what each does and how they combine.

Three layers, one goal

All three are published as DNS records, and all three exist to answer one question for a receiving server: is this message really from the domain it claims? Each answers a different part of it.

SPF — who may send

SPF publishes the list of servers authorized to send mail for your domain. The receiver checks whether the connecting server is on that list. Its blind spot: SPF validates the envelope sender (the Return-Path address, which recipients never see), not the From address shown in the mail client, and it breaks when mail is forwarded, because the forwarding server is not on your list.

DKIM — was it altered

DKIM signs each message with a private key and publishes the matching public key in DNS, so the receiver can confirm the message was not modified in transit. Because the signature travels with the message, it survives forwarding better than SPF; but on its own a valid signature proves only that the signing domain signed the message, and that domain does not have to match the visible From address.

DMARC — enforcement and reporting

DMARC closes the gap. It requires that the domain passing SPF or DKIM aligns with the From address users see, tells receivers what to do with mail that fails (none, quarantine, or reject), and has receivers email you reports on everyone sending as your domain.
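The three checks described above, combined the way a receiving server combines them, as an added example in Python (this is illustrative code written for this page, not ZoneWatcher's code or any mail server's implementation). It embeds constructed TXT records for the hypothetical domains example.com and thirdparty.example, a simplified SPF evaluator (ip4/ip6, include, all), and a DKIM step that only extracts the signing domain and checks the key record exists; the cryptographic verification of the signature is assumed to have already happened and its outcome is passed in. The organizational-domain logic is a simplification (real DMARC uses the Public Suffix List). Three constructed messages show the page's points: a legitimate message passes all three, a forwarded copy fails SPF but still passes DMARC through DKIM, and a spoofed message passes SPF and DKIM for the sender's own domain yet is rejected because neither aligns with the From address.

```python
import ipaddress

# Constructed DNS TXT records (placeholder key material), embedded so the
# example runs offline; a real receiver would look these up in DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    # A third party with its own, perfectly valid SPF and DKIM setup.
    "thirdparty.example": "v=spf1 ip4:203.0.113.5 -all",
    "k1._domainkey.thirdparty.example": "v=DKIM1; k=rsa; p=PLACEHOLDER_OTHER_KEY",
}


def txt(name):
    return DNS_TXT.get(name.lower())


def parse_tags(record):
    """Parse the 'k=v; k2=v2' tag lists used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_check(domain, client_ip, depth=0):
    """SPF: may client_ip send for the envelope (MAIL FROM) domain?
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = txt(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no record, or an include loop (simplified guard)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return result
        elif mech.startswith("include:"):
            if spf_check(mech[8:], client_ip, depth + 1) == "pass":
                return result
        elif mech == "all":
            return result
    return "neutral"


def dkim_check(dkim_signature, signature_valid):
    """DKIM: take d= (signing domain) and s= (selector) from the DKIM-Signature
    header and confirm a key record is published. Signature verification over
    the message itself is assumed done; its result arrives as signature_valid."""
    tags = parse_tags(dkim_signature)
    d, s = tags.get("d"), tags.get("s")
    if not d or not s:
        return "fail", None
    key_record = txt(f"{s}._domainkey.{d}")
    if key_record is None or "p=" not in key_record:
        return "fail", d
    return ("pass" if signature_valid else "fail"), d


def organizational_domain(domain):
    # Simplification: last two labels stand in for the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_evaluate(msg):
    """Combine the three layers for one message and return the disposition."""
    from_domain = msg["from_header"].rsplit("@", 1)[1]
    spf_domain = msg["mail_from"].rsplit("@", 1)[1]
    spf = spf_check(spf_domain, msg["client_ip"])
    dkim, dkim_domain = dkim_check(msg["dkim_signature"], msg["dkim_valid"])
    policy_record = txt(f"_dmarc.{from_domain}")
    if policy_record is None:  # no DMARC: SPF/DKIM results carry no policy
        return {"spf": spf, "dkim": dkim, "dmarc": "none", "disposition": "deliver"}
    policy = parse_tags(policy_record)
    spf_ok = spf == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    p = policy.get("p", "none")
    # p=none is monitor mode: failures are only reported, never acted on.
    disposition = "deliver" if dmarc == "pass" or p == "none" else p
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc, "disposition": disposition}


# Constructed messages. Signature fields are placeholders.
LEGIT = {"client_ip": "198.51.100.10", "mail_from": "bounces@example.com",
         "from_header": "billing@example.com", "dkim_valid": True,
         "dkim_signature": "v=1; a=rsa-sha256; d=example.com; s=s1; bh=...; b=..."}
FORWARDED = dict(LEGIT, client_ip="203.0.113.77")  # relayed by a server not in SPF
SPOOF = {"client_ip": "203.0.113.5", "mail_from": "x@thirdparty.example",
         "from_header": "ceo@example.com", "dkim_valid": True,
         "dkim_signature": "v=1; a=rsa-sha256; d=thirdparty.example; s=k1; bh=...; b=..."}

if __name__ == "__main__":
    for name, m in (("legitimate", LEGIT), ("forwarded", FORWARDED), ("spoofed", SPOOF)):
        print(f"{name:11} {dmarc_evaluate(m)}")
```

Run it as a script to see the three verdicts side by side. The spoofed case is the one worth studying: both SPF and DKIM report "pass", and only the alignment step in dmarc_evaluate turns that into a reject, which is exactly the gap the page says DMARC closes.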

At a glance

|                   | SPF                          | DKIM                       | DMARC                       |
|-------------------|------------------------------|----------------------------|-----------------------------|
| What it checks    | Sending server is authorized | Message not altered        | Alignment with From address |
| DNS record        | TXT at apex                  | TXT at selector._domainkey | TXT at _dmarc               |
| Enforces a policy | No                           | No                         | Yes                         |

Set them up in order

Start with SPF and DKIM, then layer DMARC on top, beginning in monitor mode. ZoneWatcher's SPF, DKIM, and DMARC monitors then keep all three valid as your senders change.

Never miss a DNS change again.
Start monitoring in minutes.