SPF vs DKIM vs DMARC Explained
The three layers of email authentication
Email was designed without built-in authentication. Anyone can send an email claiming to be from any domain. SPF, DKIM, and DMARC were added over time to fix this. Each solves a different part of the problem, and they work together as a system.
SPF: Sender Policy Framework
SPF is a DNS record that lists which IP addresses are allowed to send email for your domain. When a receiving server gets an email, it checks the sending server's IP against your SPF record. If the IP is listed, SPF passes. If not, SPF fails.
How SPF works
- You publish a TXT record at your domain, for example:
  v=spf1 include:_spf.google.com include:spf.mtasv.net -all
- This says: "Google and Postmark are authorized to send email for my domain. Treat everything else as a hard fail." The -all at the end is what makes it a hard fail; ~all would be a soft fail (marked suspicious rather than rejected).
- Receiving servers look up this record and check whether the sending IP is covered.
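The evaluation a receiving server performs, as an added example that is not part of the original page or of AcornDMARC's product: a small offline SPF evaluator in Python. It runs against a constructed DNS fixture (the yourdomain.example zone and its includes are hypothetical, and the IPs come from documentation ranges) instead of live lookups, supports the ip4, ip6, include, redirect and all terms, and enforces the 10-lookup limit from RFC 7208.

```python
import ipaddress

# Constructed DNS fixture standing in for live TXT lookups (hypothetical zones,
# documentation-range IPs). Shaped like the record in the text: third-party
# includes plus a hard-fail "all".
DNS_TXT = {
    "yourdomain.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example include:spf.relay.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "spf.relay.example": "v=spf1 ip4:192.0.2.200 -all",
}
# A chain of includes that is one hop too deep, to show the lookup limit.
for i in range(12):
    DNS_TXT[f"hop{i}.example"] = f"v=spf1 include:hop{i + 1}.example -all"

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _count_lookup(state):
    """Count one DNS-querying term; False once the limit is exceeded."""
    state["lookups"] += 1
    return state["lookups"] <= MAX_DNS_LOOKUPS


def _evaluate(addr, domain, txt_lookup, state):
    record = txt_lookup(domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for this domain
    for term in terms[1:]:
        # Modifiers (redirect=, exp=) carry '='; mechanisms use ':' or nothing.
        if "=" in term.split(":", 1)[0]:
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                if not _count_lookup(state):
                    return "permerror"
                return _evaluate(addr, value, txt_lookup, state)
            continue  # exp= and unknown modifiers do not affect the result
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/", 1)[0].lower()  # "a/24" style prefix lengths
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in net:  # False when the address families differ
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include":
            if not _count_lookup(state):
                return "permerror"
            sub = _evaluate(addr, arg, txt_lookup, state)
            if sub == "pass":
                return QUALIFIER_RESULT[qualifier]
            if sub == "none":
                return "permerror"  # included domain has no SPF record
            if sub in ("permerror", "temperror"):
                return sub
            # fail / softfail / neutral inside an include is simply "no match"
        elif mech in ("a", "mx", "exists", "ptr"):
            # These need live A/MX/PTR lookups; this offline demo only counts
            # them against the limit and treats them as non-matching.
            if not _count_lookup(state):
                return "permerror"
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and no "all" term present


def check_spf(ip, domain, txt_lookup=DNS_TXT.get):
    """Evaluate sender IP against the domain's SPF record.

    Returns (result, number_of_dns_lookups_used)."""
    state = {"lookups": 0}
    result = _evaluate(ipaddress.ip_address(ip), domain, txt_lookup, state)
    return result, state["lookups"]


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "2001:db8:1::1", "192.0.2.55"):
        print(ip, check_spf(ip, "yourdomain.example"))
    print("hop0.example", check_spf("203.0.113.9", "hop0.example"))
```

Checking a forwarder's address such as 192.0.2.55 returns fail, which is the forwarding breakage described in the limitations section below; hop0.example shows how an include chain that exceeds the lookup limit produces a permerror rather than a pass, a common surprise for domains that accumulate many third-party includes.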
SPF limitations
SPF checks the envelope sender (the Return-Path, also called the MAIL FROM domain), not the From header that users see. This means SPF can pass even when the visible From address is spoofed. SPF also breaks when email is forwarded, because the forwarding server's IP is not in your SPF record. Finally, a record may trigger at most 10 DNS lookups (include, a, mx, ptr, exists and redirect all count); exceeding that limit yields a permanent error rather than a pass, so domains with many third-party includes need to keep the record pruned.
DKIM: DomainKeys Identified Mail
DKIM adds a cryptographic signature to outgoing email. The sending server signs selected headers and a hash of the body with a private key, and the domain owner publishes the corresponding public key in DNS. Receiving servers verify the signature to confirm that the signed headers and body were not altered in transit and that the signer holds the private key for the signing domain.
How DKIM works
- Your email provider signs each outgoing message and adds a DKIM-Signature header.
- The DKIM-Signature header names the signing domain (d=) and a selector (s=). Together they form the DNS name where the public key lives, e.g., google._domainkey.yourdomain.com for selector google on yourdomain.com.
- Receiving servers look up the public key at that name and verify the signature.
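The body-integrity half of that verification, as an added example that is not part of the original page or of AcornDMARC's product: Python that parses a DKIM-Signature header, derives the DNS name for the public key from its s= and d= tags, applies the body canonicalization named in c= (simple or relaxed, per RFC 6376), and checks the bh= body hash. The sample message is constructed here, yourdomain.example is hypothetical, and the b= value is a placeholder: verifying the RSA signature over the headers needs the public key from DNS, which this offline example leaves out.

```python
import base64
import hashlib
import hmac
import re


def split_message(raw):
    """Split a CRLF-delimited message into (unfolded header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += line  # unfold a continuation line onto its header
        else:
            headers.append(line)
    return headers, body


def get_header(headers, name):
    for h in headers:
        field, _, value = h.partition(":")
        if field.strip().lower() == name.lower():
            return value
    return None


def parse_dkim_signature(value):
    """Turn the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        k, _, v = part.partition("=")  # first '=' only; base64 padding follows
        tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace is not significant
    return tags


def canon_body(body, mode="simple"):
    """RFC 6376 body canonicalization: 'simple' or 'relaxed'."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # collapse runs of WSP to one space, drop trailing WSP on each line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()  # ignore empty lines at the end of the body
    if not lines:
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode):
    digest = hashlib.sha256(canon_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_dns_name(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signature_tags(raw):
    headers, _ = split_message(raw)
    sig = get_header(headers, "DKIM-Signature")
    return parse_dkim_signature(sig) if sig is not None else None


def verify_body_hash(raw):
    """True when the bh= tag matches the canonicalized body actually received."""
    tags = signature_tags(raw)
    if tags is None or "bh" not in tags:
        return False
    parts = tags.get("c", "simple").split("/")
    body_mode = parts[1] if len(parts) > 1 else "simple"  # "relaxed" alone means relaxed/simple
    _, body = split_message(raw)
    return hmac.compare_digest(body_hash(body, body_mode), tags["bh"])


SAMPLE_BODY = "Hello Bob,\r\n\r\nPlease find the invoice attached.\r\n"


def build_sample_message(body, footer=""):
    """Constructed sample message; bh= is computed over `body`, then `footer`
    is appended afterwards to simulate modification in transit."""
    bh = body_hash(body, "relaxed")
    headers = (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.example;\r\n"
        f"\ts=google; h=from:to:subject; bh={bh};\r\n"
        "\tb=PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n"
        "From: Alice <alice@yourdomain.example>\r\n"
        "To: bob@example.net\r\n"
        "Subject: Invoice\r\n"
    )
    return headers + "\r\n" + body + footer


if __name__ == "__main__":
    msg = build_sample_message(SAMPLE_BODY)
    print(dkim_dns_name(signature_tags(msg)))
    print("intact:", verify_body_hash(msg))
    print("footer added:", verify_body_hash(build_sample_message(SAMPLE_BODY, "-- \r\nSent via list\r\n")))
```

Appending only blank lines leaves the relaxed body hash unchanged, which is why plain forwarding usually keeps DKIM intact, while a mailing-list footer changes the canonical body and the check fails.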
DKIM advantages over SPF
DKIM survives forwarding. When an email is forwarded, the DKIM signature stays intact as long as the signed headers and the body are not modified, so it verifies even though the forwarder's IP would fail SPF. Mailing lists that add footers or rewrite the Subject line are the common exception. DKIM also verifies message integrity, not just the sender's IP.
DMARC: tying it all together
DMARC builds on top of SPF and DKIM. It adds two critical things that neither protocol provides alone:
1. Alignment
DMARC requires that SPF or DKIM not only pass, but also align with the domain in the From header. This closes the gap where SPF checks the envelope sender but not the visible From address. With DMARC, the domain that passed SPF (the Return-Path domain) or DKIM (the d= domain) must match the domain the user sees in the From field: exactly, under strict alignment (aspf=s or adkim=s), or by sharing the same organizational domain, under relaxed alignment (the default), so that mail.yourdomain.com aligns with yourdomain.com in relaxed mode but not in strict mode.
2. Policy and reporting
DMARC lets you tell receiving servers what to do when authentication fails, via the p= tag in your record: deliver normally (p=none), send to spam (p=quarantine), or block entirely (p=reject). It also enables aggregate reporting (rua=): participating receivers send you a daily XML summary of the mail they saw using your domain, grouped by sending IP, with the SPF, DKIM and alignment results for each source.
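The alignment and policy logic from the two points above, as an added example that is not part of the original page or of AcornDMARC's product: a Python DMARC evaluator that discovers the policy record (From domain first, then its organizational domain, as in RFC 7489), applies strict or relaxed alignment to the SPF and DKIM results, and picks the disposition from p= or sp=. The DMARC record, the yourdomain.example domains and the tiny public-suffix set are constructed for the example; a real implementation uses the full Public Suffix List for organizational domains and honours pct=, which is parsed but not sampled here.

```python
# Constructed DNS fixture: a hypothetical DMARC record, not a live lookup.
DMARC_TXT = {
    "_dmarc.yourdomain.example": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; pct=100; "
        "rua=mailto:dmarc-reports@yourdomain.example"
    ),
}

# Toy stand-in for the Public Suffix List (assumption for this example only).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def organizational_domain(domain):
    """Longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    tags.setdefault("pct", "100")
    return tags


def discover_policy(from_domain, txt_lookup=DMARC_TXT.get):
    """Try _dmarc.<From domain>, then _dmarc.<organizational domain>."""
    candidates = dict.fromkeys([from_domain.lower(), organizational_domain(from_domain)])
    for candidate in candidates:
        rec = txt_lookup(f"_dmarc.{candidate}")
        tags = parse_dmarc_record(rec) if rec else None
        if tags:
            return candidate, tags
    return None, None


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(from_domain, spf, dkim_sigs, txt_lookup=DMARC_TXT.get):
    """spf: (result, Return-Path domain); dkim_sigs: list of (result, d= domain).

    Returns the DMARC result and the disposition a receiver would apply."""
    policy_domain, tags = discover_policy(from_domain, txt_lookup)
    verdict = {"policy_domain": policy_domain, "spf_aligned": False,
               "dkim_aligned": False, "result": "none", "disposition": "none"}
    if tags is None:
        return verdict  # no DMARC record: nothing to enforce
    spf_result, spf_domain = spf
    verdict["spf_aligned"] = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    verdict["dkim_aligned"] = any(
        r == "pass" and aligned(d, from_domain, tags["adkim"]) for r, d in dkim_sigs
    )
    if verdict["spf_aligned"] or verdict["dkim_aligned"]:
        verdict["result"] = "pass"
        return verdict
    verdict["result"] = "fail"
    # Record found at the organizational domain for a subdomain From: sp= applies.
    verdict["disposition"] = tags["sp"] if from_domain.lower() != policy_domain else tags["p"]
    return verdict


if __name__ == "__main__":
    # Spoof: attacker's own domain passes SPF, but it does not align with From.
    print(evaluate_dmarc("yourdomain.example", ("pass", "attacker.example"), []))
    # Forwarded mail: SPF fails on the forwarder's IP, aligned DKIM still passes.
    print(evaluate_dmarc("yourdomain.example", ("fail", "yourdomain.example"),
                         [("pass", "yourdomain.example")]))
```

The third-party sender case is the one that trips people up: with aspf=s, an ESP that uses its own Return-Path domain passes SPF without aligning, so only an aligned DKIM signature (d= on your domain or, in relaxed mode, a subdomain of it) carries the message to a DMARC pass.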
Why you need all three
SPF alone does not prevent spoofing of the visible From address. DKIM alone does not tell receiving servers what to do when verification fails. DMARC alone does nothing without SPF or DKIM results to evaluate. The three protocols form a complete system:
- SPF authorizes which servers can send.
- DKIM proves the message is authentic and unaltered.
- DMARC enforces policy based on SPF/DKIM results and generates reports.
AcornDMARC monitors all three. Your dashboard shows SPF alignment, DKIM alignment, and overall DMARC pass rates for every sender, so you can identify and fix issues before tightening your policy.
Frequently asked questions
Can I use DMARC without DKIM?
Technically yes. DMARC passes if either SPF or DKIM passes with alignment. But relying on SPF alone is fragile: SPF breaks when email is forwarded, and many third-party senders use their own Return-Path domain, so SPF passes but does not align with your From domain. We strongly recommend setting up both SPF and DKIM before enabling DMARC.
What is DMARC alignment?
Alignment means the domain that passes SPF or DKIM matches the domain in the email's From header. Without alignment, an attacker could pass SPF using their own domain while spoofing yours in the From field. DMARC alignment closes this gap.
Which should I set up first: SPF, DKIM, or DMARC?
Set up SPF first (it is a single DNS record), then DKIM (usually configured through your email provider), then DMARC last. DMARC depends on SPF and DKIM being in place to evaluate results. Publish DMARC at p=none first and read the aggregate reports until every legitimate sender aligns, then move to quarantine and finally reject.
Does DMARC protect against phishing?
Once your policy is quarantine or reject, DMARC stops attackers from spoofing your exact domain in the From header at receivers that enforce it. It does not prevent lookalike domains (e.g., yourdomian.com instead of yourdomain.com) or display-name spoofing, where the visible name says your company but the address is an unrelated domain. For full phishing protection, combine DMARC with user awareness training.