SPF, DKIM, and DMARC are three email authentication protocols that work together to protect your domain from spoofing and phishing. Each solves a different part of the problem — and you need all three for complete protection.
The Email Authentication Stack
Quick Comparison
| | SPF | DKIM | DMARC |
|---|---|---|---|
| What it does | Lists authorised sending IPs | Digitally signs emails | Sets policy + enables reporting |
| DNS record | TXT at domain root | TXT at selector._domainkey | TXT at _dmarc |
| What it checks | Sending server IP | Email signature + integrity | SPF/DKIM alignment with From: |
| Survives forwarding? | ❌ No — IP changes | ✅ Usually — signature travels with email | Depends on SPF/DKIM results |
| Verifies content integrity? | ❌ No | ✅ Yes — detects tampering | ❌ No (relies on DKIM) |
| Provides reports? | ❌ No | ❌ No | ✅ Yes — aggregate + forensic |
| Tells receivers what to do on fail? | Partially (-all) | ❌ No | ✅ Yes — none/quarantine/reject |
| Setup difficulty | Easy — write a TXT record | Medium — provider generates keys | Easy — write a TXT record |
How They Work Together
Here’s what happens when someone receives an email claiming to be from your domain:
1. The receiving server looks up your SPF record and checks if the sending server’s IP is authorised. Result: Pass or Fail.
2. The receiver looks up the DKIM public key in DNS and verifies the signature in the email header. Result: Pass or Fail.
3. DMARC checks whether at least one of SPF or DKIM both passes and aligns with the From: domain. If neither passes with alignment, DMARC fails.
4. If DMARC fails, the receiving server applies your policy: deliver anyway (none), send to spam (quarantine), or block (reject). A report is sent to you either way.
Why You Need All Three
SPF alone
An attacker can pass SPF with their own domain while spoofing your From: address. SPF also breaks when email is forwarded. No reporting.
SPF + DKIM (no DMARC)
Better — emails are signed and sender IPs are checked. But there’s no alignment check and no reporting. Receivers decide on their own what to do with failures.
SPF + DKIM + DMARC
Complete protection. Authentication is verified AND aligned with the visible From: domain. You control what happens to failures. You get reports showing who’s using your domain.
Real-World Scenario
Imagine you run acme.com and an attacker sends a phishing email pretending to be you:
The fake email:
Return-Path: attacker@evil.com
Subject: Urgent wire transfer needed
What happens at each check:
- SPF: Checks evil.com’s IP against acme.com’s SPF → FAIL (wrong server)
- DKIM: No valid DKIM signature for acme.com → FAIL (not signed with acme.com’s key)
- DMARC: Neither SPF nor DKIM passed with alignment → FAIL
- Policy: p=reject → EMAIL BLOCKED 🚫
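
The evaluation described under "How They Work Together", applied to the acme.com scenario, as an added example that is not part of the original page. The function names are hypothetical; SPF is evaluated against the Return-Path domain, the organizational domain is approximated as the last two labels (an assumption, real receivers use the Public Suffix List), and the pct and sp tags are ignored.

```python
# Added example (not from the original page): simplified DMARC evaluation.
# Assumption: org_domain() keeps the last two labels; real receivers use the
# Public Suffix List, so this is wrong for suffixes such as co.uk.
ACTIONS = {"none": "deliver", "quarantine": "spam", "reject": "block"}

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ACTIONS:
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags

def org_domain(domain):
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match; 'r' (default) = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(from_domain, spf, dkim, record):
    """spf: (result, Return-Path domain); dkim: list of (result, d= domain).
    Returns (dmarc_result, action the receiver takes)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for result, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS[tags["p"]]

# Constructed inputs modelled on the acme.com scenario.
RECORD = "v=DMARC1; p=reject"
# Attacker passes SPF for their own Return-Path domain, but it does not align.
PHISH = evaluate_dmarc("acme.com", ("pass", "evil.com"), [], RECORD)
# Forwarded genuine mail: SPF breaks, the aligned DKIM signature still passes.
FORWARDED = evaluate_dmarc("acme.com", ("fail", "acme.com"),
                           [("pass", "mail.acme.com")], RECORD)

if __name__ == "__main__":
    print("phish:", PHISH)
    print("forwarded:", FORWARDED)
```

Setting `adkim=s` in the record makes the `mail.acme.com` signature stop aligning, which is why strict alignment should only be published once every sender signs with the exact From: domain.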