SPF, DKIM, and DMARC are three systems that work together to protect your business email from being faked. Each one solves a different part of the problem — and you need all three for proper protection. Here’s what they do, how they’re different, and why they need each other.
Three Systems That Protect Your Email
At a Glance
| SPF — The Guest List | DKIM — The Wax Seal | DMARC — The Rulebook | |
|---|---|---|---|
| What it does | Lists which servers are allowed to send email as your domain | Adds a digital seal to emails proving they’re genuine | Tells receivers what to do when SPF or DKIM fail, and sends you reports |
| Where it lives | A text entry in your domain’s settings (DNS) | A text entry at selector._domainkey in DNS |
A text entry at _dmarc in DNS |
| What it checks | Which server actually sent the email | Whether the email is signed and unmodified | Whether SPF or DKIM results match the “From” address the recipient sees |
| Survives forwarding? | ❌ No — when email is forwarded, the sending server changes | ✅ Usually — the digital seal travels with the email | Depends on whether SPF or DKIM still passes |
| Detects tampering? | ❌ No | ✅ Yes — if someone changes the email, the seal breaks | ❌ No (relies on DKIM for that) |
| Sends you reports? | ❌ No | ❌ No | ✅ Yes — shows you who’s sending email as your domain |
| Tells receivers what to do when checks fail? | Partly (-all suggests reject) |
❌ No | ✅ Yes — monitor / send to spam / block entirely |
| How hard is it to set up? | Easy — add a text entry to your DNS | Medium — your email provider generates the keys, you publish them | Easy — add a text entry to your DNS |
How They Work Together
Here’s what happens when someone receives an email claiming to be from your domain:
The recipient’s email provider looks up your authorised sender list and checks whether the server that actually sent the email is on it. Result: Pass or Fail.
The recipient’s email provider looks up the verification key you’ve published and checks whether the digital seal on the email is genuine and the email hasn’t been altered. Result: Pass or Fail.
DMARC checks whether at least one of the previous checks both passed AND matches the “From” address your recipient actually sees. This matching is what makes DMARC powerful — without it, a scammer could pass SPF using their own domain while spoofing yours in the visible “From” field. (The technical term for this matching is “alignment”.)
If DMARC fails, the recipient’s email provider follows your instructions: deliver anyway (monitor mode), send to spam (quarantine), or block it (reject). Either way, a report is sent to you so you can see what happened.
Why You Need All Three
SPF alone isn’t enough
A scammer can set up their own server with their own SPF record and still put your name in the “From” field that recipients see. SPF also breaks when email is forwarded. And you get no reports telling you what’s happening.
SPF + DKIM is better, but incomplete
Emails are signed and sender servers are checked — that’s good. But there’s no matching check against the “From” address (so spoofing the visible address is still possible), no reporting, and receivers decide on their own what to do with failures.
SPF + DKIM + DMARC = complete protection
Emails are verified AND matched against the visible “From” address. You control what happens when fakes are detected. You get reports showing you exactly who’s sending email as your domain — both legitimate and fraudulent.
A Real-World Example
Imagine you run acme.com and a scammer sends a phishing email pretending to be your CEO:
The fake email:
(actually sent from the scammer’s server)
Subject: Urgent wire transfer needed
What happens at each check:
- Guest list check (SPF): Is the scammer’s server on acme.com’s authorised list? → FAIL (not authorised)
- Seal check (DKIM): Does the email have a valid digital seal from acme.com? → FAIL (no seal, or wrong seal)
- Matching check (DMARC): Did either SPF or DKIM pass and match acme.com? → FAIL
- Your rules:
p=reject→ EMAIL BLOCKED 🚫
The phishing email never reaches your employee, customer, or supplier. And you get a report showing someone tried to impersonate your business.
Protect your domain with all three
Generate your DMARC record and start monitoring in under 5 minutes.