Ask three IT teams how email authentication works and you will get three half-answers and one shrug. SPF, DKIM, and DMARC sit at the heart of every modern email security strategy, and yet most companies that use them cannot clearly explain what each one actually does, where they overlap, and why having one or two is not enough.
This guide fixes that. By the end, you will understand exactly what each standard contributes, how they fit together, and the order in which you should deploy them — whether you are a CTO building an enterprise email strategy or a business owner trying to keep your domain off blocklists.
Why Three Standards Instead of One?
Email was designed in the early 1980s, long before anyone imagined billions of phishing attempts a day. The original SMTP protocol has no built-in way to verify who actually sent a message. Anyone, anywhere, can claim to be sending email from your domain, and the receiving server has no native way to call them a liar.
Rather than rewrite SMTP from scratch — an impossible task at internet scale — the industry solved the problem in layers. Each layer addresses a different weakness:
SPF answers the question, "Is this server allowed to send mail for this domain?"
DKIM answers the question, "Was this message actually sent by the domain it claims, and has it been tampered with?"
DMARC answers the question, "What should I do when SPF and DKIM disagree or fail, and how do I report what I'm seeing back to the domain owner?"
Each standard is necessary. None of them is sufficient on its own. Together, they form a layered defense that is now the global baseline for email trust.
SPF: The Guest List for Your Domain
SPF stands for Sender Policy Framework. It is a single DNS TXT record published at your domain that lists every server, IP range, and third-party service authorized to send email on your behalf.
When a receiving mail server gets a message claiming to be from [email protected], it looks up the SPF record at yourdomain.com and checks whether the sending IP appears on the approved list. If yes, the message passes SPF. If no, the message fails.
A typical SPF record looks something like this:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -allThat single line tells the world: Google's servers can send mail for us, SendGrid can send mail for us, our office IP can send mail for us, and anything else should be rejected (-all).
SPF is powerful because it is cheap to deploy and immediately closes the most basic spoofing vector: a random server on a random network pretending to be you. But SPF has two critical weaknesses that everyone needs to understand.
The first is that SPF breaks when mail is forwarded. When someone forwards your email through another server, the forwarding server's IP is not on your SPF list, so SPF fails — even though the original message was completely legitimate.
The second is that SPF only authenticates the technical envelope sender (the Return-Path address), not the From header that humans actually see. A clever attacker can pass SPF using their own throwaway domain while displaying your name in the From line. SPF alone cannot stop that — and this is exactly the gap that DMARC was created to close.
DKIM: The Tamper-Proof Seal
DKIM stands for DomainKeys Identified Mail. Instead of asking "is this IP allowed?", DKIM asks "can you prove you actually sent this, and that nobody changed it in transit?"
The mechanism is cryptographic. When you set up DKIM, you generate a public/private key pair. The private key lives on your sending server. The public key is published in DNS at a special selector like selector1._domainkey.yourdomain.com.
Every outgoing message is signed with the private key. The signature covers the message headers and body. The receiving server fetches the public key from your DNS, verifies the signature, and confirms two things: the message genuinely originated from a sender holding the private key, and the content has not been altered since it was signed.
DKIM survives forwarding gracefully — the signature travels with the message — which makes it strictly more robust than SPF in the modern email ecosystem where mail flows through gateways, security appliances, and forwarding rules constantly.
But DKIM also has a blind spot. By itself, DKIM does not require a message to be signed at all. An unsigned message simply has no DKIM result to evaluate. Worse, just like SPF, a passing DKIM signature does not have to match the visible From domain. An attacker can sign a forged email with their own domain's valid DKIM key and technically "pass" DKIM — while still impersonating you in the part the recipient actually reads.
This is the core problem: SPF and DKIM can each pass against the wrong domain. They prove authenticity for whoever signed or sent the message, but they do not enforce that the signer matches the visible sender. The result is a security theater where both checks pass and the message is still a forgery.
DMARC: The Policy and Visibility Layer
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is the layer that turns SPF and DKIM from a pair of partial signals into an enforceable policy backed by real intelligence.
DMARC does three things that SPF and DKIM cannot do on their own.
First, DMARC enforces alignment. It requires that the domain authenticated by SPF or DKIM matches the domain in the visible From header. Without alignment, an attacker passing SPF with attacker-domain.xyz while spoofing From: [email protected] would be invisible. With alignment, that mismatch causes an immediate DMARC failure.
Second, DMARC publishes a policy that tells receiving servers what to do when authentication fails. The three policies are p=none (monitor only), p=quarantine (send to spam), and p=reject (block outright). A domain at p=reject is functionally unspoofable by any receiver that honors DMARC — which today means virtually every major inbox provider in the world.
Third, DMARC provides reporting. The rua tag in your DMARC record causes every receiving server on the internet to send you daily XML reports summarizing every message that claimed to be from your domain — who sent it, from what IP, whether it passed authentication, and how many messages were involved. This visibility is the single most valuable security feature most domains have never turned on.
DMARC is not a replacement for SPF and DKIM. It is the supervisor sitting on top of them, deciding what to do when they pass, what to do when they fail, and reporting it all back to you. Deploy DMARC without SPF or DKIM and it has nothing to evaluate. Deploy SPF and DKIM without DMARC and the visible From line is still a free-for-all.
How the Three Work Together: A Walkthrough
Picture a message arriving at Gmail claiming to be from [email protected].
Gmail first checks SPF. It looks up the SPF record at yourdomain.com and asks: is the sending IP on the approved list? Let's say yes — SPF passes against yourdomain.com.
Next Gmail checks DKIM. It finds a DKIM signature in the message headers, fetches your public key from DNS, and verifies the signature. The signature is valid, and it was made by yourdomain.com's key — DKIM passes against yourdomain.com.
Now DMARC evaluates the situation. It checks alignment: do the authenticated domains (from SPF and DKIM) match the visible From domain? Yes — all three say yourdomain.com. DMARC passes. Gmail delivers the message to the inbox.
Now imagine the attacker scenario. An attacker sends a phishing message from a compromised server, forging From: [email protected]. SPF lookups happen against the attacker's actual sending domain and pass — but for the wrong domain. There is no DKIM signature from yourdomain.com. DMARC sees that neither SPF nor DKIM aligned with the visible From domain, looks up your DMARC policy of p=reject, and tells Gmail to drop the message. Your customer never sees the phishing attempt. You receive a DMARC report the next day showing the attempt was blocked. Total elapsed time: a few hundred milliseconds.
This is what email authentication looks like when it is working correctly. Three standards, one outcome: legitimate mail delivered, forged mail rejected, full visibility into both.
The Side-by-Side Comparison
It helps to see the three standards laid out against each other:
SPF authenticates the sending server. It is published as a DNS TXT record, is easy to deploy, and is universally supported. It breaks on forwarding and does not check the visible From address.
DKIM authenticates the message itself using cryptographic signatures. It is published as a DNS TXT record at a selector, requires configuration on the sending service, and survives forwarding. It also does not check the visible From address on its own.
DMARC authenticates the alignment between SPF/DKIM and the visible From address. It is published as a DNS TXT record at _dmarc.yourdomain.com, depends entirely on SPF and DKIM being in place first, and provides both enforcement policy and aggregate reporting.
The one-sentence summary: SPF says who can send, DKIM says the message is genuine, DMARC says what to do when they disagree and tells you what is happening on your domain.
Common Misconceptions
A few myths refuse to die.
"I have SPF, so I'm protected." You are protected against the most basic spoofing only. Without DMARC, attackers can still spoof your visible From line by passing SPF on their own domain.
"DKIM and SPF do the same thing." They do not. SPF authenticates the server; DKIM authenticates the message. Modern best practice is to deploy both because they each survive failure modes the other does not.
"DMARC is just for big companies." DMARC is now required by Gmail, Yahoo, and Microsoft for any sender pushing meaningful volume. It is also the simplest way for any business — large or small — to get reporting visibility into who is sending email on their behalf.
"Setting up SPF/DKIM/DMARC will break our email." It can — if you rush it. A staged rollout starting at p=none and gradually moving to p=reject makes the process safe and predictable. The risk is real but entirely manageable.
"We deployed this years ago, we're fine." Email infrastructure changes constantly. New SaaS tools, new sending IPs, expired DKIM keys, new subdomains — any of these can silently break authentication. Without ongoing monitoring, you are flying blind.
The Order to Deploy Them
If you are starting from scratch, the order matters.
First, audit your sending sources. Marketing tools, CRM, transactional mail provider, billing platform, helpdesk, HR systems, CI/CD notifications. Write them all down. Most teams undercount by a factor of two.
Second, deploy SPF. Build a single SPF record that includes every authorized sender. Watch out for the 10-DNS-lookup limit — exceed it and SPF breaks silently. SPF flattening tools exist specifically to handle this.
Third, deploy DKIM for each sending service. Each platform gives you a public key to publish in DNS at a unique selector. This takes the most coordination but is one-time work per service.
Fourth, publish DMARC at p=none. This is monitor-only mode. You start receiving aggregate reports immediately without affecting deliverability. Let it run for two to four weeks. Review the reports. Fix every legitimate sender that is failing alignment.
Fifth, move to p=quarantine with a small percentage (pct=10 is typical) and gradually ramp up over a few weeks while monitoring reports.
Sixth, reach p=reject with pct=100. Your domain is now effectively unspoofable.
The whole process takes six to twelve weeks depending on the complexity of your sending infrastructure. There is no shortcut, but there is also nothing exotic — every step is well-documented and well-supported.
What You Get When All Three Are in Place
A domain with SPF, DKIM, and DMARC fully deployed at enforcement looks different from one without. Phishing emails impersonating your brand stop reaching customers. Legitimate marketing and transactional mail land in inboxes instead of spam folders. You have a daily intelligence feed showing every IP on earth that has tried to send mail as you. Compliance frameworks like SOC 2, ISO 27001, and the new Google/Yahoo sender requirements stop being a fire drill and start being a checkbox.
You also reach a quieter benefit that does not show up in any report: your customers, partners, and employees can trust that an email claiming to be from your company actually is from your company. In an era when business email compromise is the largest single source of financial cybercrime loss, that trust is no small thing.
Where to Go From Here
If your domain has none of these three records today, publishing SPF and a p=none DMARC record this week will give you more visibility into your email infrastructure than you have ever had — at zero risk to deliverability. From there, the path to full enforcement is well-trodden and worth every hour invested.
If you already have all three, ask yourself two questions: Are my reports actually being collected and read by someone? And is my DMARC policy at p=reject, or am I still stuck at p=none years after I meant to graduate? The single most common pattern we see is domains that deployed everything correctly years ago, then quietly drifted into a state where the records exist but nobody is watching. That is worse than not deploying at all, because it creates a false sense of security.
SPF, DKIM, and DMARC are no longer optional. They are the baseline. The only question is whether your domain meets that baseline today or whether you wait until the incident to wish you had.
Stay in the loop
Get notified when we publish new email security insights.
