Email authentication uses three protocols working together. Each solves a different problem, and all three are necessary for complete protection. Understanding how they differ helps you implement them correctly.
Quick Comparison
| Protocol | What It Does | Where It Lives | What It Checks |
|---|---|---|---|
| SPF | Authorizes sending servers | DNS TXT record at domain root | Sending IP address |
| DKIM | Signs messages cryptographically | DNS TXT record + email header | Message integrity |
| DMARC | Sets policy for failures | DNS TXT record at _dmarc subdomain | SPF/DKIM alignment |
SPF: Authorizing Sending Servers
SPF (Sender Policy Framework) answers one question: Is this server allowed to send email for this domain?
You publish a list of authorized IP addresses in your DNS. When a receiving server gets an email claiming to be from your domain, it checks whether the sending IP appears in your SPF record.
What SPF Checks
- The IP address of the server that delivered the message
- The domain in the Return-Path (envelope sender)
What SPF Does Not Do
- Verify message content has not been modified
- Check the visible From address (what recipients see)
- Tell receivers what to do when SPF fails
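The check described above, as an added example that is not part of the original article: a small SPF evaluator that parses a record, tests the connecting IP against its `ip4`/`ip6` mechanisms, follows `include`, and returns the qualifier's result. The records are constructed sample data held in a dict that stands in for DNS, so it runs offline; `a`, `mx` and `exists` need live lookups and are reported as `permerror`. The `return_path_domain` helper is this example's own and exists only to show which domain SPF actually evaluates.

```python
import ipaddress

# Constructed sample SPF records keyed by domain. In a real receiver these
# are fetched as DNS TXT records; the dict lets the example run offline.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Mechanism qualifier -> SPF result when the mechanism matches (RFC 7208 4.6.2)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def return_path_domain(return_path):
    """Domain that SPF evaluates: the envelope sender, not the visible From."""
    address = return_path.strip().strip("<>")
    return address.rpartition("@")[2].lower()


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Implements ip4, ip6, include and all. Mechanisms that require live
    DNS (a, mx, exists) and modifiers such as redirect= are out of scope
    for this example and produce permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10 per evaluation
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            inner = check_spf(argument, sender_ip, records, depth + 1)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror", "temperror"):
                return "permerror"  # an include target without a record is an error
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"  # a, mx, exists, ptr: not implemented here
    return "neutral"  # no mechanism matched and no trailing "all"


def check_message(return_path, from_header_domain, sender_ip):
    """Show that SPF is keyed on the Return-Path domain, never on From."""
    domain = return_path_domain(return_path)
    return {"spf_domain": domain, "from_domain": from_header_domain,
            "result": check_spf(domain, sender_ip)}


if __name__ == "__main__":
    for ip in ("192.0.2.25", "2001:db8:1::5", "198.51.100.10", "203.0.113.7"):
        print(ip, check_spf("example.com", ip))
    print(check_message("<bounces@mail.example.net>", "example.com", "203.0.113.7"))
```

The last call is the point of the "What SPF Does Not Do" list: the message displays `example.com` in From, but SPF only ever consulted `mail.example.net`, the Return-Path domain.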
DKIM: Proving Message Authenticity
DKIM (DomainKeys Identified Mail) proves that the message content is authentic and unchanged.
Your mail server adds a cryptographic signature to each message using a private key. The corresponding public key is published in DNS. Receivers can verify the signature to confirm the message was authorized and has not been altered.
What DKIM Checks
- The cryptographic signature matches the message content
- The public key is available in DNS
- Specific headers and the message body have not been modified
What DKIM Does Not Do
- Verify the sending server is authorized
- Prevent signature breakage from message modification
- Tell receivers what to do when DKIM fails
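The integrity half of DKIM, as an added example that is not part of the original article: RFC 6376 "relaxed" canonicalization of headers and body, computation of the `bh=` body hash, and the body-hash comparison a verifier performs before it checks the signature. The sample message and the `DKIM-Signature` value are constructed; the second verification step, checking the `b=` signature over the selected headers with the public key published in DNS, is deliberately left out because it needs the signing key material. The same code illustrates the later "DKIM detects modification but does not prevent it" point: a footer appended by a mailing list changes the body hash and the signature no longer verifies.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_relaxed(body):
    """RFC 6376 3.4.4 'relaxed' body canonicalization.

    Runs of spaces/tabs collapse to one space, trailing whitespace on each
    line is dropped, empty lines at the end of the body are removed and
    every remaining line is terminated with CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def canonicalize_header_relaxed(name, value):
    """RFC 6376 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body):
    """Value of the bh= tag for a=rsa-sha256: base64(SHA-256(canonical body))."""
    canonical = canonicalize_body_relaxed(body).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def parse_dkim_tags(signature_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in signature_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is insignificant
    return tags


def body_hash_matches(signature_value, body):
    """Body-hash step of DKIM verification (RFC 6376 6.1.3).

    True when the received body still canonicalizes to the signer's bh=.
    Only relaxed body canonicalization is implemented in this example.
    """
    tags = parse_dkim_tags(signature_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_alg = canon[1] if len(canon) > 1 else "simple"
    if body_alg != "relaxed":
        raise ValueError("example supports only c=*/relaxed")
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body))


def make_signature_value(body, domain="example.com", selector="mail2024"):
    """Constructed DKIM-Signature value as a signer would assemble it before
    computing b= (left empty here because no private key is involved)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")


# Constructed sample body as the signer saw it
ORIGINAL_BODY = "Hello team,\r\n\r\nThe Q3 report is attached.\r\n\r\n-- \r\nAlice\r\n"

if __name__ == "__main__":
    signature = make_signature_value(ORIGINAL_BODY)
    print(signature)
    # Whitespace-only changes in transit survive relaxed canonicalization
    print("reflowed  :", body_hash_matches(signature, ORIGINAL_BODY.replace("is ", "is   ") + "\r\n"))
    # A mailing-list footer changes the content, so the body hash no longer matches
    print("with footer:", body_hash_matches(signature, ORIGINAL_BODY + "___\r\nUnsubscribe: list@example.net\r\n"))
```

A verifier that reaches a `bh=` mismatch stops there and reports DKIM fail; it never gets as far as fetching the public key. That is why a list that rewrites bodies breaks DKIM for the original signing domain regardless of how strong the key is.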
DMARC: Policy and Reporting
DMARC (Domain-based Message Authentication, Reporting and Conformance) solves two problems that SPF and DKIM leave open:
- Policy: What should receivers do when authentication fails?
- Alignment: Does the authenticated domain match the visible From address?
DMARC requires that at least one of SPF or DKIM passes AND aligns with the From header domain. This prevents attackers from passing SPF or DKIM with their own domains while spoofing yours in the From address.
What DMARC Adds
- A policy (none, quarantine, reject) for handling failures
- Alignment requirements connecting authentication to the visible sender
- Reporting so you can monitor authentication results
How They Work Together
Consider this scenario: You send an email from your marketing platform.
- SPF Check: The receiving server looks up your SPF record and verifies the marketing platform's IP is authorized. SPF passes.
- DKIM Check: The server finds your DKIM signature, retrieves your public key from DNS, and verifies the signature is valid. DKIM passes.
- DMARC Check: The server confirms that either the SPF domain or DKIM signing domain aligns with the From header. Since both pass and align, DMARC passes.
If any check fails or alignment is missing, DMARC applies your published policy.
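The DMARC policy and alignment logic described in the two sections above, as an added example that is not part of the original article: it parses a `_dmarc` TXT record, applies strict or relaxed identifier alignment for SPF and DKIM, and returns the verdict plus the disposition a receiver would apply. The record and the scenarios are constructed. One stated simplification: relaxed alignment needs the organizational domain, which real validators derive from the Public Suffix List; this example approximates it as the last two labels, which is wrong for suffixes such as `co.uk`. The `sp=` and `pct=` tags are also not applied here.

```python
def parse_dmarc(record):
    """Parse a _dmarc TXT record into tags with RFC 7489 defaults applied.

    Returns None for anything that is not a usable DMARC record (wrong
    version tag or no valid p=), which receivers treat as 'no policy'.
    """
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")   # SPF alignment mode, relaxed by default
    return tags


def organizational_domain(domain):
    """Organizational domain for relaxed alignment.

    Assumption made by this example: the registrable domain is the last
    two labels. Production code must use the Public Suffix List instead.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(authenticated_domain, from_domain, mode):
    """Strict ('s') alignment is an exact match; relaxed ('r') compares organizational domains."""
    if not authenticated_domain:
        return False
    auth = authenticated_domain.lower().rstrip(".")
    rfc5322_from = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == rfc5322_from
    return organizational_domain(auth) == organizational_domain(rfc5322_from)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM outcomes into a DMARC verdict.

    spf_domain is the Return-Path domain SPF evaluated; dkim_domain is the
    d= tag of a signature that verified (empty when none did). DMARC
    passes when at least one of them passed AND aligns with the From
    domain; otherwise the record's p= policy becomes the disposition.
    """
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return {"result": "none", "disposition": "none",
                "spf_aligned": False, "dkim_aligned": False}
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, policy["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
    }


# Constructed sample record for example.com
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    scenarios = {
        # The marketing-platform scenario: bounce subdomain for SPF, d=example.com for DKIM
        "marketing platform": ("pass", "bounce.example.com", "pass", "example.com"),
        # Both protocols pass for a different domain while From shows example.com
        "unaligned sender": ("pass", "other.example", "pass", "other.example"),
        # Forwarded mail: SPF fails on the forwarder's IP, DKIM still aligns
        "forwarded": ("fail", "forwarder.example", "pass", "example.com"),
    }
    for name, (spf_r, spf_d, dkim_r, dkim_d) in scenarios.items():
        print(f"{name:20s}", evaluate_dmarc(RECORD, "example.com", spf_r, spf_d, dkim_r, dkim_d))
```

The "unaligned sender" scenario is the case the alignment requirement exists for: SPF and DKIM both report pass, yet the verdict is fail and the disposition is the published `p=reject`, because neither authenticated identifier matches the domain the recipient sees. The "forwarded" scenario shows why a DKIM signature that survives forwarding keeps DMARC passing even though SPF breaks.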
Why All Three Matter
SPF alone can be bypassed by spoofing the visible From address. DKIM alone can break when messages are forwarded. DMARC ties them together and adds the alignment check that makes the authentication meaningful to recipients.
Requirements for Bulk Senders
Gmail, Yahoo, and Microsoft now require all three protocols for bulk senders:
| Provider | SPF | DKIM | DMARC |
|---|---|---|---|
| Gmail (5,000+/day) | Required | Required | Required (p=none minimum) |
| Yahoo (bulk senders) | Required | Required | Required (p=none minimum) |
| Microsoft (high volume) | Required | Required | Required |
Implementation Order
If you are starting from scratch, implement in this order:
- SPF first: Identify all sending sources and publish your SPF record
- DKIM second: Configure signing for all sending sources and publish public keys
- DMARC last: Start with p=none to monitor, then tighten policy over time
This order matters because DMARC depends on SPF and DKIM being configured correctly. Implementing DMARC before fixing authentication issues causes legitimate mail to fail.
Common Misunderstandings
"SPF checks the From address"
SPF checks the Return-Path (envelope sender), not the visible From address. These are often different, especially when using third-party sending services.
"DKIM prevents email modification"
DKIM detects modification but does not prevent it. If a message is modified after signing (by a mailing list, for example), the signature becomes invalid.
"DMARC replaces SPF and DKIM"
DMARC depends on SPF and DKIM. It adds policy and alignment checking but does not replace the underlying authentication protocols.
"p=none means DMARC is not working"
p=none is a valid DMARC policy that enables reporting without affecting delivery. It is the required starting point for safe DMARC implementation.
