
How do SPF, DKIM, and DMARC email authentication standards work?

Matthew Whittaker
Co-founder & CTO, Suped
Published 12 Aug 2025
Updated 19 Aug 2025
9 min read
Email is a fundamental part of modern communication, but its open nature makes it vulnerable to abuse. Spam, phishing, and spoofing are constant threats that can erode trust and harm brand reputation. To combat these issues, several email authentication standards have been developed. These protocols work together to verify sender identity and ensure message integrity, making it harder for malicious actors to impersonate legitimate senders.
Understanding how these standards function is crucial for anyone involved in email marketing or IT. Without proper implementation, your legitimate emails could end up in spam folders, or worse, your domain could be exploited by phishers. I often see organizations struggle with their email deliverability because they haven't fully grasped the interplay between these critical components.
In this guide, I will break down how Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) operate. I will explain their individual roles and, more importantly, how they collaborate to create a robust email authentication ecosystem. This knowledge is essential for ensuring your emails reach their intended recipients and maintaining a strong sender reputation.

Sender Policy Framework (SPF) explained

Sender Policy Framework, or SPF, is like a list of authorized mail carriers for your domain. It allows a domain owner to specify which mail servers are permitted to send email on behalf of their domain. This information is published in the Domain Name System (DNS) as a TXT record. When a receiving mail server gets an email, it checks the SPF record of the sending domain to see if the sending IP address is on the approved list.
If the sending IP is not authorized, the email may be flagged as suspicious, put in the junk folder, or even rejected outright. This helps prevent spammers and phishers from sending emails that appear to come from your domain, a common tactic known as email spoofing. The SPF record specifies permitted sending hosts and the action to take if a host is not listed.
The SPF record typically includes a version (e.g., v=spf1), a list of authorized IP addresses or mechanisms to include other domains' SPF records, and a qualifier that dictates the action for unauthorized senders. For example, -all means a hard fail (reject), while ~all indicates a soft fail (accept but mark as suspicious).
Example SPF record
v=spf1 include:_spf.google.com include:sendgrid.net -all
For more detailed insights on how to set up SPF and other records, you can refer to our guide on where SPF, DKIM, and DMARC records should be placed.
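As an added illustration (not code from the article or from Suped), here is a small Python SPF evaluator that walks a record the way a receiving server does, following include: mechanisms recursively and counting the DNS-querying terms that RFC 7208 caps at 10. The DNS zone is a constructed stand-in for live TXT lookups, and only the ip4, ip6, include and all terms are handled.

```python
import ipaddress
import re

# Constructed DNS zone standing in for live TXT lookups (assumption: offline demo;
# the article's real record points at Google and SendGrid, these names are made up).
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 include:relay.mailer.example ~all",
    "relay.mailer.example": "v=spf1 ip6:2001:db8::/32 -all",
}

# Terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, zone=ZONE, lookups=0):
    """Return (result, dns_lookups_used) for sending IP `ip` against `domain`.
    Handles ip4, ip6, include and all; a/mx/exists would need real DNS."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=](\S+))?", term)
        if not m:
            return "permerror", lookups          # syntax this demo does not understand
        qual = QUALIFIERS[m.group(1) or "+"]
        mech, arg = m.group(2), m.group(3)
        if mech in LOOKUP_TERMS:
            lookups += 1
            if lookups > 10:
                return "permerror", lookups      # the 10-lookup limit was exceeded
        if mech == "all":
            return qual, lookups
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return qual, lookups
        elif mech == "include":
            sub, lookups = check_spf(arg, ip, zone, lookups)
            if sub == "pass":
                return qual, lookups             # include matched: apply its qualifier
            if sub in ("permerror", "temperror"):
                return sub, lookups              # errors propagate to the caller
    return "neutral", lookups                    # nothing matched and no "all" term
```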

DomainKeys Identified Mail (DKIM) explained

DomainKeys Identified Mail, or DKIM, adds a layer of cryptographic authentication to your emails. While SPF checks the sender's IP address, DKIM focuses on the integrity of the message itself and verifies that the email was indeed sent by the authorized domain and that its content hasn't been tampered with in transit. It's like a digital signature on your email.
Here's how it works: when an email is sent, the sending mail server computes a hash of the message body and signs that hash together with a chosen set of headers using the domain's private key. The result is attached to the message as a DKIM-Signature header, whose d= tag names the signing domain and whose s= tag names a selector. The receiving mail server looks up the matching public key in DNS at selector._domainkey.domain and uses it to verify the signature (a signature is verified with the public key, not decrypted). If the signature verifies and the body hash still matches, the email is considered legitimate and untampered.
DKIM verification is critical because it helps prevent phishing and spoofing where the sender's IP might be legitimate, but the email content is malicious or altered. It's especially useful when emails are forwarded, as SPF can break in such scenarios. For more on DKIM, you can check out this detailed explanation by Cloudflare.
Example DKIM record
selector1._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn8r..."
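An added example, not from the article, showing the part of DKIM verification that needs no key at all: recomputing the body hash (the bh= tag) after RFC 6376 canonicalization, so a body edited in transit is caught before the signature over the headers is even checked. The DKIM-Signature header and message body are constructed, and the b= value is a placeholder.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value ('v=1; a=rsa-sha256; bh=...; b=...') into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # unfold whitespace
    return tags

def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization: 'simple' only trims trailing empty lines;
    'relaxed' also strips trailing whitespace and squeezes runs of spaces/tabs."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""   # empty-body special cases
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, mode="simple", algo="sha256"):
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

def verify_body_hash(dkim_signature, body):
    """True when bh= matches the body we received; False means the body changed
    after signing. The b= signature over the headers is checked separately."""
    tags = parse_dkim_tags(dkim_signature)
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    algo = tags["a"].split("-")[1]                # rsa-sha256 -> sha256
    return body_hash(body, body_mode, algo) == tags["bh"]

def dkim_key_name(dkim_signature):
    tags = parse_dkim_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"  # DNS name holding the public key

def demo():
    # Constructed message; the signer sets bh= from the body it actually sent.
    body = "Your invoice is attached.\r\nPay to account 1234.\r\n"
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=selector1; "
           "h=from:to:subject; bh=" + body_hash(body, "relaxed") + "; b=<sig-placeholder>")
    tampered = body.replace("1234", "9999")
    return verify_body_hash(sig, body), verify_body_hash(sig, tampered)
```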

DMARC: The orchestrator

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, ties SPF and DKIM together, providing a comprehensive framework for email authentication. It allows domain owners to specify how receiving mail servers should handle emails that fail SPF or DKIM checks, and it provides valuable feedback through aggregated reports.
The key concept in DMARC is alignment. For an email to pass DMARC, either its SPF or DKIM check must pass, AND the domain used by that passing check (the Return-Path, or envelope MAIL FROM, domain for SPF; the d= tag for DKIM) must align with the domain in the From: header that the user sees. In relaxed alignment (the default, written adkim=r and aspf=r) a subdomain of the same organizational domain counts; strict alignment (adkim=s, aspf=s) requires an exact match. This alignment requirement is what makes DMARC so powerful in preventing direct domain spoofing.
A DMARC record, also published as a DNS TXT record, defines the policy for how unauthenticated emails should be handled. There are three main policies: p=none (monitor, no action taken), p=quarantine (deliver to spam/junk), and p=reject (do not deliver at all). The pct tag sets what percentage of failing messages the policy is applied to. You can learn more about these policies and their effects in our guide on safely transitioning your DMARC policy.
DMARC also enables reporting: receivers send XML-formatted aggregate reports to the rua address and, if enabled and supported by the receiver, failure (forensic) reports to the ruf address specified in the record. These reports provide invaluable insights into who is sending email on behalf of your domain, including legitimate and fraudulent activity. Analyzing these reports is key to understanding your email ecosystem and evolving your DMARC policy effectively. You can also explore our free DMARC record generator tool to create your records.
Example DMARC record
v=DMARC1; p=quarantine; rua=mailto:dmarc_reports@yourdomain.com; ruf=mailto:forensic_reports@yourdomain.com; adkim=r; aspf=r; fo=1
To delve deeper, I recommend visiting the official DMARC.org overview page.
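An added example (not the article's own code) that applies the alignment rules from this section to the record shown above: it takes the raw SPF and DKIM results with their domains, checks relaxed or strict alignment against the From: header domain, and returns the disposition, honouring pct and the sp= subdomain policy. The organizational-domain helper assumes two labels instead of consulting the Public Suffix List.

```python
import random

def org_domain(domain):
    """Organizational domain for relaxed alignment. Assumption: the last two labels;
    a real evaluator consults the Public Suffix List (example.co.uk needs three)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts any subdomain
    of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record):
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC1 record with a policy")
    return tags

def evaluate_dmarc(record, from_domain, spf_result, mailfrom_domain,
                   dkim_result, dkim_d, roll=None):
    """Return (dmarc_pass, disposition) for one message.
    spf_result/dkim_result are the raw results ('pass' or anything else);
    mailfrom_domain is the Return-Path domain, dkim_d the signature's d= tag."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"                 # one aligned pass is enough
    # Subdomain senders get sp= when present, otherwise the main policy.
    is_sub = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_sub else tags["p"]
    pct = int(tags.get("pct", "100"))       # share of failing mail the policy applies to
    roll = random.randint(1, 100) if roll is None else roll
    if roll > pct:                          # not sampled: apply the next weaker policy (RFC 7489)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy

# The record from this article, verbatim.
RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc_reports@yourdomain.com; "
          "ruf=mailto:forensic_reports@yourdomain.com; adkim=r; aspf=r; fo=1")
```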

Why these standards are essential

Individually, SPF and DKIM provide important checks. SPF verifies the sender's identity based on their IP address, acting as a gatekeeper for who can send mail. DKIM ensures the message content remains unchanged and the sender's identity is cryptographically signed. Together, these protocols significantly enhance email security. However, their true power is unlocked when combined with DMARC.
DMARC acts as the policy layer. It tells receiving servers what to do if an email fails authentication checks, whether to allow it, send it to spam, or reject it entirely. This is crucial for protecting your brand against impersonation and phishing attacks. The reports DMARC generates provide visibility into your email sending ecosystem, allowing you to identify unauthorized sending sources and adjust your configurations as needed. Without DMARC, even if SPF and DKIM are set up, receiving servers have no explicit instructions on how to handle failed emails, which can lead to inconsistent deliverability or missed spoofing attempts. If you want to know more about this, check out our guide on why DMARC authentication fails even when SPF and DKIM pass.
For domains that don't send emails at all, implementing a DMARC policy of p=reject with a null MX record is a strong security measure. It explicitly tells receiving mail servers that no mail should ever originate from this domain, and any received mail should be rejected. This is a powerful way to prevent your domain from being used in phishing or spam campaigns. Our article on the benefits of implementing DMARC covers this in more detail. Furthermore, Google and Yahoo's new sender requirements for 2024 emphasize the importance of these authentication protocols, making their proper setup non-negotiable for high deliverability. This also applies if your domain has been added to an email blacklist (or blocklist).

The full authentication picture

How SPF, DKIM, and DMARC work

  1. SPF (Sender Policy Framework): Specifies which mail servers are authorized to send email on behalf of a domain using a DNS TXT record. Receiving servers check if the sending IP is approved.
  2. DKIM (DomainKeys Identified Mail): Adds a digital signature to emails to verify sender authenticity and ensure message integrity using cryptographic keys in DNS.
  3. DMARC (Domain-based Message Authentication, Reporting, and Conformance): Builds on SPF and DKIM by defining policies for handling unauthenticated emails and providing reporting on authentication results.

Before DMARC

Receiving servers determine email fate independently. Even with SPF and DKIM, there's no clear policy for handling authentication failures. This leads to inconsistent deliverability, with some legitimate emails ending up in spam folders due to ambiguous instructions, and spoofed emails potentially reaching inboxes. There is also a lack of visibility into unauthorized use of your domain.

After DMARC implementation

Domain owners set clear policies (e.g., quarantine, reject) for emails that fail authentication. This enhances security against phishing and spoofing. DMARC also provides aggregated reports, offering insight into email sending activity across all senders using your domain. This allows for continuous monitoring and refinement of your email authentication setup.
Implementing SPF, DKIM, and DMARC is not just a technical formality; it's a strategic necessity for email deliverability and security. These standards work hand-in-hand to verify sender identity, ensure message integrity, and provide domain owners with control over how unauthenticated emails are handled. By properly configuring and monitoring these records, you significantly reduce the risk of your domain being spoofed, improve your sender reputation, and ensure that your emails consistently reach the inbox. Staying proactive with these protocols is crucial for maintaining trust and protecting your brand in the digital landscape.

Views from the trenches

Best practices
Always start with DMARC in p=none (monitoring mode) to gather data before enforcing policies.
Ensure SPF records include all legitimate sending IPs and services to avoid false negatives.
Verify DKIM signatures are correctly generated and the public key is published in DNS.
Regularly review DMARC reports to identify legitimate sending sources and unauthorized activity.
Gradually move DMARC policies to quarantine, then reject, once you are confident in your configuration.
Common pitfalls
Forgetting to update SPF records when adding new email sending services, leading to authentication failures.
Not setting up DMARC, leaving your domain vulnerable to spoofing even with SPF and DKIM.
Exceeding SPF's limit of 10 DNS lookups (include, a, mx, ptr, exists and redirect all count) makes the record evaluate to permerror, causing validation failures and email delivery problems.
Failing to renew DKIM keys or using incorrect selectors can break authentication.
Ignoring DMARC reports means missing critical insights into email deliverability and abuse.
Expert tips
Use a DMARC monitoring service to simplify report analysis and quickly identify issues.
Consider subdomain separation for different email types (e.g., transactional, marketing) to isolate reputation.
Implement a consistent 'From' address across all sending services for DMARC alignment.
Be aware that some mailbox providers, like Microsoft, may interpret DMARC policies differently.
Set a null MX record for domains that do not send or receive email to clearly indicate their purpose.
Expert view
Expert from Email Geeks says they learned the technical aspects of email by reading resources that excel at breaking down complex concepts into understandable terms.
2021-06-24 - Email Geeks
Marketer view
Marketer from Email Geeks explains SPF as a list of authorized postmen for your letters. If a postman isn't on the list, the receiver becomes cautious, with the level of caution depending on the SPF record's qualifier.
2021-06-25 - Email Geeks

Key takeaways

Mastering SPF, DKIM, and DMARC is fundamental for anyone serious about email deliverability and security. These authentication standards are your first line of defense against cyber threats and a cornerstone of a healthy sender reputation. By understanding their individual roles and how they work in concert, you empower your domain to send trustworthy emails and protect your brand from imposters.
Implementing these protocols correctly, especially DMARC, provides invaluable visibility into your email ecosystem, allowing you to identify and mitigate risks. As the email landscape continues to evolve, with stricter authentication requirements from major mailbox providers, having a robust SPF, DKIM, and DMARC setup is no longer optional, it’s essential for reaching the inbox reliably.
