Summary
Experts, marketers, and technical documentation all agree that DMARC leverages SPF by checking the MAIL FROM (Return-Path) domain, not the HELO. While SPF has its place, DKIM is overwhelmingly considered more robust and crucial for email authentication, especially in scenarios involving message forwarding. DKIM's cryptographic signatures ensure authentication integrity, making it a more reliable choice for long-term deliverability and preventing emails from being marked as spam. Senders with dedicated IPs can benefit from focusing on SPF, but DKIM remains paramount for most use cases.
Key findings
- SPF Domain Focus: DMARC uses the MAIL FROM (Return-Path) domain for SPF authentication.
- DKIM Superiority: DKIM is considered more robust and reliable than SPF due to its cryptographic signatures and resilience to forwarding.
- Forwarding Impact: SPF breaks when messages are forwarded, while DKIM remains valid, making it essential for maintaining authentication.
- Spam Prevention: Implementing DKIM is one of the best ways to prevent emails from being marked as spam.
Key considerations
- Prioritize DKIM Implementation: Focus on implementing and properly configuring DKIM for optimal email deliverability.
- MAIL FROM Setup: Ensure accurate setup of SPF records using the MAIL FROM domain.
- Forwarding Scenarios: Prioritize DKIM if your emails are frequently forwarded or handled by mailing lists.
- Dedicated IPs: Senders with dedicated IPs may find SPF more beneficial, but DKIM should still be implemented for comprehensive authentication.
- Continuous Monitoring: Regularly monitor both SPF and DKIM records to ensure ongoing email authentication success.
What email marketers say
8 marketer opinions
The consensus among email marketers is that DMARC checks should focus on the MAIL FROM domain for SPF, not HELO. While SPF is important, DKIM is generally considered more crucial for long-term email deliverability. DKIM's cryptographic signatures provide stronger authentication, especially when messages are forwarded. However, SPF remains relevant, particularly for senders with dedicated IPs.
Key opinions
- SPF Domain: DMARC relies on the MAIL FROM domain for SPF checks, not the HELO identity.
- DKIM Priority: DKIM is generally considered more important than SPF due to its resilience to forwarding.
- DKIM Strength: DKIM provides stronger authentication through cryptographic signatures.
- SPF Fragility: SPF can break when messages are forwarded, impacting its reliability.
Key considerations
- Dedicated IP: If using a dedicated sending IP, focusing on SPF is particularly beneficial.
- Forwarding: For scenarios involving message forwarding, prioritize DKIM for authentication.
- Alignment: Ensure the MAIL FROM domain aligns with the From: header for optimal DMARC compliance.
- Long-term Deliverability: Focusing on DKIM improves long-term email deliverability and sender reputation.
Marketer view
Email marketer from Postmark explains the key differences between SPF, DKIM and DMARC - it highlights how SPF can break when a message is forwarded as the return path changes. DKIM remains valid due to it's signature.
19 Apr 2022 - Postmark
Marketer view
Email marketer from Proofpoint responds that while both SPF and DKIM are important, DKIM offers stronger authentication due to its cryptographic signing, which survives forwarding. SPF is still useful but is more fragile.
30 Sep 2023 - Proofpoint
What the experts say
4 expert opinions
Experts agree that DMARC leverages SPF by checking the MAIL FROM (Return-Path) domain, not the HELO. DKIM is considered more essential for authentication, especially with message forwarding, as it remains valid while SPF often breaks. Therefore, senders should prioritize DKIM.
Key opinions
- SPF & DMARC: DMARC checks SPF using the MAIL FROM (Return-Path) domain.
- DKIM Importance: DKIM is considered more important than SPF for reliable authentication.
- Forwarding Impact: SPF breaks when messages are forwarded, making DKIM a better choice for ensuring authentication across the board.
- DKIM Robustness: DKIM relies on cryptographic signatures, making it more robust than SPF.
Key considerations
- Prioritize DKIM: Senders should prioritize implementing and maintaining DKIM.
- MAIL FROM Alignment: Ensure correct setup and alignment of SPF using the MAIL FROM domain.
- Forwarding Scenarios: Focus on DKIM if your messages are frequently forwarded.
- SPF Limitations: Recognize the limitations of SPF, especially with forwarding.
Expert view
Expert from Spam Resource responds that DKIM is essential when messages are forwarded, as this often breaks SPF. Senders should focus on DKIM if they want to ensure their messages are authenticated across the board.
1 Oct 2022 - Spam Resource
Expert view
Expert from Email Geeks explains that the SPF RFC says to use HELO and return-path, but the DMARC RFC states that the HELO SPF identity is "not typically used in the context of DMARC". Therefore, alignment with and SPF pass of the return-path is what's important in DMARC.
11 May 2025 - Email Geeks
What the documentation says
5 technical articles
Technical documentation consistently indicates that DMARC leverages SPF by verifying the MAIL FROM (Return-Path) domain rather than the HELO identity. Furthermore, DKIM is highlighted as a more robust authentication method than SPF due to its use of cryptographic signatures, which are resistant to forwarding-related failures. Consequently, DKIM is deemed crucial for improving email deliverability and preventing messages from being marked as spam.
Key findings
- SPF Domain: DMARC uses the MAIL FROM (Return-Path) domain for SPF authentication.
- DKIM Robustness: DKIM is more robust than SPF because its cryptographic signatures withstand forwarding.
- DKIM Importance: DKIM is essential for preventing emails from being marked as spam.
- SPF Limitation: SPF is susceptible to forwarding issues that can break authentication.
Key considerations
- Prioritize DKIM: Focus on implementing and properly configuring DKIM for optimal deliverability.
- MAIL FROM: Ensure correct setup of SPF records using the MAIL FROM domain.
- Forwarding Resilience: Rely on DKIM to maintain authentication integrity in scenarios involving email forwarding.
- Combined Approach: While DKIM is emphasized, SPF should not be entirely neglected; use both for a comprehensive email authentication strategy.
Technical article
Documentation from dmarc.org explains that DMARC uses the domain in the RFC5322.MailFrom header field (also known as the envelope sender or Return-Path) for SPF authentication, not the HELO identity. This is because the RFC5322.MailFrom domain is considered more reliable for identifying the actual sender.
15 May 2024 - dmarc.org
Technical article
Documentation from Microsoft shares that using DKIM is one of the best ways to ensure emails are not marked as spam. DKIM passes even when a message is forwarded. SPF is recommended but by itself is not sufficient.
20 Dec 2024 - Microsoft
Can I use DMARC with shared IP addresses?
Do Yahoo and Gmail require DMARC authentication for senders?
How can I use DMARC to prevent spammers from using my domain?
How do SPF, DKIM, and DMARC affect email deliverability with Cvent?
How do SPF, DKIM, and DMARC email authentication standards work?
What are SPF, DKIM, and DMARC, and when are they needed?
