Suped

Summary

The consensus from experts, marketers, and documentation is that the correct order is SPF, then DKIM, and finally DMARC. SPF authenticates the sender's IP address. DKIM verifies the message's integrity. DMARC leverages the results of SPF and DKIM to enforce policies on how to handle emails that fail authentication. Though DMARC typically relies on both SPF and DKIM, it is possible to pass DMARC validation if SPF passes, even without DKIM validation.

Key findings

  • SPF: Sender Authentication: SPF authenticates the sending mail server's IP address, verifying that the sender is authorized to send emails on behalf of the domain.
  • DKIM: Message Integrity: DKIM verifies the message's integrity by using a digital signature, ensuring the content hasn't been altered during transit.
  • DMARC: Policy Enforcement: DMARC leverages the results of SPF and DKIM to enforce policies on how recipient mail servers should handle unauthenticated messages, providing instructions to quarantine or reject them.
  • DMARC Dependence: DMARC relies on SPF and DKIM, so they must be implemented and correctly configured for DMARC to function properly.
  • Possible DMARC Exception: It is possible to pass DMARC without DKIM validation if SPF passes.

Key considerations

  • Prioritize SPF and DKIM: Focus on implementing and properly configuring SPF and DKIM before deploying DMARC.
  • Policy Definition: Define clear DMARC policies (none, quarantine, reject) to instruct recipient servers on how to handle emails that fail authentication.
  • Security Enhancement: Properly implement SPF, DKIM, and DMARC to enhance email security and prevent domain spoofing and phishing attacks.
  • Expert Vendor: Get an expert to make sure the vendor implements SPF, DKIM, and DMARC correctly.

What email marketers say

6 marketer opinions

The consensus is that SPF and DKIM checks precede DMARC checks. SPF authenticates the sender's IP address, DKIM verifies the message's integrity via a digital signature, and DMARC leverages the results of SPF and DKIM to enforce policies regarding authentication failures, informing the recipient server how to handle such messages.

Key opinions

  • SPF Authentication: SPF validates the sending mail server's IP address.
  • DKIM Verification: DKIM verifies the message's integrity using a digital signature, ensuring the content hasn't been altered during transit.
  • DMARC Policy Enforcement: DMARC builds upon SPF and DKIM, dictating how recipient mail servers should handle messages that fail either SPF or DKIM authentication. It provides a policy for handling authentication failures and reporting mechanisms.
  • DMARC builds on SPF/DKIM: DMARC needs SPF and DKIM to be in place first, before DMARC can actually work.

Key considerations

  • Implementation Order: Implement SPF and DKIM before implementing DMARC to ensure proper email authentication.
  • Vendor Expertise: Ensure your email service provider or IT vendor understands the correct order and functionality of SPF, DKIM, and DMARC to avoid misconfigurations.
  • Authentication Failure Handling: DMARC policies determine what happens when SPF and DKIM checks fail. Options include rejecting, quarantining, or accepting messages. Setting DMARC to 'none' means that no action is taken.

Marketer view

Email marketer from Proofpoint notes that, conceptually, SPF and DKIM need to be evaluated first to generate an authentication result that DMARC can then act upon, dictating how to treat the message. They didn't specify the order but the order is implicit.

4 Nov 2021 - Proofpoint

Marketer view

Email marketer from Reddit explains that first SPF should check the sender's IP, then DKIM will verify whether the message has been tampered with, and then DMARC builds upon these protocols and checks for alignment. Only after these verifications will DMARC define what happens to emails that fail authentication.

12 Sep 2022 - Reddit

What the experts say

5 expert opinions

The experts agree that the order is SPF first, followed by DKIM, and lastly DMARC. SPF is checked at the connection level and authenticates the sender. DKIM validates the message's content integrity after the data has been transmitted. DMARC builds upon SPF and DKIM, providing policies for how to handle messages that fail authentication. It's also possible to pass DMARC without DKIM if SPF passes.

Key opinions

  • SPF First: SPF is checked at the connection level and authenticates the sender's IP address.
  • DKIM Second: DKIM verifies that the message content hasn't been altered and is checked after the data is transmitted.
  • DMARC Last: DMARC builds upon SPF and DKIM, specifying how email receivers should handle messages that fail authentication and provides reporting.
  • DMARC Flexibility: It is possible to pass DMARC without validating DKIM if SPF passes.

Key considerations

  • Implementation Order: Implement SPF and DKIM before implementing DMARC to ensure proper email authentication.
  • Security Enhancement: DMARC enhances email security by providing instructions to recipient mail servers on how to deal with unauthenticated messages.
  • Understanding Dependencies: DMARC relies on the successful implementation and validation of SPF and DKIM to function effectively.

Expert view

Expert from Email Geeks explains that SPF can be checked at connection, before data is transmitted. DKIM MUST be checked after data, and DMARC cannot be checked until after the data is transmitted and DKIM is checked.

12 Dec 2023 - Email Geeks
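
The evaluation order described above, as an added Python example that is not taken from any of the quoted sources: SPF data is known before DATA, DKIM results only after it, and DMARC combines the two with an alignment check against the From: domain. The function names, the two-label organizational-domain shortcut, and all domains are assumptions made for illustration.

```python
def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (needed for names like example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def evaluate_dmarc(from_domain, spf_result, mail_from_domain, dkim_sigs,
                   policy="none", aspf="r", adkim="r"):
    """Combine results in the order a receiver obtains them.

    spf_result / mail_from_domain: known at MAIL FROM, before DATA.
    dkim_sigs: list of (result, d_domain) pairs, known only after DATA.
    policy, aspf, adkim: the p=, aspf= and adkim= tags of the DMARC record.
    """
    via = []
    if spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf == "s"):
        via.append("spf")
    if any(r == "pass" and aligned(d, from_domain, adkim == "s")
           for r, d in dkim_sigs):
        via.append("dkim")
    if via:  # one aligned pass is enough for DMARC to pass
        return {"dmarc": "pass", "via": via, "disposition": "none"}
    return {"dmarc": "fail", "via": [], "disposition": policy}

# Constructed sample messages; every domain is a placeholder.
SAMPLES = {
    # SPF passes and aligns, message carries no DKIM signature at all.
    "spf_only": dict(from_domain="example.com", spf_result="pass",
                     mail_from_domain="mail.example.com", dkim_sigs=[]),
    # SPF passes for a third-party bounce domain; aligned DKIM carries it.
    "dkim_only": dict(from_domain="example.com", spf_result="pass",
                      mail_from_domain="bounces.esp.example",
                      dkim_sigs=[("pass", "example.com")]),
    # Both checks pass, but neither domain matches the From: domain.
    "unaligned": dict(from_domain="example.com", spf_result="pass",
                      mail_from_domain="bounces.esp.example",
                      dkim_sigs=[("pass", "esp.example")]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate_dmarc(policy="reject", **msg))
```

The third sample is the case worth checking in aggregate reports: SPF and DKIM both report pass, yet DMARC fails because neither authenticated domain aligns with the From: domain.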

Expert view

Expert from Spamresource explains that DMARC builds on SPF and DKIM to enhance security. It provides a policy that tells recipient mail servers what to do with messages that fail SPF and DKIM checks, and gives a reporting mechanism.

16 May 2024 - Spamresource

What the documentation says

4 technical articles

The documentation consistently states that SPF and DKIM are prerequisites for DMARC. SPF authenticates the sending server, DKIM verifies the integrity of the message, and DMARC uses the results of these checks to enforce policies regarding unauthenticated email.

Key findings

  • SPF Authentication: SPF validates the sending mail server's IP address.
  • DKIM Verification: DKIM verifies the integrity of the message's content.
  • DMARC Policy: DMARC relies on SPF and DKIM results to dictate how recipient mail servers should handle unauthenticated messages.
  • Interdependence: SPF and DKIM must be correctly configured for DMARC to function effectively.

Key considerations

  • Proper Configuration: Ensure SPF and DKIM are properly configured before implementing DMARC.
  • Policy Enforcement: Understand and configure DMARC policies to specify how unauthenticated emails should be handled (e.g., quarantine, reject).
  • Sender Reputation: Implementing SPF, DKIM, and DMARC helps maintain sender reputation and improves email deliverability.

Technical article

Documentation from Google explains that DMARC leverages SPF and DKIM to determine the authenticity of an email. It specifies how recipient mail servers should handle messages that fail SPF and DKIM checks.

23 Jun 2023 - Google

Technical article

Documentation from AuthSMTP answers states that when an email is sent, SPF checks the sender's IP address, DKIM verifies the message's digital signature, and DMARC uses the results of both to enforce policies and provide feedback.

28 Dec 2021 - AuthSMTP
