Yes, DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) are two distinct email authentication methods that can and do work independently of each other. They are published as separate records in your DNS and are designed to validate different aspects of an email's origin. An email can pass one check without passing the other.
However, while they are technically independent, the reality of modern email security is that they are designed to be used together, ideally under the umbrella of a DMARC policy. Let's break down how each one works on its own before looking at how they combine.
SPF, or Sender Policy Framework, is an email authentication standard that allows a domain owner to specify which mail servers (identified by their IP addresses) are authorized to send email on behalf of their domain. This is done by creating a special TXT record in the domain's DNS.
When an email is received, the recipient's mail server can look up the SPF record for the sending domain. It then checks if the IP address of the server that sent the email is on that authorized list. If it is, the email passes the SPF check. If not, it fails. A major drawback of SPF is that it can break when an email is forwarded, as the forwarding server's IP address will likely not be in the original sender's SPF record.
DKIM, or DomainKeys Identified Mail, takes a different approach. Instead of authorizing IP addresses, DKIM provides a way to verify that an email was actually sent by the claimed domain and that its content has not been altered in transit. It works by adding a digital signature to the email's headers.
This signature is generated using a private key kept on the sending mail server. The corresponding public key is published in a DNS record for the domain. The receiving server can fetch this public key to verify the signature. Since the signature is part of the email itself, DKIM signatures typically survive forwarding, which makes DKIM a more resilient authentication method than SPF.
As established, you can use DKIM or SPF on its own, and you don't technically need one to implement the other. The challenge with using them in isolation is that they don't tell the receiving mail server what to do if a check fails. This is where DMARC comes in.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy layer that unifies SPF and DKIM. By publishing a DMARC record, you can instruct receiving servers on how to handle emails that fail authentication. More importantly, DMARC introduces the concept of "alignment".
This framework is why, despite their independence, SPF and DKIM are almost always discussed together. They are the foundational pillars upon which DMARC is built, and implementing all three is the modern standard for securing your email and ensuring deliverability.
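The sketch below is an added example, not code from the original article. It shows how a receiver can combine the two independent results under DMARC: a mechanism counts only if it passes and its domain is aligned with the domain in the visible From header. The `Message` fields, the function names, the last-two-labels shortcut for relaxed alignment and the sample domains are assumptions made for illustration.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str   # domain in the visible From: header
    mail_from: str     # envelope sender domain that SPF checked
    spf: str           # SPF result for mail_from: "pass" or "fail"
    dkim_d: str        # d= domain of the DKIM signature
    dkim: str          # DKIM signature result: "pass" or "fail"

def dmarc_evaluate(msg: Message, policy: str = "reject") -> dict:
    # A mechanism counts for DMARC only if it passes AND is aligned.
    spf_ok = msg.spf == "pass" and aligned(msg.mail_from, msg.header_from)
    dkim_ok = msg.dkim == "pass" and aligned(msg.dkim_d, msg.header_from)
    passed = spf_ok or dkim_ok  # one aligned pass is enough
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}

# Constructed sample messages using reserved example domains.
SAMPLES = {
    # Sent directly: both checks pass and both are aligned.
    "direct": Message("example.com", "bounce.example.com", "pass", "example.com", "pass"),
    # Forwarded: SPF fails on the forwarder's IP, the DKIM signature survives.
    "forwarded": Message("example.com", "example.com", "fail", "example.com", "pass"),
    # Both checks pass, but for a domain other than the one in From.
    "unaligned": Message("example.com", "example.net", "pass", "example.net", "pass"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, dmarc_evaluate(msg))
```

The "unaligned" sample is the case that neither SPF nor DKIM catches on its own: each check passes for the domain it examined, and only the alignment requirement ties that result back to the From domain the recipient sees.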
So, does DKIM work independently of SPF? Absolutely. But the real question is whether you should use them independently. The answer to that is a firm no. For robust protection against phishing, spoofing, and other email-based threats, you need SPF and DKIM working together under a DMARC policy. This combination ensures your legitimate emails are trusted by receivers and malicious emails using your domain are blocked.