The sequence in which recipient mail servers check SPF, DKIM, and DMARC is not universally standardized and can vary between different email providers. However, a fundamental logical order must be followed for DMARC to function correctly. DMARC relies on the results of SPF and DKIM authentication to determine policy actions. Therefore, SPF and DKIM checks must occur before DMARC can evaluate alignment and apply its policy. While SPF may be checked earlier in the SMTP conversation (even at connection time), and DKIM requires the full message header and body, DMARC invariably processes after both these mechanisms have rendered a result.
Key findings
Variability: The precise order of SPF and DKIM evaluation can differ per recipient server, with some checking SPF at the connection level and others processing both in tandem or in a slightly different sequence.
DMARC dependency: DMARC always follows SPF and DKIM checks. It requires their authentication results (and alignment) to decide the email's fate, applying the specified policy.
Pre-data SPF: SPF checks can occur very early in the email transaction, particularly if an SPF policy with a -all mechanism is in place, potentially leading to quicker rejections at the SMTP connection phase.
Post-data DKIM and DMARC: Both DKIM and DMARC necessitate the full email content (headers and body) for validation, meaning they cannot be fully processed until after the DATA command in the SMTP conversation.
Alignment is key: DMARC's effectiveness hinges on the alignment between the domain in the From: header and the domains validated by SPF or DKIM. One passing and aligning is sufficient for DMARC to pass.
Setup vs. check order: While the setup order for these records typically recommends SPF first, then DKIM, then DMARC, this does not dictate the message arrival checking order. For setup best practices, see this simple guide to SPF, DKIM, DMARC.
Key considerations
Recipient server behavior: Mailbox providers (MBPs) might implement their checks differently for optimization or specific security policies. Some may use a mailstream analysis that pre-determines authentication outcomes based on historical data.
SPF -all vs other mechanisms: An SPF -all mechanism (hardfail) can lead to quicker rejections at the SMTP connection phase if the sending IP is not authorized, potentially bypassing further checks.
DMARC’s role: DMARC's primary function is to instruct recipient servers on how to handle emails that do not pass SPF or DKIM authentication in alignment with the organizational domain of the From: header. Because it acts on those results, it processes last. Learn more about how DMARC works.
Reputation building: Even if SPF passes for DMARC alignment, ensuring DKIM also passes and aligns is crucial for maintaining a strong sender reputation and improving overall email deliverability.
Configuration complexity: Incorrect configuration, such as multiple SPF records, can break authentication and impact deliverability. Ensuring best practices for SPF, DKIM, and DMARC is essential.
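The multiple-record failure described above can be checked mechanically. The following Python sketch is an added example, not code from the original page: it applies the RFC 7208 rule that more than one `v=spf1` TXT record yields `permerror`, and goes one step further by folding the duplicates into a single record. The function names, TXT strings, include targets and IP range are constructed placeholders.

```python
import re

SPF_VERSION = re.compile(r"^v=spf1( |$)", re.IGNORECASE)

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records (start with v=spf1)."""
    return [r.strip() for r in txt_records if SPF_VERSION.match(r.strip())]

def record_selection(txt_records):
    """Record selection outcome: RFC 7208 gives permerror for >1 SPF record."""
    count = len(spf_records(txt_records))
    return "none" if count == 0 else "permerror" if count > 1 else "ok"

def merge_spf(txt_records, final_all):
    """Fold several SPF records into one; the caller chooses the final 'all'."""
    merged, seen = [], set()
    for record in spf_records(txt_records):
        for term in record.split()[1:]:
            key = term.lower()
            if key.lstrip("+-~?") == "all":
                continue                      # exactly one 'all', appended last
            if key.startswith("redirect="):
                raise ValueError("redirect= needs a manual decision: " + term)
            if key not in seen:               # drop duplicated mechanisms
                seen.add(key)
                merged.append(term)
    return " ".join(["v=spf1", *merged, final_all])

# Constructed TXT set: a second SPF record was added for a new vendor instead
# of being merged. Hostnames and the TEST-NET-1 range are placeholders.
TXT_RECORDS = [
    "v=spf1 include:_spf.mailvendor.example ip4:192.0.2.0/24 -all",
    "site-verification=constructed-placeholder",
    "v=spf1 include:_spf.crm.example ip4:192.0.2.0/24 ~all",
]

if __name__ == "__main__":
    print(record_selection(TXT_RECORDS))
    print(merge_spf(TXT_RECORDS, final_all="-all"))
```

The merged string is what should replace both original records in DNS; the choice between `-all` and `~all` is a policy decision the script leaves to the operator.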
Email marketers often encounter confusion regarding the authentication order, particularly when working with third-party IT vendors or managing complex DNS settings. The general understanding among marketers is that DMARC acts as the final decision-maker based on SPF and DKIM results, but the exact flow for SPF and DKIM can seem less clear. Many express frustration with the technical intricacies and the need to manually verify or correct DNS records that are improperly configured, which is a common occurrence with new requirements like the recent Gmail and Yahoo authentication updates.
Key opinions
DMARC’s sequential role: Marketers frequently acknowledge that DMARC is inherently dependent on SPF and DKIM, meaning it must be checked after them.
Vendor misinformation: A common challenge is dealing with IT vendors or internal teams who provide incorrect information, such as insisting DMARC is checked first, or that both SPF and DKIM must always align. This misunderstanding can lead to significant deliverability issues.
DNS record challenges: There's widespread frustration with the complexity of DNS record management, especially concerning SPF. Incorrectly adding multiple SPF records instead of merging them is a frequent error. Learn how to verify your SPF, DKIM, and DMARC setup.
Impact of new requirements: Recent changes from major mailbox providers have highlighted a general lack of in-depth knowledge among some deliverability experts and DNS managers, leading to more widespread configuration issues for end-users.
Simplified explanation needed: Marketers often seek straightforward explanations to counter complex or inaccurate technical advice from others.
Key considerations
Educating stakeholders: It is crucial for marketers to be able to explain the correct sequence and dependencies of SPF, DKIM, and DMARC to internal teams and external vendors to prevent misconfigurations that impact email delivery.
Proactive DNS management: Marketers should adopt proactive strategies for managing DNS records, including understanding how to merge SPF records rather than creating new ones. Our guide on record placement can help.
Validation tools: Utilizing reliable tools to check SPF, DKIM, and DMARC configurations is essential to ensure they are set up correctly and consistently interpreted by receiving servers.
Monitoring and reporting: Regularly monitoring DMARC reports (RUA and RUF) provides insight into how various mailbox providers are processing your email authentication, helping to identify and resolve issues even if the initial check order is opaque. See more on DMARC monitoring.
Understanding alignment: A key takeaway for marketers is that DMARC requires at least one of SPF or DKIM to pass AND align with the 'From' domain. This means both don't necessarily need to pass if one satisfies the alignment requirement.
Marketer view
An email marketer from Email Geeks shared a situation where their client's IT vendor incorrectly stated that both SPF and DKIM must always pass/align, and that DMARC is checked first. This highlights a common misunderstanding that needs clarification for effective email authentication.
13 Feb 2024 - Email Geeks
Marketer view
An Email Geeks marketer observed that if a domain has a -all SPF record, Mailbox Providers might fully respect it and process DMARC after SPF and DKIM. However, some organizations might theoretically check SPF and DKIM, then set a DMARC_Aligned = True flag, which would be an unusual and less efficient approach.
13 Feb 2024 - Email Geeks
What the experts say
Email deliverability experts emphasize that while there isn't a strict, universally enforced sequential order for SPF and DKIM checks by all recipient servers, DMARC's evaluation always occurs after both SPF and DKIM have been assessed. This is because DMARC’s core function is to define policy actions based on the outcomes and alignment of these two authentication methods. Experts also point out that SPF can be checked earlier in the SMTP transaction, even before the full message is received, especially if a strict SPF policy is in place. DKIM and DMARC, however, require the entire message content to perform their validations.
Key opinions
No universal order for SPF/DKIM: Experts agree that the exact sequence for SPF and DKIM checks can vary among recipient servers, meaning it's not a rigid, linear process.
DMARC always last: The one certainty is that DMARC processing occurs only after SPF and DKIM have been evaluated, as DMARC depends on their results for policy decisions.
Pre-DATA SPF: SPF can be checked at the connection stage or pre-data, enabling early rejection for certain configurations (e.g., -all mechanism).
Post-DATA DKIM and DMARC: DKIM and DMARC, by their nature, require the full email content and are therefore checked after the DATA command.
Mailstream analysis: Some systems don't strictly follow a linear check. Instead, they analyze the mailstream, potentially knowing authentication outcomes based on sender IP and return path before a full, step-by-step verification.
Importance of DKIM: While SPF passing can satisfy DMARC, DKIM is vital for maintaining domain-based reputation statistics, making its proper validation important even if SPF satisfies DMARC requirements.
Key considerations
Consequences of misinformation: Incorrect understanding of SPF, DKIM, and DMARC, especially concerning their processing order, can lead to dangerous and ineffective email authentication setups, impacting deliverability. For troubleshooting, see how to troubleshoot SPF and DMARC settings.
DNS UI improvements: There's a strong call for DNS administration interfaces to be smarter, preventing conflicting records (like multiple SPF records) and assisting users with proper syntax, such as handling quotes.
Automated configuration: The complexity has spurred the development of automated tools that can detect DNS providers, authenticate, and configure records, or generate precise instructions for IT teams.
Aligning for reputation: Even if DMARC only requires one method (SPF or DKIM) to align, configuring both correctly and ensuring alignment is a best practice for robust domain reputation and avoiding deliverability issues.
Continuous learning: The evolving landscape of email authentication, driven by updates from major mailbox providers, necessitates continuous learning to stay current and implement effective strategies.
Expert view
A deliverability expert from Email Geeks states that the question about the order of SPF, DKIM, and DMARC checks might not be meaningful because each recipient server has its own process. Some check SPF first, while others do both in tandem.
13 Feb 2024 - Email Geeks
Expert view
An expert from Email Geeks clarifies that SPF can be checked at connection or pre-data, but DKIM and DMARC cannot be checked until after the entire message data has been received. This fundamental distinction influences the processing flow.
13 Feb 2024 - Email Geeks
What the documentation says
Official documentation for email authentication protocols like SPF, DKIM, and DMARC outlines their individual roles and dependencies. SPF (RFC 7208) verifies the sending IP address, typically early in the SMTP transaction. DKIM (RFC 6376) uses cryptographic signatures to verify message integrity and sender identity after the message data is received. DMARC (RFC 7489) then builds upon these results, specifically requiring that at least one of SPF or DKIM passes AND aligns with the From: header domain to pass authentication. The documentation implicitly (and sometimes explicitly) states that DMARC cannot make a policy decision without the authentication results from SPF and DKIM, placing it logically last in the sequence of evaluation.
Key findings
SPF's early role: RFC 7208 (SPF) describes SPF evaluation as happening during the SMTP MAIL FROM or HELO/EHLO stages, potentially allowing for immediate rejections.
DKIM's message integrity role: RFC 6376 (DKIM) specifies that the DKIM signature encompasses parts of the message header and body, requiring the full message content for verification, which happens post-data.
DMARC's reliance: RFC 7489 (DMARC) explicitly states that DMARC processes the results of SPF and DKIM to determine email authenticity and apply policy. This makes DMARC a post-authentication mechanism.
Alignment requirement: DMARC mandates that either SPF or DKIM, or both, must not only pass authentication but also align with the organizational domain found in the From: header field.
Policy application: Once DMARC determines the authentication status based on SPF and DKIM, it then applies the sender's defined policy (p=none, p=quarantine, or p=reject).
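The dependency described in these findings can be made concrete with a small evaluator. This Python sketch is an added example, not code from the original page or from any mailbox provider: it takes an SPF result (available before DATA) and DKIM results (available after DATA), tests alignment against the From: domain, and only then applies the policy. The `org_domain` shortcut (last two labels) is a labelled assumption standing in for a Public Suffix List lookup, and all domains are constructed placeholders.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # ASSUMPTION: the organizational domain is the last two labels. Real
    # receivers derive it from the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str                 # domain in the From: header
    mail_from: str                   # envelope sender domain checked by SPF
    spf_result: str                  # available at MAIL FROM, before DATA
    dkim: list = field(default_factory=list)  # (result, d= domain), after DATA

def evaluate_dmarc(msg: Message, policy: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Runs last: it only consumes finished SPF and DKIM results."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, aspf)
    dkim_ok = any(res == "pass" and aligned(d, msg.header_from, adkim)
                  for res, d in msg.dkim)
    passed = spf_ok or dkim_ok       # one passing, aligned mechanism is enough
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else policy}

# Constructed sample messages; every domain here is a placeholder.
FORWARDED = Message("example.com", "example.com", "fail",
                    [("pass", "mail.example.com")])      # SPF broken by forwarding
ESP_SPF_ONLY = Message("example.com", "bounce.esp.example", "pass", [])
UNALIGNED = Message("example.com", "other.example", "pass",
                    [("pass", "other.example")])         # passes, wrong domain

if __name__ == "__main__":
    for name, m in [("forwarded", FORWARDED), ("esp", ESP_SPF_ONLY),
                    ("unaligned", UNALIGNED)]:
        print(name, evaluate_dmarc(m, policy="reject"))
```

The third sample shows why a bare SPF or DKIM pass is not enough: both mechanisms pass for `other.example`, yet neither aligns with the From: domain, so the published policy applies.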
Key considerations
Interoperability: While RFCs define the mechanisms, their precise order of execution can be optimized by recipient servers for performance and security, as long as the logical dependencies are met. This is part of how email authentication standards work.
Robust implementation: Documentation encourages senders to implement both SPF and DKIM for resilience, as an email might fail one authentication method (e.g., SPF due to forwarding) but still pass the other, ensuring DMARC passes.
Report analysis: DMARC's reporting functionality (RUA and RUF) provides critical feedback on how receiving servers are processing authentication results and policy application, serving as the ultimate arbiter of success.
Continual evolution: The RFCs and related best practice documents are regularly updated, requiring administrators to stay informed about changes that may affect implementation and checking order nuances.
Technical article
RFC 7208, which defines SPF, specifies that a receiving Mail Transfer Agent (MTA) checks the sender's domain during the SMTP session, specifically at the MAIL FROM or HELO/EHLO stages. This enables early rejection of unauthorized mail, indicating SPF can be an initial check.
22 Mar 2025 - RFC 7208 (SPF)
Technical article
RFC 6376, for DKIM, outlines that the verification process involves reconstructing the canonicalized message headers and body, hashing them, and verifying the signature over those hashes with the signer's public key. This process necessitates the entire message content to be received before a DKIM verdict can be rendered.