SPF vs DKIM: What's the Difference?

Understand the key differences between SPF and DKIM, and why you need both for complete email authentication.

Overview

SPF and DKIM are two complementary email authentication mechanisms that address different attack vectors. SPF answers the question "Did this email come from an authorized server?" while DKIM answers "Was this message tampered with in transit?" Both are required for a complete DMARC implementation.

How SPF Works

Sender Policy Framework (SPF) works at the network level. You publish a DNS TXT record on your domain that lists the IP addresses and hostnames authorized to send email on your behalf. When a receiving mail server gets an email claiming to be from your domain, it checks the sending server's IP against your SPF record. If the IP isn't listed, SPF fails.

SPF checks the envelope sender (the MAIL FROM address used in the SMTP transaction), not the From header visible to users. This distinction matters for DMARC alignment.

How DKIM Works

DomainKeys Identified Mail (DKIM) works at the message level. Your mail server signs outgoing emails with a private cryptographic key. The corresponding public key is published in your DNS. Receiving servers retrieve your public key and use it to verify the signature in the email header. If the signature is valid, the message hasn't been altered since it left your server.

DKIM signs specific headers and the message body. Any modification to those signed parts — including headers like Subject or From — will invalidate the signature.

Side-by-Side Comparison

Feature | SPF | DKIM
--------------------------|-----------------------------------------|--------------------------------------------------------
What it validates | Sending server IP address | Message integrity and signing domain
DNS record type | TXT record on sending domain | TXT record at selector._domainkey subdomain
Survives email forwarding | No — forwarding changes the sending IP | Yes — signature travels with the message
Detects message tampering | No | Yes
Lookup limit | Max 10 DNS lookups per evaluation | No lookup limit
Setup complexity | Low — add IPs/includes to DNS | Medium — requires key generation and mail server config
DMARC alignment uses | Envelope From vs Header From | d= tag in signature vs Header From

Key Differences

The most important practical difference is forwarding behavior. When an email is forwarded, the intermediate server changes the sending IP. This breaks SPF because the new IP isn't in the original sender's SPF record. DKIM, however, is unaffected by forwarding — the cryptographic signature remains intact as long as the message body and signed headers aren't modified.

SPF also has a hard limit of 10 DNS lookups during evaluation. If your SPF record includes many third-party services (each adding their own includes), you can exceed this limit and cause SPF to fail with a permerror. DKIM has no equivalent restriction.

Why You Need Both for DMARC

DMARC requires that at least one of SPF or DKIM passes and is aligned with the From header domain. Because SPF breaks on forwarded email, relying on SPF alone means forwarded legitimate emails may fail DMARC. DKIM provides the reliability that covers these forwarding scenarios.

Conversely, DKIM alone doesn't prevent an unauthorized server from sending email — it only proves the message wasn't tampered with. SPF provides the server authorization layer. Together, they cover all the angles DMARC needs to make an enforcement decision.
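The decision rule described above, as an added example that is not part of the original article: a small Python model of how a receiving server combines SPF and DKIM results into a DMARC verdict, including the forwarding case where only DKIM survives. The domain names and the "last two labels" organizational-domain rule are assumptions made for illustration.

```python
# Added example, not code from the original article: a minimal model of the
# DMARC decision a receiver makes from SPF and DKIM results. The organizational
# domain is approximated as the last two labels (assumption; real receivers
# consult the Public Suffix List, so a domain like example.co.uk needs more care).

def org_domain(domain: str) -> str:
    """Approximate organizational domain: the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_aligned(header_from: str, auth_domain, mode: str = "r") -> bool:
    """Relaxed mode ('r') accepts the same organizational domain;
    strict mode ('s') requires an exact domain match."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_evaluate(header_from, mail_from, spf_result, dkim_d, dkim_result,
                   aspf="r", adkim="r"):
    """Combine SPF and DKIM the way DMARC does.

    SPF counts only if it passed for the envelope (MAIL FROM) domain and that
    domain aligns with the visible From domain; DKIM counts only if the
    signature verified and its d= domain aligns with the From domain.
    DMARC passes when at least one of the two counts.
    """
    spf_ok = spf_result == "pass" and is_aligned(header_from, mail_from, aspf)
    dkim_ok = dkim_result == "pass" and is_aligned(header_from, dkim_d, adkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

if __name__ == "__main__":
    # Constructed scenario: a message forwarded by a mailing list. The
    # forwarder's IP is not in example.com's SPF record, so SPF fails, but the
    # DKIM signature (d=example.com) is untouched and carries the DMARC pass.
    print(dmarc_evaluate("example.com", "lists.forwarder.net", "fail",
                         "example.com", "pass"))
    # The same forwarding path without DKIM: nothing aligns, DMARC fails.
    print(dmarc_evaluate("example.com", "lists.forwarder.net", "fail",
                         None, "none"))
    # Third-party platform that signs with its own domain: neither aligns.
    print(dmarc_evaluate("example.com", "bounces.esp.net", "pass",
                         "esp.net", "pass"))
```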

Recommendation

Implement both SPF and DKIM on every domain you use to send email. Configure SPF to authorize all your sending services, and enable DKIM signing on your mail server and any third-party email platforms (marketing tools, CRMs, ticketing systems). This gives DMARC two independent authentication signals to work with, maximizing deliverability and protection.

Frequently Asked Questions

Can I use DMARC with only SPF or only DKIM?

Technically yes — DMARC only requires one to pass and align. But relying on SPF alone leaves you exposed to forwarding failures. Relying on DKIM alone means SPF alignment won't contribute to DMARC passes. Best practice is to have both configured and aligned.

Does DKIM prevent email spoofing?

DKIM prevents message tampering and proves which domain signed the message, but it doesn't directly prevent spoofing of the From header. That's what DMARC does — it requires the DKIM signing domain to align with the visible From domain, closing the spoofing gap.

What happens when SPF exceeds 10 DNS lookups?

The receiving server returns a permerror result, which causes SPF to fail permanently for that check. This can cause DMARC failures if DKIM also isn't configured. Audit your SPF record regularly and use SPF flattening tools to stay within the lookup limit.