Last updated: July 2026

In short: SPF, DKIM and DMARC are not three options to pick between — they’re one system. SPF and DKIM are two independent checks a receiver runs; DMARC is the policy that decides what happens when both fail. You need all three, and you roll DMARC out gradually.

People often ask “SPF or DKIM?” as if choosing one. That’s the wrong frame. Each answers a different question, and DMARC only works once both are in place. Here’s the division of labour.

What each one actually checks

StandardQuestion it answersWhere it livesSurvives forwarding?
SPFIs the sending server allowed to send for this domain?TXT record (v=spf1 …)No
DKIMWas the message signed by the domain, and unaltered?Public key in DNS + signature in headersYes
DMARCWhat do I do if both checks fail — and do the domains align?TXT record (v=DMARC1 …)n/a — it’s the policy

SPF checks the path

SPF looks at the server that delivered the message and asks whether it appears in the domain’s published list. It’s tied to the connection, so it breaks the moment a message is forwarded — the forwarding server isn’t in your record. That’s not a bug you can fix; it’s inherent to how SPF works, and it’s a big reason DKIM exists.

DKIM checks the message

DKIM ignores the path entirely. The message carries a cryptographic signature; the receiver fetches your public key from DNS and verifies it. If it checks out, the message genuinely passed through your infrastructure and wasn’t tampered with. Because the signature rides along with the message, DKIM keeps passing even after a forward.

DMARC checks alignment and decides

Here’s the subtle part. SPF and DKIM each validate a domain — but not necessarily the domain a human sees in the “From” field. DMARC adds alignment: it requires that the domain SPF or DKIM validated matches the visible From domain. A message passes DMARC if at least one of SPF or DKIM passes and aligns. Then your DMARC policy — p=none, p=quarantine, or p=reject — decides the fate of everything that fails.

This is why DMARC without SPF and DKIM is meaningless: there’s nothing for it to evaluate.

Why you need both SPF and DKIM, not one

Because they fail in different situations, they cover for each other:

  • A message you send directly to a recipient: SPF and DKIM both pass.
  • A message that gets forwarded: SPF breaks, but DKIM survives — DMARC still passes on the DKIM leg.
  • A mailing list that rewrites the message: DKIM may break, but if it rewrites the envelope sender, SPF can carry the pass.

Running only one leaves DMARC failing legitimate mail in exactly these edge cases. Two independent checks mean one can fail without costing you delivery.

The ramp to enforcement

The single biggest mistake is jumping straight to p=reject. Do that blind and you’ll bounce legitimate mail from a newsletter tool or CRM you forgot about. The safe path has three stages:

  1. p=none — observe. Publish DMARC in monitoring mode. You block nothing, but receivers start sending you aggregate reports. Read them for a few weeks and build a full list of everything that legitimately sends in your name.
  2. p=quarantine — soft enforcement. Failing mail goes to spam instead of the inbox. Keep watching reports. Fix any legitimate source that’s still failing — usually a missing SPF include or DKIM signing that was never turned on.
  3. p=reject — full enforcement. Failing mail is rejected outright. This is the goal: nobody can spoof your domain into an inbox. Only get here once the reports are clean.

You can also start quarantine and reject with a percentage tag to roll out gradually. The principle is the same: let the reports tell you when it’s safe to tighten.

Where to set it up

The three records live in your DNS, so the exact steps depend on where your DNS and mailboxes are. Pick your host in the setup guides by provider — each one walks through SPF, DKIM and DMARC for that specific control panel. Or start from the full stack overview if you also want the transport layer (TLS, MTA-STS, DANE).

Verify the result

The free MXAudit scanner checks all three at once: whether your SPF record is syntactically valid and within the 10-lookup limit, whether your DKIM keys resolve, and what your DMARC policy is set to. It’s the quickest way to confirm the three are actually working together — not just present.

Further reading