How do SPF, DKIM, and DMARC email authentication standards work?

Summary

SPF, DKIM, and DMARC are email authentication methods essential for preventing email spoofing and phishing, enhancing deliverability, and building trust. SPF identifies authorized sending sources by checking the sending IP address against the domain's DNS records. DKIM adds a digital signature to each message, which the receiving server validates against the domain's public key to confirm message integrity. DMARC builds on SPF and DKIM, letting domain owners set a policy for how receiving servers should handle emails that fail authentication: reject, quarantine, or monitor. DMARC also provides reporting to track authentication results. Resources like Word to the Wise and Global Cyber Alliance offer guidance. While these standards bolster security, Microsoft Exchange may require additional configuration for full DMARC enforcement.

Key findings

  • SPF Functionality: SPF verifies sending IP addresses against authorized domain records to prevent spoofing.
  • DKIM Functionality: DKIM ensures message integrity through digital signatures validated by receiving servers.
  • DMARC Functionality: DMARC builds on SPF and DKIM, setting policies for handling authentication failures and providing reports.
  • Comprehensive Security: Implementing SPF, DKIM, and DMARC provides a strong defense against email fraud.
  • Improved Deliverability: Proper email authentication enhances deliverability and sender reputation.

Key considerations

  • Implementation Complexity: Setting up SPF, DKIM, and DMARC involves technical configuration in DNS and email systems.
  • Microsoft Exceptions: Microsoft Exchange may need custom rules to fully enforce DMARC policies.
  • DMARC Reporting: DMARC reporting is valuable for monitoring and refining authentication setups.
  • External Resources: Resources like Word to the Wise and DMARC Bootcamp can aid in understanding and implementing these standards.

What email marketers say
11 Marketer opinions

SPF, DKIM, and DMARC are email authentication methods designed to prevent spoofing and phishing. SPF verifies authorized sending sources for a domain, DKIM validates the integrity of the email content using a digital signature, and DMARC builds upon these by allowing domain owners to set policies for how receiving servers should handle emails that fail authentication. DMARC also provides reporting mechanisms. Implementing all three provides a strong defense against email fraud and enhances deliverability. Some mail services, like Microsoft Exchange, may require additional configuration to fully enforce DMARC policies.

Key opinions

  • SPF Function: SPF specifies authorized mail servers for a domain, preventing unauthorized use.
  • DKIM Function: DKIM uses a digital signature to ensure email integrity and verify the sender.
  • DMARC Function: DMARC builds on SPF/DKIM by setting policies for handling authentication failures and providing reports.
  • Combined Protection: Implementing SPF, DKIM, and DMARC together provides robust defense against spoofing and phishing.
  • Deliverability Impact: Proper email authentication improves deliverability and sender reputation.

Key considerations

  • Microsoft Exceptions: Microsoft Exchange might require custom inbound rules to enforce DMARC reject policies.
  • Complexity: Implementing these standards involves technical configuration in DNS and email systems.
  • Reporting: DMARC reporting helps monitor and improve email authentication setup.
  • Ongoing Maintenance: Regularly review and update SPF, DKIM, and DMARC configurations to adapt to changing email infrastructure.

Marketer view

Email marketer from Mailjet explains that DKIM uses a digital signature, which is added to the email header. This signature is validated by the recipient's email server using a public key located in your domain's DNS records. If the signature matches, the email is authenticated, proving it hasn't been tampered with.

May 2023 - Mailjet
Marketer view

Email marketer from EasyDMARC explains that implementing SPF, DKIM, and DMARC together provides a strong defense against email spoofing and phishing attacks. SPF verifies sending sources, DKIM validates message integrity, and DMARC sets the policy and reporting to enforce authentication.

November 2021 - EasyDMARC
Marketer view

Marketer from Email Geeks recommends Global Cyber Alliance's DMARC Bootcamp for courses on Email Authentication protocols and offers to answer specific questions about DMARC reports via DM.

May 2023 - Email Geeks
Marketer view

Marketer from Email Geeks explains that Microsoft often disregards DMARC policies and suggests using the Exchange Admin portal to create inbound rules to enforce DMARC reject policies.

March 2025 - Email Geeks
Marketer view

Marketer from Email Geeks shares that Word to the Wise breaks down complicated email concepts in an easy-to-understand way, providing links to DKIM and SPF articles on the website.

July 2021 - Email Geeks
Marketer view

Email marketer from Proofpoint shares that DMARC builds on SPF and DKIM by enabling domain owners to define a policy for how receiving mail servers should handle emails that fail authentication checks. You can choose to have these emails rejected, quarantined, or simply monitored through reports.

April 2024 - Proofpoint
Marketer view

Email marketer from URIports explains that DMARC is a tool that allows domain owners to protect their brand from email spoofing. By using DMARC you can gain insight into who is sending emails on your behalf and prevent malicious actors from using your domain to send fraudulent emails.

May 2023 - URIports
Marketer view

Marketer from Email Geeks provides a simplified explanation of SPF as a list of approved postmen, DKIM as a digital signature for verifying email integrity, and DMARC as a way to instruct receiving mail servers on how to handle emails that fail authentication, noting Microsoft Exchange's exception to DMARC reject policies.

June 2023 - Email Geeks
Marketer view

Email marketer from SparkPost explains that SPF allows you to specify which mail servers are authorized to send email on behalf of your domain. This helps prevent spammers from using your domain to send unauthorized emails. The SPF record is a TXT record in your DNS settings.

October 2023 - SparkPost
Marketer view

Email marketer from TitanHQ explains that understanding email authentication is key to preventing phishing and spoofing attacks. Setting up SPF, DKIM and DMARC correctly prevents impersonation and builds trust with email recipients, improving deliverability.

August 2024 - TitanHQ
Marketer view

Email marketer from Postmark shares that proper implementation of email authentication (SPF, DKIM, and DMARC) helps improve email deliverability by ensuring that legitimate emails reach the intended recipients' inboxes. This can increase brand reputation and reduce the risk of email ending up in spam folders.

February 2022 - Postmark

What the experts say
4 Expert opinions

SPF, DKIM, and DMARC are email authentication methods used to verify email senders and protect domains from spoofing. SPF declares authorized sending IP addresses, DKIM provides a cryptographic signature to ensure email integrity, and DMARC instructs mailbox providers on how to handle emails failing SPF or DKIM checks while also requesting reports. DMARC allows senders to specify actions such as rejecting or quarantining unauthenticated mail.

Key opinions

  • Email Authentication: SPF, DKIM, and DMARC are tools for verifying email senders.
  • SPF Function: SPF declares authorized IP addresses for a domain.
  • DKIM Function: DKIM adds a digital signature to ensure email integrity.
  • DMARC Function: DMARC sets policies for handling failed authentication and requests reports.
  • Policy Control: DMARC allows senders to specify actions (reject, quarantine, none) for unauthenticated emails.
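
The policy control described above, as an added example (not code from this page or from any of the quoted sources): a receiver-side sketch that parses a DMARC record and picks the action for a message from its SPF and DKIM results. The domains and records are constructed samples, and the alignment check is a simplification; a real verifier compares organizational domains using the Public Suffix List as RFC 7489 describes.

```python
# Added example: DMARC record parsing and disposition (simplified from RFC 7489).
# All domains and records used with it are constructed sample data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is unusable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(auth_domain, from_domain):
    """Approximate relaxed alignment: identical, or one is a subdomain of the other."""
    a, f = auth_domain.lower(), from_domain.lower()
    if not a or not f:
        return False
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(from_domain, record, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'deliver', or the published policy: 'none', 'quarantine', 'reject'."""
    policy = parse_dmarc(record)
    if policy is None:
        return "deliver"  # no usable DMARC policy published for the From domain
    # A pass only counts if the authenticated domain matches the visible From domain.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "deliver"  # DMARC passes when either aligned check passes
    return policy["p"]    # 'none' means monitor only: deliver and report

REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"  # constructed
QUARANTINE = "v=DMARC1; p=quarantine"                                # constructed
```

An SPF pass for an unrelated envelope domain does not satisfy DMARC on its own, which is why the alignment step matters when reading DMARC reports.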

Key considerations

  • Implementation: Proper implementation requires configuring DNS records and email systems.
  • Combined Use: SPF and DKIM should be used together, with DMARC for policy enforcement.
  • Monitoring: DMARC reports provide valuable insights into email authentication results.
  • Expert Assistance: Email authentication can be complex, and expert assistance is available.

Expert view

Expert from Word to the Wise responds stating that DKIM is a system to verify who sent an email. It is the electronic equivalent of a signature. DKIM adds a digital signature to every email that is sent from your system.

July 2022 - Word to the Wise
Expert view

Expert from Email Geeks offers to answer questions about email authentication.

July 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that DMARC lets the sender tell the receiver what to do with mail that fails authentication (SPF/DKIM). The sender can ask the receiver to reject the email, quarantine it, or do nothing, while also requesting reports about authentication results.

January 2025 - Word to the Wise
Expert view

Expert from Word to the Wise explains that SPF, DKIM, and DMARC are mechanisms to vouch for who is sending email using your domain, noting that all three are needed. SPF allows you to declare which IP addresses send mail for your domain. DKIM provides a cryptographic signature. DMARC tells mailbox providers what to do if SPF and DKIM fail and asks for reports about your mail.

December 2023 - Word to the Wise

What the documentation says
4 Technical articles

SPF, DKIM, and DMARC are email authentication standards. SPF verifies sending IP addresses against a domain's authorized list to prevent forged sender addresses. DKIM adds a digital signature to outgoing messages, validated against a public key in DNS, confirming message integrity. DMARC builds on SPF and DKIM, adding a reporting function to improve and monitor domain protection from fraudulent email, helping identify legitimate senders and block malicious actors.

Key findings

  • SPF Function: SPF authenticates email by verifying sending IP addresses against authorized lists.
  • DKIM Function: DKIM uses digital signatures to ensure the integrity of email messages.
  • DMARC Function: DMARC builds upon SPF and DKIM by adding reporting and policy enforcement.
  • Fraud Protection: These standards help protect against email spoofing and phishing attacks.

Key considerations

  • DNS Configuration: Proper setup requires configuring DNS records with SPF, DKIM, and DMARC information.
  • Interoperability: DMARC relies on SPF and DKIM for its functionality.
  • Monitoring: DMARC reporting helps track and improve email authentication effectiveness.

Technical article

Documentation from Google explains that SPF (Sender Policy Framework) is an email authentication method designed to detect forged sender addresses during the delivery of the email. SPF allows receiving mail servers to verify that mail appearing to come from a specific domain is sent from an IP address authorized by that domain's administrators.

December 2021 - Google
Technical article

Documentation from Microsoft explains that DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email messages. Receiving mail servers verify this signature against a public key published in the DNS records. This process confirms that the message wasn't altered during transit and is genuinely from the claimed sender domain.

November 2023 - Microsoft
Technical article

Documentation from AuthSMTP explains that SPF works by creating a list of authorized IP addresses and domain names that are permitted to send email on behalf of your domain. The recipient mail server checks the SPF record to verify that the sending server is authorized.

December 2022 - AuthSMTP
Technical article

Documentation from DMARC.org explains that DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol. It builds upon SPF and DKIM to add a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email. DMARC helps email providers identify legitimate senders and block malicious actors.

September 2023 - DMARC.org