Should DMARC checks focus on SPF HELO or Return-Path and should you focus on DKIM or SPF?

Summary

Experts, marketers, and technical documentation all agree that DMARC leverages SPF by checking the MAIL FROM (Return-Path) domain, not the HELO. While SPF has its place, DKIM is overwhelmingly considered more robust and crucial for email authentication, especially in scenarios involving message forwarding. DKIM's cryptographic signatures ensure authentication integrity, making it a more reliable choice for long-term deliverability and preventing emails from being marked as spam. Senders with dedicated IPs can benefit from focusing on SPF, but DKIM remains paramount for most use cases.

Key findings

  • SPF Domain Focus: DMARC uses the MAIL FROM (Return-Path) domain for SPF authentication.
  • DKIM Superiority: DKIM is considered more robust and reliable than SPF due to its cryptographic signatures and resilience to forwarding.
  • Forwarding Impact: SPF breaks when messages are forwarded, while DKIM remains valid, making it essential for maintaining authentication.
  • Spam Prevention: Implementing DKIM is one of the best ways to prevent emails from being marked as spam.

Key considerations

  • Prioritize DKIM Implementation: Focus on implementing and properly configuring DKIM for optimal email deliverability.
  • MAIL FROM Setup: Ensure accurate setup of SPF records using the MAIL FROM domain.
  • Forwarding Scenarios: Prioritize DKIM if your emails are frequently forwarded or handled by mailing lists.
  • Dedicated IPs: Senders with dedicated IPs may find SPF more beneficial, but DKIM should still be implemented for comprehensive authentication.
  • Continuous Monitoring: Regularly monitor both SPF and DKIM records to ensure ongoing email authentication success.
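The evaluation summarized above can be sketched as follows. This is an added example, not code from any of the quoted sources. It assumes relaxed alignment by default and approximates the organizational domain as the last two labels instead of consulting the Public Suffix List; all domains and results are constructed samples.

```python
# Added example: simplified DMARC identifier-alignment evaluation.
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    header_from: str        # domain in the From: header
    mailfrom: str           # MAIL FROM (Return-Path) domain
    spf_mailfrom: str       # SPF result for the MAIL FROM identity
    helo: str = ""          # HELO/EHLO domain, recorded but not evaluated
    spf_helo: str = "none"  # SPF result for the HELO identity, not evaluated
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]

def dmarc_eval(r: AuthResults, strict: bool = False) -> dict:
    # SPF counts only if the MAIL FROM identity passed AND aligns with From:.
    spf_ok = r.spf_mailfrom == "pass" and aligned(r.mailfrom, r.header_from, strict)
    # DKIM counts if any passing signature's d= domain aligns with From:.
    dkim_ok = any(res == "pass" and aligned(d, r.header_from, strict)
                  for d, res in r.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed samples.
DIRECT = AuthResults("example.com", "bounce.example.com", "pass",
                     dkim=[("example.com", "pass")])
# Forwarder relays from an IP that is not in the sender's SPF record.
FORWARDED = AuthResults("example.com", "bounce.example.com", "fail",
                        dkim=[("example.com", "pass")])
FORWARDED_NO_DKIM = AuthResults("example.com", "bounce.example.com", "fail")
# HELO passes SPF and matches From:, but MAIL FROM belongs to another domain.
HELO_ONLY = AuthResults("example.com", "mail.thirdparty.test", "pass",
                        helo="mta.example.com", spf_helo="pass")

if __name__ == "__main__":
    for name in ("DIRECT", "FORWARDED", "FORWARDED_NO_DKIM", "HELO_ONLY"):
        print(name, dmarc_eval(globals()[name]))
```

The HELO_ONLY case fails because the passing, aligned HELO identity is never consulted, and the forwarded case passes only when an aligned DKIM signature is present.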

What email marketers say
8 Marketer opinions

The consensus among email marketers is that DMARC checks should focus on the MAIL FROM domain for SPF, not HELO. While SPF is important, DKIM is generally considered more crucial for long-term email deliverability. DKIM's cryptographic signatures provide stronger authentication, especially when messages are forwarded. However, SPF remains relevant, particularly for senders with dedicated IPs.

Key opinions

  • SPF Domain: DMARC relies on the MAIL FROM domain for SPF checks, not the HELO identity.
  • DKIM Priority: DKIM is generally considered more important than SPF due to its resilience to forwarding.
  • DKIM Strength: DKIM provides stronger authentication through cryptographic signatures.
  • SPF Fragility: SPF can break when messages are forwarded, impacting its reliability.

Key considerations

  • Dedicated IP: If using a dedicated sending IP, focusing on SPF is particularly beneficial.
  • Forwarding: For scenarios involving message forwarding, prioritize DKIM for authentication.
  • Alignment: Ensure the MAIL FROM domain aligns with the From: header for optimal DMARC compliance.
  • Long-term Deliverability: Focusing on DKIM improves long-term email deliverability and sender reputation.

Marketer view

Email marketer from Postmark explains the key differences between SPF, DKIM and DMARC, highlighting how SPF can break when a message is forwarded as the return path changes. DKIM remains valid due to its signature.

August 2023 - Postmark
Marketer view

Email marketer from Proofpoint responds that while both SPF and DKIM are important, DKIM offers stronger authentication due to its cryptographic signing, which survives forwarding. SPF is still useful but is more fragile.

September 2023 - Proofpoint
Marketer view

Email marketer from EasyDMARC suggests prioritizing DKIM over SPF. DKIM signatures are associated with the message content and are more reliable for maintaining authentication across forwarding and mailing lists.

August 2024 - EasyDMARC
Marketer view

Email marketer from Mailjet responds that DKIM is better for long-term email deliverability. The message content is digitally signed so the message can be tracked back to the sender by mailbox providers.

December 2023 - Mailjet
Marketer view

Email marketer from GlockApps responds that in modern email authentication, DKIM is more important than SPF.

November 2023 - GlockApps
Marketer view

Email marketer from Reddit explains that DKIM is more important to get right, as messages can be forwarded and still pass DKIM checks where they may fail SPF.

July 2023 - Reddit
Marketer view

Email marketer from StackExchange suggests that if you have a dedicated sending IP, focusing on SPF is important. However, if you send via other servers, DKIM is best.

July 2022 - StackExchange
Marketer view

Email marketer from Mailhardener shares that DMARC uses the MAIL FROM domain for SPF checks, and it’s crucial to ensure that this domain aligns with the From: header. While HELO can be used for SPF, it's not the primary focus for DMARC.

June 2022 - Mailhardener

What the experts say
4 Expert opinions

Experts agree that DMARC leverages SPF by checking the MAIL FROM (Return-Path) domain, not the HELO. DKIM is considered more essential for authentication, especially with message forwarding, as it remains valid while SPF often breaks. Therefore, senders should prioritize DKIM.

Key opinions

  • SPF & DMARC: DMARC checks SPF using the MAIL FROM (Return-Path) domain.
  • DKIM Importance: DKIM is considered more important than SPF for reliable authentication.
  • Forwarding Impact: SPF breaks when messages are forwarded, making DKIM a better choice for ensuring authentication across the board.
  • DKIM Robustness: DKIM relies on cryptographic signatures, making it more robust than SPF.

Key considerations

  • Prioritize DKIM: Senders should prioritize implementing and maintaining DKIM.
  • MAIL FROM Alignment: Ensure correct setup and alignment of SPF using the MAIL FROM domain.
  • Forwarding Scenarios: Focus on DKIM if your messages are frequently forwarded.
  • SPF Limitations: Recognize the limitations of SPF, especially with forwarding.

Expert view

Expert from Spam Resource responds that DKIM is essential when messages are forwarded, as this often breaks SPF. Senders should focus on DKIM if they want to ensure their messages are authenticated across the board.

June 2023 - Spam Resource
Expert view

Expert from Email Geeks explains that the SPF RFC says to use HELO and return-path, but the DMARC RFC states that the HELO SPF identity is "not typically used in the context of DMARC". Therefore, alignment with and SPF pass of the return-path is what's important in DMARC.

April 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that DMARC leverages SPF by checking the MAIL FROM domain (Return-Path), not the HELO domain. DMARC also strongly relies on DKIM, which is considered more robust because it uses cryptographic signatures.

November 2022 - Word to the Wise
Expert view

Expert from Email Geeks recommends relying mostly on DKIM in 2024 rather than on SPF, and chasing them up on the DKIM stuff.

September 2022 - Email Geeks

What the documentation says
5 Technical articles

Technical documentation consistently indicates that DMARC leverages SPF by verifying the MAIL FROM (Return-Path) domain rather than the HELO identity. Furthermore, DKIM is highlighted as a more robust authentication method than SPF due to its use of cryptographic signatures, which are resistant to forwarding-related failures. Consequently, DKIM is deemed crucial for improving email deliverability and preventing messages from being marked as spam.

Key findings

  • SPF Domain: DMARC uses the MAIL FROM (Return-Path) domain for SPF authentication.
  • DKIM Robustness: DKIM is more robust than SPF because its cryptographic signatures withstand forwarding.
  • DKIM Importance: DKIM is essential for preventing emails from being marked as spam.
  • SPF Limitation: SPF is susceptible to forwarding issues that can break authentication.

Key considerations

  • Prioritize DKIM: Focus on implementing and properly configuring DKIM for optimal deliverability.
  • MAIL FROM: Ensure correct setup of SPF records using the MAIL FROM domain.
  • Forwarding Resilience: Rely on DKIM to maintain authentication integrity in scenarios involving email forwarding.
  • Combined Approach: While DKIM is emphasized, SPF should not be entirely neglected; use both for a comprehensive email authentication strategy.

Technical article

Documentation from dmarc.org explains that DMARC uses the domain in the RFC5322.MailFrom header field (also known as the envelope sender or Return-Path) for SPF authentication, not the HELO identity. This is because the RFC5322.MailFrom domain is considered more reliable for identifying the actual sender.

December 2024 - dmarc.org
Technical article

Documentation from Microsoft shares that using DKIM is one of the best ways to ensure emails are not marked as spam. DKIM passes even when a message is forwarded. SPF is recommended but by itself is not sufficient.

September 2024 - Microsoft
Technical article

Documentation from AuthSMTP shares that DKIM is considered more robust than SPF because it uses cryptographic signatures that are tied to the message content, making it less susceptible to forwarding issues that can break SPF. Focus on implementing DKIM for better deliverability.

May 2022 - AuthSMTP
Technical article

Documentation from RFC 7489 explains that while SPF can authenticate both the HELO identity and the MAIL FROM, DMARC primarily relies on the MAIL FROM domain for SPF checks due to its association with the message's actual sender.

June 2024 - RFC Editor
Technical article

Documentation from Cloudflare shares that the MAIL FROM domain is what is important for SPF.

November 2022 - Cloudflare