Should DMARC checks focus on SPF HELO or Return-Path and should you focus on DKIM or SPF?
Summary
What email marketers say (8 marketer opinions)
Email marketer from Postmark explains the key differences between SPF, DKIM and DMARC - it highlights how SPF can break when a message is forwarded as the return path changes. DKIM remains valid due to its signature.
Email marketer from Proofpoint responds that while both SPF and DKIM are important, DKIM offers stronger authentication due to its cryptographic signing, which survives forwarding. SPF is still useful but is more fragile.
Email marketer from EasyDMARC suggests prioritizing DKIM over SPF. DKIM signatures are associated with the message content and are more reliable for maintaining authentication across forwarding and mailing lists.
Email marketer from Mailjet responds that DKIM is better for long-term email deliverability. The message content is digitally signed so the message can be tracked back to the sender by mailbox providers.
Email marketer from GlockApps responds that in modern email authentication, DKIM is more important than SPF.
Email marketer from Reddit explains that DKIM is more important to get right, as messages can be forwarded and still pass DKIM checks where they may fail SPF.
Email marketer from StackExchange suggests that if you have a dedicated sending IP, focusing on SPF is important. However, if you send via other servers, DKIM is best.
Email marketer from Mailhardener shares that DMARC uses the MAIL FROM domain for SPF checks, and it’s crucial to ensure that this domain aligns with the From: header. While HELO can be used for SPF, it's not the primary focus for DMARC.
What the experts say (4 expert opinions)
Expert from Spam Resource responds that DKIM is essential when messages are forwarded, as this often breaks SPF. Senders should focus on DKIM if they want to ensure their messages are authenticated across the board.
Expert from Email Geeks explains that the SPF RFC says to use HELO and return-path, but the DMARC RFC states that the HELO SPF identity is "not typically used in the context of DMARC". Therefore, alignment with and SPF pass of the return-path is what's important in DMARC.
Expert from Word to the Wise explains DMARC leverages SPF by checking the MAIL FROM domain (Return-Path), not the HELO domain. DMARC also strongly relies on DKIM, which is considered more robust because it uses cryptographic signatures.
Expert from Email Geeks advises relying mostly on DKIM in 2024, not relying on SPF, and chasing them up on the DKIM stuff.
What the documentation says (5 technical articles)
Documentation from dmarc.org explains that DMARC uses the domain in the RFC5322.MailFrom header field (also known as the envelope sender or Return-Path) for SPF authentication, not the HELO identity. This is because the RFC5322.MailFrom domain is considered more reliable for identifying the actual sender.
Documentation from Microsoft shares that using DKIM is one of the best ways to ensure emails are not marked as spam. DKIM passes even when a message is forwarded. SPF is recommended but by itself is not sufficient.
Documentation from AuthSMTP shares that DKIM is considered more robust than SPF because it uses cryptographic signatures that are tied to the message content, making it less susceptible to forwarding issues that can break SPF. Focus on implementing DKIM for better deliverability.
Documentation from RFC 7489 explains that while SPF can authenticate both the HELO identity and the MAIL FROM, DMARC primarily relies on the MAIL FROM domain for SPF checks due to its association with the message's actual sender.
Documentation from Cloudflare shares that the MAIL FROM domain is what is important for SPF.
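The alignment rule the opinions above converge on, as an added example that is not taken from any of the cited sources: a simplified DMARC evaluator showing that an SPF pass counts only for the MAIL FROM (Return-Path) domain, that a HELO pass alone does not help, and that an aligned DKIM signature carries a forwarded message. The domains, results and the two-label organizational-domain shortcut are constructed assumptions; the null reverse-path case follows RFC 7489.

```python
# Added example (not from the cited sources): simplified DMARC alignment.

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List (needed for names like example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(msg, strict=False):
    """Return (verdict, spf_aligned_pass, dkim_aligned_pass)."""
    from_domain = msg["header_from"]
    if msg["mail_from"]:
        # Normal case: only the MAIL FROM (Return-Path) SPF result counts.
        spf_domain, spf_result = msg["mail_from"], msg["spf"]["mailfrom"]
    else:
        # Null reverse-path (bounces): the HELO identity stands in.
        spf_domain, spf_result = msg["helo"], msg["spf"]["helo"]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, strict)
    dkim_ok = any(result == "pass" and aligned(d, from_domain, strict)
                  for result, d in msg["dkim"])
    return ("pass" if spf_ok or dkim_ok else "fail", spf_ok, dkim_ok)

# Constructed sample messages (hypothetical domains and check results).
SAMPLES = {
    # Sent directly: aligned Return-Path and aligned DKIM signature.
    "direct": {"header_from": "news.example.com", "mail_from": "bounce.example.com",
               "helo": "mta1.example.net", "spf": {"mailfrom": "pass", "helo": "pass"},
               "dkim": [("pass", "example.com")]},
    # Forwarded: forwarder's IP fails SPF for the Return-Path, DKIM survives.
    "forwarded": {"header_from": "news.example.com", "mail_from": "bounce.example.com",
                  "helo": "mx.example.org", "spf": {"mailfrom": "fail", "helo": "pass"},
                  "dkim": [("pass", "example.com")]},
    # HELO is aligned and passes, but the Return-Path is another domain.
    "helo_only": {"header_from": "example.com", "mail_from": "bounces.example.net",
                  "helo": "mail.example.com", "spf": {"mailfrom": "pass", "helo": "pass"},
                  "dkim": []},
    # Bounce with empty MAIL FROM: HELO identity is evaluated instead.
    "null_path": {"header_from": "example.com", "mail_from": "",
                  "helo": "mail.example.com", "spf": {"mailfrom": "none", "helo": "pass"},
                  "dkim": []},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, dmarc_eval(msg))
```

Passing strict=True requires an exact domain match, so the "direct" sample then fails on both mechanisms because bounce.example.com and example.com differ from news.example.com.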