
How SPF, DKIM, and DMARC Work Together

SPF lists allowed IPs, DKIM signs messages, DMARC publishes the policy. Here’s exactly how the three interlock to produce real email authentication.

01

Introduction

SPF, DKIM, and DMARC are often discussed individually, but it's the way they interact that produces actual protection. This article walks through the integration: what each does, how DMARC consumes the others, and what the receiver actually checks for an incoming message.

02

Why this topic matters

A mental model of the three working together is what makes operational decisions intuitive. Why does DKIM matter more than SPF for forwarded mail? Why does SPF break once a record needs more than 10 DNS lookups? Why does a DMARC p=reject still let some attackers through? Each question has a clean answer once you see the stack as a single system.

03

What each layer does, in one line

  • SPF declares which IPs may send mail for your domain.
  • DKIM cryptographically signs each message, binding it to your domain.
  • DMARC publishes the policy: what receivers should do with mail that passes neither check with alignment to the From domain, and where to send reports about it.

04

The receiver's check sequence

When a receiver gets a message whose From header claims an address at yourdomain.com:

  1. SPF lookup. Does the connecting IP match the SPF record of the envelope-from (RFC5321.MailFrom) domain, or of the HELO domain when the envelope-from is empty? Result: pass, fail, softfail, neutral, none, temperror, permerror.
  2. DKIM verification. Does the message carry a DKIM-Signature header, and does the signature verify against the public key published at <selector>._domainkey.<d= domain>? Result: pass, fail, none (plus neutral, temperror and permerror for policy and lookup problems).
  3. Alignment check (the DMARC layer). Does the domain that produced the SPF pass align with the From header domain? Does the d= domain of a verified DKIM signature align with it? Under relaxed alignment (the default) the organizational domains must match; under strict alignment (aspf=s, adkim=s) the domains must be identical. Either aligned pass makes the message DMARC-aligned.
  4. DMARC policy lookup. Look up _dmarc.<From domain>. If there is no record there, fall back to _dmarc.<organizational domain>, where sp= (if present) governs subdomains. Get the policy (p=none, quarantine, or reject).
  5. Action. If DMARC-aligned (SPF or DKIM aligned and passing): deliver. If not: apply the policy (p=none still delivers; pct= can limit enforcement to a sample of failing mail) and record the outcome for the aggregate report.

05

What each layer covers that the others don't

  • SPF without DKIM: breaks on forwarding. A forwarder's IP is not in your record, so forwarded mail loses its SPF pass; if the forwarder rewrites the envelope sender (SRS), SPF may pass again but is no longer aligned with your From domain.
  • DKIM without SPF: no fallback. If a platform cannot sign with your domain, or a mailing list or gateway modifies the message and breaks the signature, there is no second aligned mechanism to keep the message passing.
  • SPF + DKIM without DMARC: receivers see authentication results but have no policy to enforce and no alignment requirement, so failures get inconsistent treatment and you receive no reports.
  • DMARC without SPF or DKIM: policy with nothing to enforce against. Every message fails, including your own.

The three together cover the cases each individually misses.

06

A worked example

A message from an address at yourdomain.com arrives at gmail.com:

  • Connecting IP: 198.51.100.42 (your transactional ESP).
  • DKIM signature present, d=yourdomain.com, s=transactional; the key at transactional._domainkey.yourdomain.com verifies it.
  • Visible From: an address at yourdomain.com.
  • SPF lookup for the envelope-from domain yourdomain.com: 198.51.100.42 is in your SPF record. Pass.
  • DKIM verification: pass.
  • DMARC lookup at _dmarc.yourdomain.com: p=reject; sp=reject; rua=mailto:<your aggregate-report mailbox>.
  • Alignment check: SPF pass on yourdomain.com aligns with From yourdomain.com ✓. DKIM d=yourdomain.com aligns as well ✓. Either one alone would be enough.
  • Action: deliver.

Now imagine an attacker spoofing:

  • Connecting IP: 203.0.113.1 (attacker's server).
  • DKIM signature: none (without your private key the attacker cannot produce one that verifies for d=yourdomain.com).
  • Visible From: an address at yourdomain.com.
  • SPF lookup: 203.0.113.1 is not in your SPF record. Fail.
  • DMARC policy: p=reject. Neither mechanism passed, so no alignment is possible.
  • Action: reject. Because DMARC needs the From header, the rejection comes at the end of the DATA stage (a 5xx response to the message), not at connection time; some receivers instead accept and silently discard.

That's the protection in action. Note what it does not cover: it applies only to mail whose From header uses your domain. A lookalike domain or a deceptive display name is evaluated against that other domain's policy, which is why p=reject still lets some attackers through.
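The receiver's check sequence (section 04) and the worked examples above (section 06), plus the forwarding case from section 05, as runnable Python. This is an added example, not the page's code and not any real MTA's implementation. It assumes SPF and DKIM have already been evaluated (their results are inputs), approximates the organizational domain as the last two labels (real receivers use the Public Suffix List), replaces DNS with a constructed dict of _dmarc records, and ignores pct= and DNS errors. The rua= mailbox is an assumption.

```python
"""Receiver-side DMARC evaluation: alignment, policy lookup, action.

Added example. Assumptions: SPF/DKIM results are inputs; organizational
domain = last two labels; DNS is a dict; pct= and DNS errors ignored.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; sp=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): identical."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class Message:
    from_domain: str            # domain of the visible From header (RFC5322.From)
    source_ip: str
    spf_result: str             # pass / fail / softfail / neutral / none / ...
    spf_domain: str             # domain SPF was checked against (MAIL FROM, or HELO)
    dkim_result: str            # pass / fail / none
    dkim_domain: Optional[str]  # d= of the verified signature, if any


def evaluate(msg: Message, dns: dict) -> dict:
    """Return the DMARC result and the action the receiver should take."""
    from_dom = msg.from_domain.lower()
    # Step 4: look up _dmarc.<From domain>; fall back to the organizational
    # domain, where sp= (if present) governs subdomains.
    record = dns.get(f"_dmarc.{from_dom}")
    use_sp = False
    if record is None:
        od = org_domain(from_dom)
        record = dns.get(f"_dmarc.{od}")
        use_sp = od != from_dom
    if record is None:
        return {"dmarc": "none", "action": "deliver", "reason": "no DMARC record"}
    tags = parse_dmarc(record)

    # Step 3: a raw pass only counts if its domain aligns with the From domain.
    spf_ok = msg.spf_result == "pass" and aligned(from_dom, msg.spf_domain, tags["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(from_dom, msg.dkim_domain, tags["adkim"])

    # Step 5: either aligned pass delivers; otherwise apply p= (or sp=).
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "action": "deliver",
                "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    policy = tags.get("sp", tags["p"]) if use_sp else tags["p"]
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
    return {"dmarc": "fail", "action": action, "policy": policy,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


# Constructed stand-in for DNS: the record from the worked example (mailbox assumed).
DNS = {"_dmarc.yourdomain.com":
       "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain.com"}

# Constructed cases: the legitimate ESP message, the spoof, and the same
# legitimate message after a forwarder with SRS (raw SPF pass, unaligned).
LEGIT = Message("yourdomain.com", "198.51.100.42", "pass", "yourdomain.com", "pass", "yourdomain.com")
SPOOF = Message("yourdomain.com", "203.0.113.1", "fail", "yourdomain.com", "none", None)
FORWARDED = Message("yourdomain.com", "192.0.2.10", "pass", "forwarder.example", "pass", "yourdomain.com")

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("spoof", SPOOF), ("forwarded", FORWARDED)]:
        print(f"{name:10} {evaluate(m, DNS)}")
```

The forwarded case is the one worth staring at: SPF reports a raw pass for forwarder.example, but that domain does not align with yourdomain.com, so only the surviving DKIM signature keeps the message passing. Switching the record to adkim=s would also turn a signature from a subdomain (d=mail.yourdomain.com) into a DMARC fail.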

07

Step-by-step approach to a working stack

  1. Publish SPF for every legitimate sending IP, keeping the record within the 10-DNS-lookup limit.
  2. Enable DKIM at every platform, signing with your own domain (d=yourdomain.com) rather than the platform's default domain, so the signature aligns.
  3. Publish DMARC at p=none with rua= reporting.
  4. Monitor aggregate reports until ≥99% of mail from each legitimate source is DMARC-aligned.
  5. Tighten to p=quarantine, then p=reject, ramping pct= if you want a gradual cutover.

See "How to move from monitoring to enforcement safely" for the rollout in detail.
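Step 4 above is where most rollouts stall, so here is the monitoring check as runnable Python: it reads a DMARC aggregate (rua) report, computes the aligned pass rate per source IP, and names the sources that would break once the policy tightens. This is an added example, not the page's code or any vendor's tool. The XML is constructed in the shape of an RFC 7489 aggregate report; the IPs, counts and domains are made up. The key detail is that policy_evaluated carries the aligned results DMARC used, while auth_results carries the raw SPF/DKIM outcomes, so a source can show raw passes and still fail DMARC.

```python
"""Per-source DMARC alignment pass rate from an aggregate (rua) report.

Added example. The report below is constructed (RFC 7489 shape, made-up
IPs and counts). policy_evaluated = ALIGNED results; auth_results = RAW.
"""
import xml.etree.ElementTree as ET

THRESHOLD = 0.99  # the bar from the step-by-step approach before tightening p=

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record><!-- your transactional ESP: aligned on both -->
    <row><source_ip>198.51.100.42</source_ip><count>980</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>transactional</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- forwarded copies: SRS gives a raw SPF pass that is unaligned; DKIM carries them -->
    <row><source_ip>192.0.2.10</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>transactional</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- a SaaS tool signing with its own domain: raw pass, DMARC fail -->
    <row><source_ip>203.0.113.50</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>saas-tool.example</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>bounce.saas-tool.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- unknown source, nothing passes: spoofing or a forgotten server -->
    <row><source_ip>203.0.113.1</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize(xml_text: str) -> dict:
    """Aggregate counts per source IP, separating aligned passes from raw-only passes."""
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        is_aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        auth = rec.find("auth_results")
        raw = [] if auth is None else list(auth)  # the <dkim>/<spf> children
        raw_pass = any(r.findtext("result") == "pass" for r in raw)
        s = sources.setdefault(ip, {"total": 0, "aligned": 0, "raw_only": 0,
                                    "none": 0, "dkim_domains": set()})
        s["total"] += count
        if is_aligned:
            s["aligned"] += count
        elif raw_pass:
            s["raw_only"] += count  # authenticated, but not as your domain
        else:
            s["none"] += count
        s["dkim_domains"].update(d.findtext("domain") or "?" for d in raw if d.tag == "dkim")
    return {"domain": root.findtext("policy_published/domain"), "sources": sources}


def readiness(summary: dict, threshold: float = THRESHOLD) -> dict:
    """Overall aligned rate plus the sources that block tightening the policy."""
    total = sum(s["total"] for s in summary["sources"].values())
    aligned = sum(s["aligned"] for s in summary["sources"].values())
    blocking = {}
    for ip, s in summary["sources"].items():
        rate = s["aligned"] / s["total"]
        if rate < threshold:
            why = ("raw pass but unaligned: platform signs/sends as "
                   + ", ".join(sorted(s["dkim_domains"])) if s["raw_only"]
                   else "no authentication at all: unknown sender or spoofing")
            blocking[ip] = {"rate": rate, "why": why}
    return {"overall_rate": aligned / total if total else 0.0, "blocking": blocking}


if __name__ == "__main__":
    report = readiness(summarize(SAMPLE_REPORT))
    print(f"aligned overall: {report['overall_rate']:.1%}")
    for ip, info in report["blocking"].items():
        print(f"  {ip}: {info['rate']:.0%} aligned; {info['why']}")
```

Reading the output: 198.51.100.42 and the forwarder are fine, the SaaS tool at 203.0.113.50 is the one to fix (configure it to sign with d=yourdomain.com or add its IPs to SPF), and 203.0.113.1 is either spoofing you or a server nobody documented. Until the first kind of source is fixed, moving to p=quarantine would junk 120 real messages per report period.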

08

Best practices

  • Build all three together. Don't deploy in isolation; DMARC depends on SPF and DKIM, and each of those needs DMARC to give its result consequences.
  • Watch alignment, not just raw pass. A DKIM pass from a platform signing with its own domain is still a DMARC fail; aggregate reports show the aligned result alongside the raw one.
  • Prefer DKIM for SaaS senders. It survives forwarding.
  • Use SPF for direct senders. It backstops DKIM for unsigned mail.
  • Set DMARC policy deliberately; see "Choosing the right policy".

09

If you have SPF and DKIM but no DMARC, publish DMARC at p=none with reporting today. The monitoring data shows you the rest.

10

FAQ

Do I need all three?

For full DMARC protection, yes. SPF and DKIM are the underlying mechanisms; DMARC is the policy. Skip any and the stack is incomplete.

Which is most important?

DMARC produces the policy outcome; DKIM is the more durable underlying mechanism; SPF is the IP backstop. All three contribute.

Can DMARC work with only DKIM?

Yes — DMARC requires either SPF or DKIM to pass with alignment. DKIM-only is workable but you lose redundancy.

What about BIMI?

BIMI requires an enforcing DMARC policy (p=quarantine with pct=100, or p=reject, and no sp=none) on the domain. It sits on top of the stack, not within it.

Do receivers always honour my DMARC policy?

Major providers honour it, with caveats: Google and Yahoo reliably, while Microsoft 365 for years treated p=reject as quarantine by default and only later added an option to honour the reject. Some smaller receivers don't enforce it at all. The policy expresses intent; the receiver decides what to do with it.

11

Final thoughts

The three-layer stack is the model that produces real authentication. SPF answers "is this IP allowed," DKIM answers "is this message provably from us," DMARC answers "what should you do when those checks fail."

Each is a partial answer. Together they're a complete one.
