SPF vs DMARC vs DKIM — Email Authentication Explained

Three protocols, one goal: stop email forgery

The Three-Layer Defense

SPF, DMARC, and DKIM are the three pillars of email authentication. SPF says which servers may send for a domain. DKIM proves the message wasn't tampered with in transit. DMARC sets the policy for what receivers should do when those checks fail. All three together bring spoof risk close to zero; leave any one out and an attacker only has to break a single lock.

Configuration Rates (159 Domains)

SPF configured: 29.6%
DMARC configured: 17.6%
DKIM configured: 9.4%

SPF — Sender Policy Framework

SPF is a DNS TXT record listing the servers authorized to send for a domain. If mail arrives from a server not on that list, SPF fails. But here's the catch: evaluating an SPF record is limited to 10 DNS lookups. Many large domains exceed that limit, and their SPF check then fails silently. That's why SPF alone isn't enough. Only 29.6% of domains we checked even have SPF; the majority have no sender verification at all.

DMARC — Domain-based Message Authentication

DMARC builds on SPF and DKIM by adding a policy: it tells the receiver to reject or quarantine messages that fail. This is the one that actually stops spoofing. Without DMARC, a forged email that passes either SPF or DKIM (or both) gets delivered. Only 17.6% of domains have it. If you configure one thing, make it DMARC: even without SPF, a published DMARC policy tells receivers your stance.

DKIM — DomainKeys Identified Mail

DKIM signs outbound messages with a private key. The receiver verifies the signature with the public key in DNS. It proves the message content wasn't changed in transit. It's the hardest to set up (requires key management) and the least common — only 9.4% of domains we checked have it.

SPF vs DMARC vs DKIM: Which One Matters Most?

Protocol | Purpose             | Our Data         | Recommendation
SPF      | Sender verification | 29.6% configured | Required but not enough
DMARC    | Policy enforcement  | 17.6% configured | Most important — pick one, pick this
DKIM     | Message integrity   | 9.4% configured  | Nice to have

Real DMARC Record Example (gmail.com)

v=DMARC1; p=reject; pct=100; rua=mailto:mailauth-reports@google.com

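As an added example (not the page's tool or any provider's code), the following Python applies the three checks described above to an in-memory zone of constructed TXT records: the SPF ten-lookup count, the DMARC policy tag from a record like the one shown, and a DKIM selector probe. Names such as example.com, _spf.example.net, toomany.example and the selector sel1 are assumptions, and the addresses are documentation ranges.

```python
# Added example (not the page's tool): SPF presence and RFC 7208's ten-lookup budget,
# DMARC policy tag, DKIM selector probe, all against a constructed in-memory zone.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS query each

def count_spf_lookups(domain, zone, seen=None):
    """Count DNS-querying terms reachable from domain's SPF record."""
    seen = set() if seen is None else seen
    if domain in seen:                          # loop guard: count the term, not the subtree again
        return 0
    seen.add(domain)
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        # strip qualifier; "redirect=x" is treated like "include:x" for counting
        mech, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        mech = mech.split("/")[0].lower()       # "a/24" -> "a"
        if mech in LOOKUP_TERMS:
            total += 1
            if mech in ("include", "redirect"):
                total += count_spf_lookups(arg, zone, seen)
    return total

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict, or None if not DMARC."""
    tags = {k.strip().lower(): v.strip() for k, _, v in
            (p.partition("=") for p in record.split(";")) if k.strip()}
    return tags if tags.get("v") == "DMARC1" else None

def assess(domain, zone, selector="sel1"):
    lookups = count_spf_lookups(domain, zone)
    dmarc = parse_dmarc(zone.get(f"_dmarc.{domain}", ""))
    return {
        "spf": zone.get(domain, "").lower().startswith("v=spf1"),
        "spf_lookups": lookups,
        "spf_permerror": lookups > 10,          # receivers return permerror, so SPF fails
        "dmarc_policy": dmarc.get("p") if dmarc else None,
        "dkim": zone.get(f"{selector}._domainkey.{domain}", "").startswith("v=DKIM1"),
    }

# Constructed zone: one well-configured domain, one whose include chain exceeds ten lookups.
FAKE_ZONE = {
    "example.com": "v=spf1 include:_spf.example.net a mx -all",
    "_spf.example.net": "v=spf1 include:blk.example.net ip4:192.0.2.0/24 ~all",
    "blk.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "toomany.example": "v=spf1 " + " ".join(f"include:i{n}.toomany.example" for n in range(11)) + " -all",
}
```

Calling assess("example.com", FAKE_ZONE) reports all three pillars present with 4 SPF lookups, while toomany.example reaches 11 and is flagged as exceeding the budget.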
The Verdict

If you can only pick one protocol, pick DMARC. It's the only one that tells receivers what to do with fakes. SPF without DMARC is just a suggestion. DKIM without DMARC proves integrity but not intent. All three together are ideal, but DMARC alone is better than SPF+DKIM without a policy.
