Why does DKIM not stop spoofing by itself?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you get an email from captain@deepcurrent.io, but the DKIM signature shows it was signed by d=tidalmail.net. DKIM passes, because tidalmail.net signed it properly. But you're looking at an email that appears to come from deepcurrent.io. The signature is valid, but it's not signing what the recipient thinks it's signing.

That's the fundamental gap. DKIM proves a message was signed by someone who controls the signing domain. It doesn't prove the signing domain matches the "From" address your recipient sees in their email client. Those can be completely different domains.

A spoofing scenario using DKIM might look like this: someone registers spoofed-company.com, sets up DKIM properly on it, and sends emails with From: CEO@realcompany.com in the headers. The DKIM signature is technically valid because the message was signed by spoofed-company.com correctly. But the recipient sees realcompany.com in the From field.

The fix is DMARC. DMARC adds an alignment check: it verifies whether the DKIM signing domain (the d= tag) matches the visible "From" domain. If they don't align, DMARC fails, and your DMARC policy (reject, quarantine, or none) determines what happens to the message.

So DKIM is an essential piece of the authentication stack, but it's not the spoofing protection layer. That's DMARC's job. Without DMARC, DKIM proves that someone signed the message with a valid private key, but not that the signing domain is the one your recipient thinks they're hearing from.

Similarly, SPF validates the envelope from domain, not the visible From. DMARC is the layer that ties both SPF and DKIM to the From header and enforces policy based on whether they align.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get an assessment of your spoofing protection setup.

I read this on the Email Almanac about why DKIM doesn't prevent spoofing by itself. My situation: I have DKIM configured on my domain. I do / don't have DMARC set up. I'm concerned about [describe: someone spoofing my domain / my own legitimate email failing authentication / understanding why DMARC failures are happening]. What I want to understand: [describe e.g., "whether my current setup is vulnerable to spoofing" or "what DMARC policy I should implement to close the gap" or "how to check whether my d= domain is aligned with my From address"].

Edit the yellow boxes, then send to the AI of your choice.