What problem does DMARC solve that SPF/DKIM don’t?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Here's the gap. SPF verifies whether the sending server is authorized to send for the domain in the envelope. DKIM verifies whether a message was signed by someone controlling the signing domain. Neither of them checks whether those domains match what your recipients see in the "From" header of their email client.

That's the exploit. A spammer can set up a domain they control, configure it with valid SPF and DKIM, and then send emails with your legitimate domain in the visible "From:" header. SPF passes on their domain. DKIM passes on their domain. But your recipients see your brand in the From field.

This attack is called display name spoofing or header from spoofing, and it's the basis for most business email compromise (BEC) attacks and CEO fraud.

DMARC solves this by adding an alignment check: it verifies that either the DKIM signing domain or the SPF-validated domain actually matches the domain in the visible "From" address. If neither matches, DMARC fails, and your DMARC policy tells receiving servers what to do about it.

Without DMARC, SPF and DKIM are useful signals but they don't prevent someone from spoofing your visible "From" address. With DMARC at p=reject, a spoofed "From" that doesn't align with a passing SPF or DKIM result will be rejected outright by supporting providers.

That's the specific gap DMARC closes: the alignment between what the authentication checks validate and what your recipients actually see. It's why the recommended setup is all three: SPF + DKIM + DMARC.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get an assessment of your current authentication gap and how to close it.

I read this on the Email Almanac about what DMARC solves that SPF and DKIM don't. My setup: I have / don't have DMARC configured. My DKIM signing domain is [describe if you know it e.g., same as my From domain / set up through my ESP / not sure]. I want to understand [describe e.g., "whether my current setup closes the spoofing gap" or "how to check if my DKIM d= domain aligns with my From domain" or "what I need to do to reach p=reject"].

Edit the yellow boxes, then send to the AI of your choice.