How does DMARC work with SPF and DKIM?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DMARC is the layer that makes SPF and DKIM actually useful for protecting your visible identity. You can have both SPF and DKIM passing and still have phishers impersonating your brand. DMARC is what closes that gap.

What SPF and DKIM each do on their own

SPF checks whether the sending server is authorized to send on behalf of the Return-Path domain, the behind-the-scenes address your recipients never see. DKIM checks that the message wasn't modified in transit and was signed by a specific domain. Both are checking technical fields, not the visible From address in the inbox.

That's the gap. A phisher can pass SPF on their own domain and pass DKIM with their own key, while showing your brand name in the From field. Recipients see your brand. Authentication passes for someone else entirely.

What DMARC adds: alignment

DMARC requires that at least one authentication method also aligns with the visible From domain. "Alignment" means the domain that passed SPF or DKIM matches the From domain your recipients see. Phishers can't pass that check without controlling your actual domain.

How the check runs, in order

  1. SPF is evaluated: does the sending server match the Return-Path domain's SPF record?
  2. DKIM is evaluated: is the signature valid, and what domain signed it?
  3. DMARC checks alignment: does the From domain match the domain that passed SPF, or the domain in the DKIM signature?
  4. If at least one method passes and aligns, DMARC passes. If neither aligns, DMARC applies your policy: p=none (monitor only), p=quarantine (spam folder), or p=reject (drop the message).

You need all three working together for real protection. SPF and DKIM without DMARC are authentication with no enforcement. DMARC without SPF or DKIM has nothing to align against.

You can check your current DMARC record and whether it's passing with our DMARC parser. If you're trying to figure out which piece of the stack is failing, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit My SPF, DKIM, and DMARC Stack

I just read the Email Almanac entry on how DMARC works with SPF and DKIM. Help me understand my current setup and figure out whether all three are working together correctly. Walk me through: 1. Whether my SPF, DKIM, and DMARC records are all configured 2. Whether SPF and DKIM are aligned with my visible From domain 3. What my current DMARC policy is set to and whether it's appropriate 4. Which piece of the stack is failing if DMARC isn't passing --- My details (fill in what applies): - Sending domain: your domain - SPF status: passing / failing / unsure - DKIM status: passing / failing / unsure - DMARC policy: p=none / p=quarantine / p=reject / not set up / unsure - ESP or sending platform: name - Where mail is landing: inbox / spam / rejected / mixed

Edit the yellow boxes, then send to the AI of your choice.