What is the priority between SPF and DKIM in DMARC alignment?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've heard both matter. You've heard one's better. So which one does DMARC actually prefer?
Here's the truth: neither has priority. DMARC runs both checks in parallel, and if either one passes and aligns with your From domain, you pass DMARC. It's OR logic, not a pecking order. You don't need both. You just need one to work.
But that's where real life gets interesting. SPF lives in your DNS as a text record. It works great until someone forwards your email. When a mail server forwards your message, it re-sends it from their address, not yours. That's called an SPF-breaking forward. Now your SPF check fails on the second hop.
DKIM attaches a cryptographic signature to your email body. It doesn't care who's relaying it. Forwards don't touch that signature. So DKIM survives forwarding every time.
In practice, set up both. If your SPF breaks on a forward (which it will, with Gmail or Yahoo or any large receiver), your DKIM's still there to pass DMARC and keep you in the inbox. It's called alignment redundancy, and it's your best insurance.
Not sure which one you're missing? Use our free DMARC parser to see where your authentication breaks, and when.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.