What is the priority between SPF and DKIM in DMARC alignment?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've heard both matter. You've heard one's better. So which one does DMARC actually prefer?

Here's the truth: neither has priority. DMARC runs both checks in parallel, and if either one passes and aligns with your From domain, you pass DMARC. It's OR logic, not a pecking order. You don't need both. You just need one to work.

But that's where real life gets interesting. SPF lives in your DNS as a text record. It works great until someone forwards your email. When a mail server forwards your message, it re-sends it from their address, not yours. That's called an SPF-breaking forward. Now your SPF check fails on the second hop.

DKIM attaches a cryptographic signature to your email body. It doesn't care who's relaying it. Forwards don't touch that signature. So DKIM survives forwarding every time.

In practice, set up both. If your SPF breaks on a forward (which it will, with Gmail or Yahoo or any large receiver), your DKIM's still there to pass DMARC and keep you in the inbox. It's called alignment redundancy, and it's your best insurance.

Not sure which one you're missing? Use our free DMARC parser to see where your authentication breaks, and when.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my SPF and DKIM alignment status

My DMARC record says SPF and DKIM both check. Does one take priority over the other? Which one matters most? Do I need both to pass DMARC?

Edit the yellow boxes, then send to the AI of your choice.