How do SPF, DKIM, and DMARC work together?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Think of email authentication as a three-layer check. SPF proves the server sending the mail is authorized (is it on the approved list). DKIM cryptographically signs the message content (has anyone tampered with it). DMARC ties both checks back to your From header and tells mailbox providers what to do if they fail.

Here's how they flow together: A mailbox provider receives your message and first checks SPF. It verifies that the Return-Path domain is authorized to send mail. Then it checks DKIM. It verifies the signature hasn't been altered since it was signed. But here's where it gets interesting: SPF and DKIM might both pass, yet the message could still be suspicious. That's because neither one confirms that the sender is actually you. So DMARC steps in and checks alignment: does the Return-Path domain (SPF) or the DKIM signing domain match your From header. If at least one aligns and passes, the message is authenticated. If both fail or neither aligns, DMARC applies your policy (quarantine, reject, or none).

The workflow matters too. SPF checks the Return-Path domain, while DKIM checks the d= tag domain. DMARC requires at least one of them to match your From header. That's why fixing alignment usually starts with DKIM: it's more resilient and survives forwarding better than SPF.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Explain SPF, DKIM, DMARC workflow

Explain how SPF, DKIM, and DMARC work together as a workflow. Include what each checks, why alignment matters, why DMARC requires at least one to pass, and why DKIM is more forwarder-friendly.

Edit the yellow boxes, then send to the AI of your choice.