Will DMARC replace SPF and DKIM?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you've been told to set up DMARC and then wondered whether you still need SPF and DKIM too, you're not alone. It's a fair question. DMARC sounds like the powerful one, so why not just use that?

The honest answer is that DMARC can't do anything without SPF and DKIM. It doesn't replace them. It reads their results.

Here's what each one actually does:

  • SPF checks whether the server that sent your email was authorized to send on behalf of your domain. It looks at the sending IP address and compares it against a list you publish in your DNS. Think of it as a guest list at the door.
  • DKIM checks whether the message itself was tampered with in transit. It uses a cryptographic signature attached to the email, which the receiving server verifies against a public key in your DNS. If the content changed after you sent it, the signature breaks.
  • DMARC reads the results of both those checks and then applies your policy. Did SPF pass? Did DKIM pass? Did either of them align with the domain shown in the From address? Based on your DMARC record, the receiving server either delivers the message, quarantines it, or rejects it outright.

The critical part there is alignment. DMARC doesn't just want SPF or DKIM to pass in isolation. It wants the domain that passed to match the domain in your From header, the one your recipients actually see. That's what stops spoofing, where someone sends email that appears to come from your domain but goes through a completely different server.

So what breaks if you only have one or two of the three? A few concrete examples:

  • DMARC only (no SPF or DKIM): DMARC has nothing to evaluate. It won't enforce any policy because there are no checks feeding into it. It's essentially inactive.
  • SPF only: You can authorize sending IPs, but there's no signature protecting message integrity. If your email gets forwarded, SPF often fails because the forwarding server's IP isn't on your list. And without DMARC, there's no policy telling receivers what to do when SPF fails.
  • DKIM only: Message integrity is protected, but there's no IP authorization and no enforcement layer. Spammers can still try to impersonate your domain through servers you haven't authorized.

All three working together is what actually closes the gaps. SPF covers sender authorization. DKIM covers message integrity. DMARC enforces policy and requires alignment. None of them is redundant.

As for the future, ARC (Authenticated Received Chain) extends this system to handle forwarded email more gracefully, but it builds on top of SPF, DKIM, and DMARC rather than replacing any of them. New standards tend to layer on top of what already works.

If you want to check how your authentication is actually set up right now, our free SPF checker and DKIM record lookup take about 30 seconds each. Or if you're mid-setup and something isn't clicking, the SOS hotline is free and we actually pick up.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my authentication gaps

I send email from my domain and I've been told I need SPF, DKIM, and DMARC. Based on my current setup, can you tell me: which of the three I'm missing, what specific risk each gap creates, and what DNS records I need to add or fix first? Please list the answers in order of priority.

Edit the yellow boxes, then send to the AI of your choice.