Can SPF or DKIM alone stop spoofing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up SPF. You've set up DKIM. Your domain feels locked down. But here's the thing: an attacker can still send an email that looks like it came from you, and both of those checks can pass just fine. So what's actually going on?

SPF checks the envelope sender, not the From address your recipient sees. When an email arrives, there are two different "from" fields in play. The envelope sender (sometimes called the Return-Path) is used during the server handshake. The header From is what shows up in your inbox as the sender's name and address. SPF only validates the envelope sender. An attacker can point their own domain's SPF at their own servers, send an email with their domain in the envelope, and still put your address in the visible From field. SPF passes. The recipient sees your brand. That's spoofing, and SPF didn't stop it.

DKIM has a different gap. It does sign the header From domain with a cryptographic signature, which is a step closer to what you actually need. But DKIM alone doesn't tell the receiving mail server what to do if the signature is missing or fails. Without a policy, a spoofed email with no DKIM signature at all can still be delivered. The absence of a valid signature isn't treated as a block signal. It's just... ignored.

Think of it this way. SPF is a check on the delivery driver, not the return address on the package. DKIM is a tamper-evident seal, but one that nobody's required to act on if it's missing. Neither one, by itself, tells the mailbox provider to reject mail that fails the check on your visible domain.

That's what DMARC adds. DMARC requires that either SPF or DKIM aligns with the header From domain (the address your recipient actually sees), and it gives receivers a policy to follow when alignment fails. Set DMARC to p=reject and misaligned messages don't make it to the inbox. That's how DMARC stops domain spoofing where SPF and DKIM alone can't.

So, SPF and DKIM are both necessary, but neither is sufficient on its own. DMARC is what closes the loop.

You can check your current DMARC setup with our free DMARC Generator or use the DMARC Parser to read your existing record. If you're not sure where to start, ask us directly and we'll take a look.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my spoofing protection gaps

Based on what I know about my email setup, tell me where my spoofing protection might have gaps. I'll share my domain and current authentication records. Please check whether SPF, DKIM, and DMARC are all in place, whether DMARC alignment is configured correctly, and flag any specific weaknesses an attacker could exploit right now. Give me a ranked list of the most urgent things to fix.

Edit the yellow boxes, then send to the AI of your choice.