What is the difference between SPF and DKIM results in headers?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've opened the Authentication-Results header and you see both an SPF result and a DKIM result. They both say "pass." Good. But what were they each actually checking? They're not redundant, they're measuring different things.
SPF checks the sending infrastructure. Specifically, it asks: "Is the IP address that sent this message authorized to send on behalf of the envelope domain (Return-Path)?" That's a server-level check. It has nothing to do with the message content itself. The domain being checked is in the Return-Path header, which is often a subdomain like bounce.yourdomain.com rather than your visible From address.
DKIM checks the message content. It verifies a cryptographic signature that was added when the message was sent. If the message body or key headers were altered in transit, the DKIM signature breaks. A DKIM pass means the message arrived intact from the claimed signing domain. The result line shows you which domain signed it (header.i=@domain.com) and which selector was used (header.s=selector1).
Both can fail independently. An SPF failure doesn't break DKIM. A DKIM failure doesn't break SPF. But DMARC needs at least one of them to pass and be aligned with the visible From domain to count as a pass. That's the key relationship to understand when you're diagnosing an authentication problem.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.