Will new RFCs replace SPF or DKIM?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you've just finished setting up SPF and DKIM and you're wondering whether they'll be obsolete in a year, relax. They won't be.

SPF and DKIM are baked so deeply into how email works that replacing them would require every mail server, every inbox provider, and every ESP on the planet to coordinate a migration at the same time. That's not how the internet moves. It moves in layers.

What actually happens when a protocol has gaps is that the ecosystem builds on top of it, not around it. SPF has a well-known problem with email forwarding. When a message gets forwarded, the originating IP no longer matches the SPF record, and the check fails. Did that kill SPF? No. It drove the creation of ARC (Authenticated Received Chain), which adds a layer to preserve the original authentication results through forwarding chains. SPF stayed. A new tool filled the gap.

DKIM is in an even stronger position. It signs the message content itself, so the signature travels with the email regardless of routing. That's genuinely hard to improve on without reinventing email signing from scratch.

BIMI is a good example of how new standards tend to work. It doesn't replace DMARC. It builds on top of it. You need a valid DMARC policy before BIMI will even show your brand logo. New layers extend the foundation rather than tear it up.

The honest answer is that future RFCs are far more likely to address newer challenges (AI-assisted filtering, decentralized identity, cross-border regulation) than to revisit whether SPF and DKIM still work. They do. The email standards community knows better than to fix what isn't broken.

So keep investing in your authentication setup. It's not going anywhere. If you want to make sure yours is solid today, our free SPF checker and DKIM lookup take about 30 seconds each.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Ask about the future of email authentication

I keep hearing about new email standards and RFCs. Is SPF or DKIM going to be replaced soon? Should I be worried about investing time in authentication that might become obsolete?

Edit the yellow boxes, then send to the AI of your choice.