
DMARC, DKIM and SPF: how they fit together

Updated 4 June 2026 · 6 min read

SPF, DKIM and DMARC are three separate standards that work as layers. SPF says which servers may send mail for your domain. DKIM cryptographically signs each message. DMARC ties the two together, checks that the authenticated domain matches the address recipients see, and reports what happened. You need all three: each covers a gap the others leave open.

SPF: who is allowed to send

SPF (Sender Policy Framework) is a DNS record listing the servers and services permitted to send mail for your domain. A receiver checks the sending server against that list. Its weaknesses: it authenticates the hidden envelope sender rather than the visible From address, and it breaks when a message is forwarded. On its own, SPF does not stop someone displaying your domain in the From line.

DKIM: proof the message is intact

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message, using a key published in your DNS. The receiver verifies the signature to confirm the message was not altered and was signed with your domain's key. Unlike SPF, DKIM survives forwarding. But DKIM alone still does not tell a receiver what to do when the signature is missing or invalid.

DMARC: the decision and the reporting

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the layer that makes the other two enforceable. It requires that SPF or DKIM not only passes, but passes for a domain that aligns with the visible From address. It then sets a policy - monitor, quarantine or reject - and sends you reports on every source sending as your domain.

How they combine

A message passes DMARC if either SPF passes with an aligned domain, or DKIM passes with an aligned domain. Because either route is enough, publishing both gives you the best chance of legitimate mail passing while spoofed mail fails. SPF covers your own mail servers cleanly; DKIM covers forwarded mail and third-party senders that sign with your domain.

Common mistakes

The usual traps are: relying on SPF alone and wondering why DMARC still fails; forgetting to align the DKIM signing domain with your From domain; and exceeding the SPF ten-lookup limit by listing too many third-party includes. Reports are how you catch all three, which is why DMARC is as much a monitoring tool as an enforcement one.

Frequently asked questions

Can I use DMARC without SPF or DKIM?

No. DMARC has nothing to evaluate without at least one of them. In practice you publish both SPF and DKIM, then add DMARC to enforce alignment and collect reports.

Is DKIM better than SPF?

They solve different problems. SPF authorises sending servers by IP address; DKIM proves a message was not altered and survives forwarding, which SPF does not. DMARC lets a message pass on either one, so having both gives you the most resilient setup.

Why does mail pass SPF but fail DMARC?

SPF checks the hidden envelope sender, not the visible From address. If those domains differ - common with marketing platforms - SPF can pass while DMARC fails because the domains are not aligned. DKIM signed with your domain usually fixes this.
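
The combination rule from "How they combine", and the SPF-pass but DMARC-fail case in the answer above, worked through in Python. This is an added example, not DMARCHub code: the Message fields, function names and sample domains are constructed for illustration, and the small suffix set is an assumption standing in for the Public Suffix List that receivers use to find organisational domains.

```python
from dataclasses import dataclass

# Assumption: a constructed stand-in for the Public Suffix List, covering
# only the sample domains below.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}

def org_domain(domain):
    """Return the organisational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment (the DMARC default) compares organisational domains;
    strict alignment requires an exact match."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str    # domain in the visible From address
    envelope_from: str  # domain SPF was checked against (hidden envelope sender)
    spf_pass: bool      # raw SPF result, before alignment
    dkim: list          # (signing domain, signature verified) per signature

def dmarc_result(msg, strict=False):
    """DMARC passes if SPF or DKIM passes for a domain aligned with From."""
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from, strict)
    dkim_ok = any(ok and aligned(d, msg.header_from, strict) for d, ok in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages, all showing example.co.uk in the From line.
SAMPLES = {
    "own server": Message("example.co.uk", "bounce.example.co.uk", True, []),
    "platform, vendor-signed": Message("example.co.uk", "mail.vendor.com", True, [("vendor.com", True)]),
    "platform, own DKIM": Message("example.co.uk", "mail.vendor.com", True, [("example.co.uk", True)]),
    "forwarded": Message("example.co.uk", "example.co.uk", False, [("example.co.uk", True)]),
    "unrelated sender": Message("example.co.uk", "unrelated.net", True, []),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24} {dmarc_result(msg)}")
```

The "platform, vendor-signed" message passes both raw SPF and raw DKIM yet fails DMARC, because neither authenticated domain aligns with the From domain; signing with example.co.uk is what turns it into a pass.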
