
How SPF, DKIM, and DMARC Actually Work Together (And Why One Alone Is Useless)
Email security failures rarely start with malware. They start with trust.
If someone can impersonate your domain, attackers do not need to hack anything. They simply send emails pretending to be you. That’s where SPF, DKIM, and DMARC come in.
But what matters most is how these tools work together.
SPF: “Is This Server Allowed to Send Email for This Domain?”
SPF (Sender Policy Framework) answers one simple question:
Is the sending mail server authorized to send email for this domain?
It works by publishing a DNS record that lists approved sending sources. (SPF Records for Approved Senders, n.d.)
What SPF does well
- Blocks unauthorized mail servers
- Stops basic spoofing attempts
Where SPF fails
- It breaks on forwarding
- It doesn’t validate message content
- It doesn’t tell receivers what to do when SPF fails
SPF is important, but it is not enough on its own.
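The SPF check described above, as an added example that is not part of the original article: a small evaluator for the ip4, ip6, include and all mechanisms over a constructed DNS zone. The domains, addresses and records are made up; a real verifier resolves the TXT records over DNS and also handles the a, mx and exists mechanisms and the 10-lookup limit of RFC 7208. The last two lookups show two of the points above: a legitimate message relayed by a forwarder fails because the forwarder's address is not in the list, and a record ending in +all passes everything, which is why "only required senders" matters.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Domains, addresses and records are
# made up for this example (assumption: nothing here reflects a real zone).
ZONE = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all",
    # A domain that permits any sender: a misconfiguration, not an authorization.
    "open.example": "v=spf1 +all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain, or None if it publishes none."""
    record = ZONE.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the sending IP against the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; other mechanisms
    (a, mx, exists, ...) yield permerror in this toy evaluator.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no policy published: the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        elif term.startswith("include:"):
            # include: matches only when the referenced policy yields pass
            matched = check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term: no opinion


if __name__ == "__main__":
    print(check_spf("example.com", "198.51.100.25"))  # pass: listed network
    print(check_spf("example.com", "203.0.113.10"))   # pass: via the include
    print(check_spf("example.com", "192.0.2.77"))     # fail: e.g. a forwarder's address
    print(check_spf("open.example", "192.0.2.77"))    # pass: +all accepts anyone
```

The `none` result for a domain with no record is the state most unprotected domains are in: the receiver is told nothing, so it cannot reject anything.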
DKIM: “Was This Message Altered?”
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email. (DomainKeys Identified Mail (DKIM) Signatures, 2011)
That signature:
- Is generated by the sending system
- Is verified by the receiving system
- Confirms the message wasn’t modified in transit (Email Authentication: SPF, DKIM & DMARC Explained, 2024)
What DKIM does well
- Ensures message integrity
- Survives forwarding
- Proves the message was signed by your domain
Where DKIM fails
- A valid DKIM signature doesn’t guarantee the sender is legitimate
- Attackers can still spoof visible “From” addresses
DKIM helps protect the message itself, but it does not enforce any policy.
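The integrity check DKIM provides, as an added example that is not part of the original article and not taken from any DKIM library: relaxed body canonicalization and the bh= body hash from RFC 6376, plus the first step a verifier performs, recomputing bh= over the received body and comparing it with the value carried in the DKIM-Signature header. The RSA signature over the headers (the b= tag) is left out, and the sample message, domain and selector are constructed.

```python
import base64
import hashlib
import re


def relaxed_body_canonicalize(body):
    """Relaxed body canonicalization (RFC 6376, section 3.4.4).

    Trailing whitespace on each line is removed, runs of spaces/tabs inside a
    line collapse to one space, empty lines at the end of the body are
    dropped, and a non-empty body always ends with CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""  # an empty body canonicalizes to the empty string
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value):
    """Split a DKIM-Signature tag=value list into a dict (folding removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_signature_header(domain, selector, body):
    """Signer side: every tag except the b= signature over the headers."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def verify_body_hash(dkim_signature, body):
    """Verifier side, step one (RFC 6376, section 6.1.3): does bh= match?

    A mismatch means the body was altered in transit (or the signer hashed a
    different body), and the signature must be treated as failed.
    """
    tags = parse_tags(dkim_signature)
    return tags.get("bh") == body_hash(body)


# Constructed sample: a short notice signed for a made-up domain and selector.
SAMPLE_BODY = "Hi,\r\n\r\nYour invoice  is attached.  \r\nThanks\r\n\r\n\r\n"
SAMPLE_HEADER = build_signature_header("example.com", "sel2024", SAMPLE_BODY)
# The same message with one word changed after signing.
TAMPERED_BODY = SAMPLE_BODY.replace("attached", "overdue")

if __name__ == "__main__":
    print(SAMPLE_HEADER)
    print("original verifies:", verify_body_hash(SAMPLE_HEADER, SAMPLE_BODY))
    print("tampered verifies:", verify_body_hash(SAMPLE_HEADER, TAMPERED_BODY))
```

Relaxed canonicalization is what lets the signature survive forwarders that trim trailing whitespace or add blank lines at the end: those changes do not alter the hash, while any change to the words does. Note what this check does not do: a body hash that matches says nothing about whether the d= domain has any relationship to the visible From address, which is the gap DMARC alignment closes.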
DMARC: The Policy That Makes SPF and DKIM Matter
DMARC (Domain-based Message Authentication, Reporting & Conformance) is where everything comes together. (DMARC, 2015)
DMARC:
- Tells receiving servers how to evaluate SPF and DKIM
- Requires alignment with the visible “From” domain
- Defines what to do when authentication fails (DMARC.org: Domain-based Message Authentication, Reporting and Conformance (DMARC), 2020)
Without DMARC:
- SPF and DKIM results are ignored
- Spoofed emails still get delivered
- You have no enforcement or visibility
DMARC uses SPF and DKIM results to make decisions. (DMARC, 2015)
Alignment: The Part Most People Miss
DMARC isn’t just about pass or fail.
It checks alignment:
- Does the SPF or DKIM domain match the “From” domain users see? (DMARC, SPF, and DKIM Alignment, 2023)
If not:
- DMARC fails
- Spoofed emails can be rejected
This is why attackers dislike DMARC. It closes the gap that allows impersonation.
Why “DMARC = none” Is Not Protection
A DMARC policy set to p=none does only one thing:
📊 Collects reports
It does not:
- Block phishing
- Quarantine spoofed emails
- Protect your brand
Setting p=none is just for monitoring. It does not act as a security control (DMARC Warning about not being protected against phishing and spoofing threats, 2025).
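The DMARC evaluation, the alignment check, and the effect of p=none, as one added example that is not part of the original article: a small evaluator that takes a DMARC record, the visible From domain, and the SPF and DKIM results together with the domains they were obtained for, and returns the DMARC result and the disposition the receiver applies. Organizational domains are approximated by the last two labels (a real implementation uses the Public Suffix List), the pct= and reporting tags are ignored, and the domains and records are constructed.

```python
def org_domain(domain):
    """Organizational domain, approximated as the last two labels.

    Assumption: a real evaluator uses the Public Suffix List so that e.g.
    "example.co.uk" is handled correctly; this shortcut is enough for the demo.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match with the RFC5322.From domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return the DMARC result and the disposition to apply.

    spf_domain is the MAIL FROM (envelope) domain SPF was checked for;
    dkim_domain is the d= tag of a signature that verified (None if none did).
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"result": "none", "disposition": "none", "reason": "no valid DMARC record"}

    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r")))

    # One aligned pass is enough: this is what lets DKIM carry forwarded mail
    # through even though SPF fails on the forwarder's address.
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "disposition": "none",
                "reason": "spf aligned" if spf_aligned else "dkim aligned"}

    # sp= overrides p= for subdomains of the organizational domain when present
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)
    return {"result": "fail", "disposition": policy, "reason": "no aligned pass"}


# Constructed records; example.com and other.example are made up.
ENFORCING = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def impersonation_disposition(record):
    """A message whose visible From is example.com but whose SPF and DKIM
    pass only for the sender's own domain: authenticated, yet not aligned."""
    return evaluate_dmarc(record, "example.com",
                          "pass", "other.example",
                          "pass", "other.example")["disposition"]


if __name__ == "__main__":
    print("impersonation under p=reject:", impersonation_disposition(ENFORCING))  # reject
    print("impersonation under p=none:  ", impersonation_disposition(MONITOR_ONLY))  # none
```

The two calls at the bottom are the whole argument of this section: the same message, with SPF and DKIM both passing for a domain that is not the one in the From header, is rejected under p=reject and delivered unchanged under p=none. The only difference p=none makes is that the failure appears in the aggregate report sent to the rua= address.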
The Minimum Secure Setup
At a minimum, organizations should have:
- ✅ SPF with only required senders
- ✅ DKIM enabled for all mail sources
- ✅ DMARC set to quarantine or reject (Best Practices: Email Authentication - SPF, DKIM, and DMARC, 2017)
This combination:
- Prevents domain spoofing
- Protects users and customers
- Signals trust to receiving mail servers (Businesses Can Help Stop Phishing and Protect their Brands, 2024)
If you do less than this, your setup is not complete.
Why This Still Gets Missed
Because:
- Email “works,” so no one looks deeper
- Responsibility falls between IT and security
- DNS feels uncomfortable to touch
- There’s no alert when DMARC is missing
Attackers are aware of this and exploit it regularly (Shen et al., 2020).
Final Thought
SPF, DKIM, and DMARC are not optional extras.
They are one system, not three separate controls.
Written by Jaspreet Singh — Microsoft identity & security practitioner. Author at ITBlogs.ca. Lab notes and testing at f11.ca.
References
(n.d.). SPF Records for Approved Senders. Dyn Help Center. https://help.dyn.com/spf-records-for-approved-senders.html
(2011). DomainKeys Identified Mail (DKIM) Signatures. RFC 6376. https://datatracker.ietf.org/doc/html/rfc6376
(2024). Email Authentication: SPF, DKIM & DMARC Explained. YouTube video. https://www.youtube.com/watch?v=IXF3YucGy7M
(2015). DMARC. IETF RFC 7489. https://datatracker.ietf.org/doc/html/rfc7489
(2020). DMARC.org: Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC.org. https://dmarc.org/draft-dmarc-base-00-01.html
(2023). DMARC, SPF, and DKIM Alignment. Sendmarc Help Center. https://help.sendmarc.com/dmarc-spf-and-dkim-alignment
(2025). DMARC Warning about not being protected against phishing and spoofing threats. DMARC Report. https://support.dmarcreport.com/support/solutions/articles/5000896904-dmarc-warning-about-not-being-protected-against-phishing-and-spoofing-threats
(2017). Best Practices: Email Authentication - SPF, DKIM, and DMARC. Internet Society. https://www.internetsociety.org/resources/ota/2017/email-authentication-dmarc/
(October 31, 2024). Businesses Can Help Stop Phishing and Protect their Brands. Federal Trade Commission. https://www.ftc.gov/system/files/documents/reports/businesses-can-help-stop-phishing-protect-their-brands-using-email-authentication-ftc-staff/email_authentication_staff_perspective.pdf
Shen, K., Wang, C., Guo, M., Zheng, X., Lu, C., Liu, B., Zhao, Y., Hao, S., Duan, H., Pan, Q. & Yang, M. (2020). Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks. arXiv preprint arXiv:2011.08420. https://doi.org/10.48550/arXiv.2011.08420