Email Authentication

DKIM and SPF

DKIM cryptographically signs messages while SPF authorizes sending IPs; together they strengthen authentication under DMARC.

Intermediate · 7 min read · Reviewed Jul 4, 2026

Quick answer

DKIM adds a cryptographic signature tied to a domain selector in DNS, proving message integrity and signer identity. SPF authorizes sending IP addresses via DNS policy. Receivers may use either or both for DMARC alignment with the From domain. SPF and DKIM solve different problems and should be implemented together for robust authentication.

Beginner explanation

SPF and DKIM are complementary, not competing. SPF answers whether the sending server was allowed to mail as your domain. DKIM answers whether the message was signed by a holder of your domain's private key and unchanged in transit.

A message can pass SPF but fail DKIM if content is altered or unsigned. It can pass DKIM but fail SPF if sent from an unauthorized IP. DMARC gives receivers a framework for deciding when either aligned success is enough.

Implementing both protects more scenarios than either alone, especially when third-party senders use their own IPs but sign on your behalf.

Technical explanation

DKIM publishes a public key in a DNS TXT record at selector._domainkey.example.com. Outbound mail servers sign selected headers and body hashes with the corresponding private key. Receivers verify the signature and extract the signing domain d= for alignment checks.

SPF evaluates earlier in delivery, at SMTP connection time, using the envelope domain. DKIM verification happens after message data is received. Authentication-Results headers document both outcomes for downstream filters and user clients.

Operational teams should coordinate SPF includes and DKIM CNAME or TXT setups when onboarding vendors. Many platforms support easy DKIM while customers forget SPF, leading to partial authentication that fails strict DMARC policies.

Business impact

Together, SPF and DKIM reduce fraud and improve inbox placement. Messages with dual authentication present stronger trust signals to Gmail, Yahoo, Microsoft, and enterprise filters.

Compliance and security reviews increasingly expect both controls. SPF-only deployments leave gaps when mail is forwarded or when senders use pools that change IPs faster than DNS updates.

Common mistakes

- Configuring DKIM in a vendor console without adding the vendor to SPF
- Rotating DKIM keys without updating DNS selectors promptly
- Expecting SPF to protect message content integrity, which only DKIM signatures address

How SPF Manager helps

SPF Manager focuses on SPF depth while pointing to alignment requirements that involve DKIM. It highlights sending streams where SPF pass alone will not satisfy DMARC and suggests coordinated fixes.

Holistic domain dashboards help teams track authentication coverage across employee and vendor channels.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

Email Authentication

What is SPF Email Authentication?

SPF email authentication lets domain owners publish which servers may send mail using their domain, helping receivers detect spoofing.

Beginner 6 min read

Email Authentication

DMARC and SPF

DMARC builds on SPF and DKIM by defining alignment rules and reporting what receivers see when mail claims your domain.

Intermediate 8 min read

Deliverability

SPF and Email Deliverability

Correct SPF improves deliverability by giving receivers a trusted signal that your mail comes from authorized infrastructure.

Beginner 7 min read

SPF Basics

What is an SPF Record?

An SPF record is a DNS TXT entry that lists which mail servers are allowed to send email on behalf of your domain.

Beginner 6 min read