Email Authentication
DKIM and SPF
DKIM cryptographically signs messages while SPF authorizes sending IPs; together they strengthen authentication under DMARC.
Quick answer
DKIM adds a cryptographic signature tied to a domain selector in DNS, proving message integrity and signer identity. SPF authorizes sending IP addresses via DNS policy. Receivers may use either or both for DMARC alignment with the From domain. SPF and DKIM solve different problems and should be implemented together for robust authentication.
Beginner explanation
A message can pass SPF but fail DKIM if content is altered or unsigned. It can pass DKIM but fail SPF if sent from an unauthorized IP. DMARC gives receivers a framework for deciding when either aligned success is enough.
Implementing both protects more scenarios than either alone, especially when third-party senders use their own IPs but sign on your behalf.
Technical explanation
SPF evaluates earlier in delivery, at SMTP connection time, using the envelope domain. DKIM verification happens after message data is received. Authentication-Results headers document both outcomes for downstream filters and user clients.
Operational teams should coordinate SPF includes and DKIM CNAME or TXT setups when onboarding vendors. Many platforms support easy DKIM while customers forget SPF, leading to partial authentication that fails strict DMARC policies.
Business impact
Compliance and security reviews increasingly expect both controls. SPF-only deployments leave gaps when mail is forwarded or when senders use pools that change IPs faster than DNS updates.
Common mistakes
- Rotating DKIM keys without updating DNS selectors promptly
- Expecting SPF to protect message content integrity, which only DKIM signatures address
How SPF Manager helps
Holistic domain dashboards help teams track authentication coverage across employee and vendor channels.
Recommended next step
See how this applies to your domain before you change DNS.
Analyze my domainRelated articles
Email Authentication
What is SPF Email Authentication?
SPF email authentication lets domain owners publish which servers may send mail using their domain, helping receivers detect spoofing.
Email Authentication
DMARC and SPF
DMARC builds on SPF and DKIM by defining alignment rules and reporting what receivers see when mail claims your domain.
Deliverability
SPF and Email Deliverability
Correct SPF improves deliverability by giving receivers a trusted signal that your mail comes from authorized infrastructure.
SPF Basics
What is an SPF Record?
An SPF record is a DNS TXT entry that lists which mail servers are allowed to send email on behalf of your domain.