---
title: "Comparison Between SPF, DKIM, and DMARC | DuoCircle"
description: "Duocircle · Comparison Between SPF, DKIM, and DMARC SPF, DKIM, and DMARC were introduced to the world to help verify an email sender’s authenticity and if any."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/comparison-between-spf-dkim-and-dmarc/"
---

Quick Answer

SPF, DKIM, and DMARC are three different email authentication mechanisms that solve overlapping problems. SPF (Sender Policy Framework) is an allowlist: publish the IPs and mail servers authorized to send for your domain, and receivers reject or softfail mail from anything else. SPF breaks on forwarding (the forwarder's IP isn't in your record), authenticates the MAIL FROM not the visible From, and limits records to 10 DNS lookups before permerror. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound mail using a private key, which the receiver verifies against the public key in DNS. DKIM survives forwarding, but signature-tampering issues exist, and DKIM alone doesn't tell receivers what to do on failure. DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on top: it requires SPF or DKIM to pass and to align with the From domain, defines a policy (none, quarantine, reject) for failures, and produces aggregate reports so domain owners see who's sending as them. The three are not alternatives; they're a stack. SPF and DKIM each leave gaps that DMARC closes.


![DuoCircle blog post image](https://media.mailhop.org/duocircle/images/2023/11/SPF-record-checker.jpg) 

SPF, DKIM, and [DMARC](/resources/what-is-dmarc) were introduced to help verify an **email sender’s authenticity** and whether any changes were made to the content in transit. Their adoption has been slow, partly because businesses don’t have clarity on their functions.

In this article, we explain and compare these three [email authentication](/resources/email-authentication) protocols for a **clearer understanding**, which can in turn support better decision-making.

## SPF

### What is SPF

SPF is short for [Sender Policy Framework](/content/sender-policy-framework). The concept was first discussed in the late 1990s, and the protocol was made public after years of development. It’s based on the principle of allowlisting: only emails sent from your domain through **pre-specified sending sources** are considered authorized. All other senders are flagged as suspicious.

### How Does it Work?

SPF relies on an [SPF record](/content/spf-records/spf-record-example) where you list all the **IP addresses** and mail servers that you officially permit to send messages on behalf of your company or brand. _This list includes sending sources of employees, CXOs, third-party vendors, etc._

Along with the sending sources, you also use **SPF syntax** to convey further details and to instruct recipients’ mail servers on how to handle unauthorized emails sent from your domain. This is done using the [‘all’ mechanism](/content/spf-validator/spf-all#:~:text=Using%20'%2Dall'%20is%20interpreted,server%20is%20to%20reject%20it.): ~all (soft fail) directs a recipient’s server to place suspicious messages in the spam folder, whereas -all (hard fail) tells it to reject such messages.

The idea is to **minimize** the likelihood of recipients (victims of phishing attacks) [opening potentially fraudulent messages](https://cybersecuritynews.com/phishing-emails-generated-by-chatgpt/), being manipulated, and subsequently exploited.

[![SPF records](https://media.mailhop.org/duocircle/images/2023/11/SMTP-email-4217.jpg)](https://media.mailhop.org/duocircle/images/2023/11/SMTP-email-4217.jpg)

### Plus Points of SPF

- It segregates legitimate and illegitimate messages at the receiver’s end, which minimizes the instances of successful [phishing attacks](https://www.miragenews.com/910-senior-managers-see-phishing-as-rising-1124320/).
- SPF-compliant domains have a **better email delivery rate**.
- _It improves email marketing ROI_.

### Minus Points of SPF

- **SPF breaks when emails are forwarded**: the forwarding server’s IP address isn’t included in your SPF record, so a genuine message can be misidentified as spam.
- SPF authentication is performed on the [return-path/mailfrom domain](https://mxtoolbox.com/dmarc/spf/setup/spf-return-path) and not on the From address that receivers typically see. This means that a threat actor can transmit a message from a domain they control but use a different sender address. An average recipient doesn’t bother to inspect the return-path or mailfrom address, which creates a vulnerable situation.
- SPF records should be **maintained and monitored regularly**. You need to add or remove IP addresses constantly to avoid discrepancies.
- _You can’t exceed the limit of 10 DNS lookups and 2 void lookups;_ otherwise, an [SPF Permerror](/content/spf-permerror) will occur. However, tools like [AutoSPF](https://autospf.com/) make things easier by compressing SPF records.
- A few mailbox providers use **SPF and DKIM** to conduct authentication checks. However, SPF doesn’t empower domain owners to guide mailbox providers on how to handle a message in cases where the authentication checks cannot be verified.
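
The lookup limit and the ‘all’ mechanism described above can be audited before a record is published. The following Python sketch is an added example, not DuoCircle’s or AutoSPF’s code; it counts the worst-case DNS lookups of a record, following include and redirect targets, and reports the result of its ‘all’ term. The `ZONE` dictionary and all domain names in it are constructed stand-ins for live DNS TXT lookups, and the void-lookup limit is not modelled.

```python
import re

# Constructed sample data standing in for live DNS TXT lookups (hypothetical domains).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailer.example "
                   "include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example -all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.mailer.example": "v=spf1 a:out.mailer.example mx exists:%{i}.bl.mailer.example -all",
    "_spf.crm.example": "v=spf1 include:_x.crm.example include:_y.crm.example ptr -all",
    "_x.crm.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "_y.crm.example": "v=spf1 ip4:203.0.113.128/25 -all",
    # A record that lists IP ranges directly needs no further lookups.
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
    "redir.example": "v=spf1 redirect=flat.example",
}

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup
ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$")
MAX_LOOKUPS = 10


def count_lookups(domain, zone, path=()):
    """Return (worst-case DNS lookups, result of 'all') for domain's SPF record."""
    if domain in path:
        raise ValueError("include/redirect loop at " + domain)
    terms = zone.get(domain, "").lower().split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("no SPF record for " + domain)
    lookups, all_result, redirect = 0, None, None
    for term in terms[1:]:
        match = TERM_RE.match(term)
        if not match:
            raise ValueError("unparsable term: " + term)
        qualifier, name, arg = match.group(1) or "+", match.group(2), match.group(3)
        if name == "all":
            all_result = ALL_RESULT[qualifier]
            break                       # terms after "all" are never evaluated
        if name == "redirect":
            redirect = arg
        elif name in LOOKUP_MECHS:
            lookups += 1
            if name == "include":       # the included record's own terms count too
                lookups += count_lookups(arg, zone, path + (domain,))[0]
    if all_result is None and redirect:  # redirect is used only when nothing matched
        sub_lookups, all_result = count_lookups(redirect, zone, path + (domain,))
        lookups += 1 + sub_lookups
    return lookups, all_result or "neutral"  # no "all" and no redirect: neutral


def audit(domain, zone=ZONE):
    """Summarise a domain's SPF record: lookup count, 'all' result, limit exceeded."""
    lookups, all_result = count_lookups(domain, zone)
    return {"lookups": lookups, "all": all_result, "permerror": lookups > MAX_LOOKUPS}


if __name__ == "__main__":
    for name in ("example.com", "flat.example", "redir.example"):
        print(name, audit(name))
```

In the sample data, `example.com` looks modest at the top level but reaches 12 lookups once its two vendors’ includes are expanded, which is how a record drifts into Permerror without anyone editing it directly.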

## DKIM

### What is DKIM?

[DKIM](/resources/what-is-dkim) is an acronym for DomainKeys Identified Mail. It uses **cryptography** to conduct authentication checks and verify if a message’s content was tampered with in transit. A [DKIM signature](/email-hosting/what-is-dkim-and-why-you-should-use-it-to-secure-your-email/) is attached to an **outgoing email’s header**, which is validated at the recipient’s end. 

### How Does DKIM Work?

A DKIM administrator generates a pair of cryptographically-protected public and private keys. The **private key is secretly stored** with the domain owner, while the public key is published in the DNS so recipients’ servers can retrieve it for verification.

Upon receiving an email from your domain, the recipient’s server extracts the public key to decrypt the DKIM signature attached to the [email header](https://proton.me/blog/what-are-email-headers#:~:text=An%20email%20header%20is%20a,visible%20header%20at%20the%20top.). _If the decrypted **signature matches** the calculated hash of the email content, the email is considered authentic and hasn’t been tampered with during transit._

### Plus Points of DKIM

- It is **difficult to bypass** DKIM verification checks as they are based on cryptography.
- _It doesn’t break on forwarding_.
- DKIM decreases the likelihood of [spammers altering the content of the message](https://www.foxnews.com/us/facebook-messenger-phishing-scam-stealing-millions-passwords).

### Minus Points of DKIM

- _DKIM **doesn’t allow** domain owners to instruct mailbox providers that rely on SPF and DKIM to verify authenticity on how to handle a message that fails authentication checks._
- **DKIM relaying issues** can be triggered if a message passes through multiple intermediate mail servers.
- [A person with malicious intent can compose an email using a trustworthy domain, sign it with DKIM](https://www.infosecurity-magazine.com/news/docusign-impersonation-attack/), and subsequently send it to any email inbox. This email, now authenticated with a DKIM signature, can be obtained as a signed version and **forwarded to numerous recipients** without encountering any restrictions.
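
The content check described under “How Does DKIM Work?” and the relaying issue listed above both come down to the body hash carried in the signature’s `bh=` tag. The following Python sketch is an added example, not code from the original article; it implements the “simple” and “relaxed” body canonicalization of RFC 6376 and compares the result with `bh=`. The messages, selector and domain are constructed, SHA-256 is assumed, and the public-key check of the `b=` signature over the headers is not covered.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """Apply RFC 6376 body canonicalization ("simple" or "relaxed") to raw bytes."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("unknown canonicalization: " + mode)
    body = re.sub(rb"\r?\n", b"\r\n", body)               # normalise line endings
    if mode == "relaxed":
        body = re.sub(rb"[ \t]+(?=\r\n|\Z)", b"", body)   # drop whitespace at line ends
        body = re.sub(rb"[ \t]+", b" ", body)             # collapse whitespace runs
    while body.endswith(b"\r\n"):                         # drop trailing empty lines
        body = body[:-2]
    if body or mode == "simple":                          # simple: empty body is CRLF
        body += b"\r\n"
    return body


def body_hash(body, mode="relaxed"):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)  # undo header folding
    return tags


def body_hash_matches(dkim_signature, body):
    """True if the received body still hashes to the signature's bh= value."""
    tags = parse_tags(dkim_signature)
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    return tags.get("bh") == body_hash(body, body_mode or "simple")


# Constructed sample messages (not captured traffic).
SIGNED_BODY = b"Hi Alice,\r\n\r\nInvoice 1042 is attached.\r\n"
# A relay that only touches whitespace and adds a blank line at the end.
REFLOWED_BODY = b"Hi Alice,  \r\n\r\nInvoice  1042 is attached.\r\n\r\n"
# A relay (for example a mailing list) that appends a footer.
FOOTER_BODY = SIGNED_BODY + b"-- \r\nSent via list.example\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
             "h=from:to:subject; bh=" + body_hash(SIGNED_BODY) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    for label, body in (("as signed", SIGNED_BODY), ("reflowed", REFLOWED_BODY),
                        ("footer added", FOOTER_BODY)):
        print(label, body_hash_matches(SIGNATURE, body))
```

With relaxed canonicalization the whitespace-only change still verifies, while the appended footer changes the hash, so the signature fails at the next hop even though the sender did nothing wrong.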

## DMARC

### What is DMARC?

DMARC stands for Domain-Based Message Authentication, Reporting & Conformance. This protocol works with **SPF and DKIM** results to determine an email’s authenticity. It [prevents email spoofing and phishing](https://thehackernews.com/2020/12/how-dmarc-can-stop-criminals-sending.html) by helping you decide how you want receivers’ mail servers to treat unauthorized messages sent from your domain.

### How Does DMARC Work?

DMARC empowers you, as the domain owner, to instruct mailbox providers how to **manage unauthorized emails** sent from your domain. You can set your [DMARC record](/resources/create-dmarc-records) to one of these policies:

#### None (p=none)

This is also called the **monitoring policy**, as no action is taken against unauthorized emails.

[![spam folders](https://media.mailhop.org/duocircle/images/2023/11/hosted-email-server-2518.jpg)](https://media.mailhop.org/duocircle/images/2023/11/hosted-email-server-2518.jpg)

#### Quarantine (p=quarantine)

_Unauthorized emails are placed in the [spam folders](https://www.pcmag.com/encyclopedia/term/spam-folder#:~:text=Also%20called%20a%20%22junk%20folder,that%20the%20message%20is%20junk.)._

#### Reject (p=reject)

Unauthorized emails are **sent back**.

To minimize the instances of **false positives**, you can use the [percentage tag](https://mxtoolbox.com/dmarc/details/dmarc-tags/dmarc-percentage#:~:text=The%20DMARC%20Percentage%20Tag%20%28pct,incoming%20messages%20that%20fail%20DMARC.) to apply the policy to only a pre-specified percentage of emails. 
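
The following Python sketch shows how a receiver combines SPF and DKIM results with the From domain, the three policies and the percentage tag. It is an added example, not code from the original article; the records, messages and domain names are constructed, `sample` stands for the 0–99 value a receiver draws per message to honour `pct`, and the organizational domain is approximated by the last two labels (real receivers use the Public Suffix List).

```python
# For messages not selected by pct, RFC 7489 applies the next weaker policy.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DOWNGRADE:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    # Assumption for this example: the last two labels form the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(msg, record, sample=0):
    """Return alignment results and the disposition a receiver would apply."""
    tags = parse_dmarc(record)
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mailfrom"], msg["from_domain"], tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_d"], msg["from_domain"], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                 # one aligned pass is enough
        disposition = "pass"
    else:
        disposition = tags["p"]
        if sample >= int(tags.get("pct", "100")):
            disposition = DOWNGRADE[disposition]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "disposition": disposition}


# Constructed sample messages, described by the results a receiver already computed.
SPOOFED = {"from_domain": "example.com", "spf": "pass",    # SPF passes for the
           "mailfrom": "bulk.example.net",                 # sender's own domain only
           "dkim": "none", "dkim_d": None}
FORWARDED = {"from_domain": "example.com", "spf": "fail",  # forwarder's IP not listed
             "mailfrom": "example.com", "dkim": "pass", "dkim_d": "example.com"}
VENDOR = {"from_domain": "example.com", "spf": "pass",
          "mailfrom": "bounce.vendor.example", "dkim": "pass",
          "dkim_d": "mail.example.com"}

if __name__ == "__main__":
    print(evaluate(SPOOFED, "v=DMARC1; p=reject"))
    print(evaluate(FORWARDED, "v=DMARC1; p=reject"))
    print(evaluate(VENDOR, "v=DMARC1; p=quarantine; adkim=s"))
    print(evaluate(SPOOFED, "v=DMARC1; p=reject; pct=25", sample=80))
```

The `VENDOR` case is a typical source of false positives: the same message passes under relaxed alignment but is quarantined once `adkim=s` is set, because the vendor signs with a subdomain.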

### Plus Points of DMARC

- You can choose to receive [aggregate and forensic reports](/resources/dmarc-aggregate-report) to get insights on your domain reputation and identify if an unauthorized sending source is [exploiting your brand name](https://www.bbc.com/news/business-66184678).
- It makes your email **easily locatable** across the network of DMARC-capable receivers.
- Your **domain reputation improves**.

### Minus Points of DMARC

- [False positives for legitimate messages](https://debounce.io/glossary/false-positive/#:~:text=This%20occurrence%2C%20known%20as%20a,and%20potentially%20damaging%20their%20reputation.), which impact communication with clients, prospects, colleagues, vendors, etc., and hit the **email-marketing ROI**.

## The Final Comparison

Here’s what you can gather from the above guide:

| SPF                                                                                   | DKIM                                                                 |
| ------------------------------------------------------------------------------------- | -------------------------------------------------------------------- |
| SPF permits domain owners to specify sending sources authorized to transmit messages. | DKIM uses encryption and digital signatures to confirm authenticity. |
| Encryption is not used.                                                               | Encryption is used.                                                  |
| It may break on forwarding.                                                           | It doesn’t break on forwarding.                                      |

| SPF                                                                                   | DMARC                                                                      |
| ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| Domain owners don’t receive reports.                                                  | Domain owners can choose to receive aggregate and forensic reports.        |
| You can’t apply the ‘all’ mechanism to only a specific percentage of outgoing emails. | You can apply DMARC policies to a certain percentage of outgoing messages. |

| DMARC                                               | DKIM                                                              |
| --------------------------------------------------- | ----------------------------------------------------------------- |
| You require SPF and/or DKIM to implement DMARC.     | DKIM can be deployed independently.                               |
| DMARC suggests what to do with illegitimate emails. | DKIM verifies if an email’s content was tampered with in transit. |

## Conclusion

Each protocol has some pluses and minuses, but together, they complement and complete each other. That’s why this trio should be implemented to attain the **highest possible level of security** against [email-based menaces](/email-hosting/the-top-three-email-based-threats-and-how-to-avoid-them/). 

**DuoCircle** is at your disposal for all things associated with [email security](/content/email-security-services), deliverability, and routing. [Reach out to us](/contact) to get your email-oriented [cybersecurity](/) sorted.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

