SPF, DKIM, and DMARC were introduced to the world to help verify an email sender’s authenticity and if any changes were made to the content in transit. Their adoption has been slow, partly because businesses don’t have clarity on their functions. 

In this article, we have explained and compared these three email authentication protocols for a clearer understanding, which can consequently boost decision-making.




What is SPF

SPF is short for Sender Policy Framework. The concept was first discussed in the late 1990s, and the protocol was made public after years of development. It’s based on the principles of allowlisting, where emails sent from your domain using only pre-specified sending sources are considered authorized. All other senders are flagged as suspicious. 


How Does it Work?

SPF includes an SPF record where you enlist all the IP addresses and mail servers that you officially permit to dispatch messages on behalf of your company or brand. This list includes sending sources of employees, CXOs, third-party vendors, etc. 

Along with the sending sources, you also use SPF syntaxes to reflect some details and to instruct recipients’ mail servers on how to manage unauthorized emails sent from your domain. This is specifically done using the ‘all’ mechanism; ~all (soft fail) directs a recipient’s server to place suspicious messages in the spam folder, whereas -all (hard fail) tells to reject the entry of such messages. 

The idea behind this is to minimize the likelihood of receivers (victims of phishing attacks) opening potentially fraudulent messages and getting manipulated, followed by cyber exploitation. 


Plus Points of SPF

  • It segregates legitimate and illegitimate messages at the receiver’s end, which minimizes the instances of successful phishing attacks.
  • SPF-compliant domains have a better email delivery rate.
  • It improves email marketing ROI.


Minus Points of SPF

  • SPF breaks when emails are forwarded, which means your IP address won’t be included, and a genuine message can be misidentified as spam.
  • SPF authentication is performed on the specific return-path/mailfrom domain and not from the address that receivers typically see. This means that a threat actor can transmit a message from a domain they control but use a different sender address. An average recipient doesn’t bother to inspect the return-path or mailfrom address, which creates a vulnerable situation. 
  • SPF records should be maintained and monitored regularly. You need to add or remove IP addresses constantly to avoid discrepancies.  
  • You can’t exceed the limit of 10 DNS lookups and 2 void lookups; otherwise, a SPF Permerror will occur. However, tools like AutoSPF make things easier by compressing SPF records.
  • A few mailbox providers use SPF and DKIM to conduct authentication checks. However, SPF doesn’t empower domain owners to guide mailbox providers on how to handle a message in cases where the authentication checks cannot be verified.



Image sourced from avasoft.com




What is DKIM?

DKIM is an acronym for DomainKeys Identified Mail. It uses cryptography to conduct authentication checks and verify if a message’s content was tampered with in transit. A DKIM signature is attached to an outgoing email’s header, which is validated at the recipient’s end. 


How Does DKIM Work?

A DKIM administrator generates a pair of cryptographically-protected public and private keys. The private key is secretly stored with the domain owner, while the public key is published in the DNS so recipients’ servers can retrieve it for verification.

Upon receiving an email from your domain, the recipient’s server extracts the public key to decrypt the DKIM signature attached to the email header. If the decrypted signature matches the calculated hash of the email content, the email is considered authentic and hasn’t been tampered with during transit.


Plus Points of DKIM


Minus Points of DKIM

  • DKIM doesn’t allow domain owners to instruct mailbox providers relying on SPF and DKIM for verifying authenticity on how to handle a message that fails authentication checks. 
  • DKIM relaying issues can be triggered if it passes through multiple intermediate mail servers
  • A person with malicious intent can compose an email using a trustworthy domain, sign it with DKIM, and subsequently send it to any email inbox. This email, now authenticated with a DKIM signature, can be obtained as a signed version and forwarded to numerous recipients without encountering any restrictions.





What is DMARC?

DMARC stands for Domain-Based Message Authentication, Reporting & Conformance. This protocol works in accordance with SPF and DKIM results to conduce an email’s authenticity. It prevents email spoofing and phishing by helping you decide how you want receivers’ mail servers to treat unauthorized messages sent from your domain.


How Does DMARC Work?

DMARC empowers domain owners to instruct how mailbox providers should manage unauthorized emails sent from your domain. You can set your DMARC record to these policies-


None (p=none)

This is also called the monitoring policy, as no action is taken against unauthorized emails.


Quarantine (p=quarantine)

Unauthorized emails are placed in the spam folders.


Reject (p=reject)

Unauthorized emails are sent back.


To minimize the instances of false positives, you can use the percentage tag to apply the policy to only a pre-specified percentage of emails. 


Plus Points of DMARC

  • You can choose to receive aggregate and forensic reports to get insights on your domain reputation and identify if an unauthorized sending source is exploiting your brand name
  • It makes your email easily locatable across the network of DMARC-capable receivers.
  • Your domain reputation improves.


Minus Points of DMARC



The Final Comparison

Here’s what you can gather from the above guide-


SPF permits domain owners to specify sending sources authorized to transmit messages. DKIM uses encryption and digital signatures to confirm authenticity. 
Encryption is not used. Encryption is used.
It may break on forwarding. It doesn’t break on forwarding.


Domain owners don’t receive reports. Domain owners can choose to receive aggregate and forensic reports.
You can’t apply the ‘all’ mechanism to only a specific percentage of outgoing emails. You can apply DMARC policies to a certain percentage of outgoing messages.


You require SPF and/or DKIM to implement DMARC. DKIM can be deployed independently
DMARC suggests what to do with illegitimate emails.  DKIM verifies if an email’s content was tampered with in transit. 



Each protocol has some pluses and minuses, but together, they complement and complete each other. That’s why this trio should be implemented to attain the highest possible level of security against email-based menaces

DuoCircle comes to your disposal for all things associated with email security, deliverability, and routing. Reach out to us to get your email-oriented cybersecurity sorted. 

Pin It on Pinterest

Share This