DKIM vs DMARC — What's the difference?
DKIM attaches a cryptographic signature that proves a message was signed by a given domain and has not been altered since. DMARC adds alignment with the visible From: header, a published policy for messages that fail, and reporting. Neither alone stops spoofing of your From: address; both are required for complete anti-spoofing protection.
What DKIM does
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email. The sending server signs a selected set of headers (which must include From:) and the message body with a private key, and the corresponding public key is published as a DNS TXT record at <selector>._domainkey.<domain>.
Receiving servers read the d= (domain) and s= (selector) tags from the DKIM-Signature header, retrieve the public key from DNS and verify the signature. A valid signature confirms the message was signed by a holder of that domain's private key and that the signed headers and body have not been altered in transit.
Because DKIM signs the message content rather than the sending IP address, a valid signature normally survives email forwarding, unlike SPF, which breaks when the forwarding server's IP is not in the original SPF record. The signature does break if the forwarder modifies signed content, for example a mailing list that appends a footer or rewrites the Subject: header.
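The body-hash step of DKIM verification, as an added example that is not code from the page or from any DKIM library. It implements the RFC 6376 body canonicalization and the bh= comparison with the Python standard library only; the b= check (the RSA signature over the signed headers plus bh=) needs the public key from <selector>._domainkey.<domain> and is not performed here. The message, the selector s1 and the addresses are constructed for the demonstration.

```python
import base64
import hashlib
import re

# Added example, not code from the page: the body-hash (bh=) half of DKIM
# verification, written from RFC 6376 with the standard library only. The b=
# check (RSA signature over the signed headers plus bh=) needs the public key
# published at <selector>._domainkey.<domain> and is not performed here.


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 ('simple') / 3.4.4 ('relaxed') body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # collapse runs of WSP to one space, then drop trailing WSP on each line
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":  # ignore all empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, mode: str = "relaxed") -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_signature(value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (FWS inside values is dropped)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def split_message(raw: str):
    """Return (headers as a lower-cased name -> unfolded value dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    head = re.sub(r"\r\n[ \t]+", " ", head)  # unfold continuation lines
    headers = {}
    for line in head.split("\r\n"):
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers, body


def verify_body_hash(raw: str) -> bool:
    """True if bh= in DKIM-Signature matches the body as received, using the c= body mode."""
    headers, body = split_message(raw)
    sig = parse_dkim_signature(headers.get("dkim-signature", ""))
    if sig.get("v") != "1" or not sig.get("a", "").endswith("sha256"):
        return False
    # c=header/body; a missing body mode defaults to simple (RFC 6376 section 3.5)
    body_mode = sig.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_mode) == sig.get("bh")


def build_sample_message() -> str:
    """Constructed sample message as a signing server would emit it (b= left empty)."""
    body = "Hello,\r\n\r\nYour invoice is attached.   \r\n\r\n"
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        "\ts=s1; h=from:to:subject; bh=" + body_hash(body, "relaxed") + ";\r\n"
        "\tb=\r\n"
        "From: billing@example.com\r\n"
        "To: alice@example.net\r\n"
        "Subject: Invoice\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    msg = build_sample_message()
    print(verify_body_hash(msg))  # intact message: True
    # a forwarder that strips trailing whitespace: still True under relaxed canonicalization
    print(verify_body_hash(msg.replace("attached.   ", "attached.")))
    # a mailing list that appends a footer: the body hash no longer matches, False
    print(verify_body_hash(msg + "-- \r\nlist footer\r\n"))
```

The three calls at the end show why relaxed canonicalization is the usual choice and where forwarding still breaks DKIM: whitespace changes are absorbed, but any appended footer changes the canonical body and the signature can no longer verify, which is the case DMARC's SPF-or-DKIM rule is meant to absorb.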
What DMARC does
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on DKIM and SPF. It adds three capabilities neither provides alone:
Alignment. DMARC requires that the domain in the visible From: header match the domain authenticated by DKIM (the d= tag of the signature) or by SPF (the envelope MAIL FROM domain).
Policy enforcement. DMARC publishes a policy (p=none, p=quarantine, or p=reject) telling receivers what to do when authentication fails.
Reporting. DMARC aggregate reports, sent to the address in the record's rua= tag, show who is sending email on behalf of your domain and which messages are failing authentication.
DKIM vs DMARC: key differences
DKIM authenticates a message by verifying a cryptographic signature. DMARC defines what receivers should do when authentication fails.
DKIM validates message integrity and origin. DMARC validates alignment between the authenticated domain and the visible From: header.
DKIM alone cannot instruct receivers to reject or quarantine spoofed messages. DMARC provides this instruction through the p= tag.
DKIM alone provides no reporting. DMARC aggregate reports give visibility into spoofing attempts and authentication failures.
Why DKIM alone is not enough
DKIM proves a message was signed with the key published by the d= domain, but it does not define how receivers should treat messages that fail DKIM.
Without DMARC, there is no alignment check between the signing domain and the visible From: header. An attacker can sign with a key for a domain they control (d=attacker-controlled domain) while putting your domain in the From: header; the signature verifies, so DKIM passes even though the From: address is spoofed.
Without DMARC, there is no reporting. You cannot detect whether your domain is being spoofed or which senders are failing authentication.
How DMARC uses DKIM alignment
DMARC DKIM alignment requires that the d= domain in the DKIM-Signature header matches the domain in the visible From: header.
Relaxed alignment (the default, adkim=r) accepts an organisational domain match. A message signed with d=mail.example.com passes alignment for example.com.
Strict alignment (adkim=s) requires an exact domain match between d= and the From: domain.
DMARC passes if DKIM passes with alignment OR if SPF passes with alignment (the aspf= tag controls SPF alignment in the same way, comparing the envelope MAIL FROM domain with From:). Having both makes DMARC more resilient: when forwarding breaks SPF, an intact DKIM signature still carries the message to a DMARC pass.
DMARC policies explained
p=none — Monitoring only. Messages are delivered normally but aggregate reports are sent. Use this to understand your email infrastructure.
p=quarantine — Messages that fail DMARC are moved to the spam or junk folder. Provides meaningful protection with lower rejection risk.
p=reject — Messages that fail DMARC are rejected at the SMTP level. This is the strongest protection against domain spoofing.
The recommended approach is p=none first, then p=quarantine, then p=reject once all legitimate senders pass authentication.
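The alignment and policy rules of this section and the previous one, including the spoofing case where a DKIM signature verifies for the attacker's own domain, as an added example that is not code from the page or from any DMARC implementation. It parses a DMARC record, evaluates a message's DKIM and SPF results against it following RFC 7489 section 6.6, and flags weak settings. The record, the rua= address and the sender domains are constructed; the organisational domain is approximated as the last two labels, which a real receiver must replace with a Public Suffix List lookup.

```python
# Added example, not code from the page: parse a DMARC record and compute the
# disposition of a message from its DKIM/SPF results (RFC 7489 section 6.6).
# ASSUMPTION: the organisational domain is taken as the last two labels; a real
# receiver uses the Public Suffix List (co.uk, com.au, ...).


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment is the default for both
    for part in txt.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """ASSUMPTION: last two labels stand in for the Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' an organisational-domain match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record: dict, from_domain: str,
                   dkim_pass: bool, dkim_d: str,
                   spf_pass: bool, spf_mail_from: str) -> dict:
    """DMARC passes if DKIM or SPF passes AND that identifier aligns with the From: domain."""
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, record["adkim"])
    spf_ok = spf_pass and aligned(spf_mail_from, from_domain, record["aspf"])
    if dkim_ok or spf_ok:
        disposition = "none"  # authenticated and aligned: deliver normally
    elif org_domain(from_domain) == from_domain.lower():
        disposition = record["p"]  # From: is the organisational domain itself
    else:
        disposition = record["sp"]  # From: is a subdomain
    return {"dmarc": "pass" if (dkim_ok or spf_ok) else "fail",
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "disposition": disposition}


def audit_dmarc_record(record: dict) -> list:
    """Weak-configuration findings of the kind a DMARC checker reports."""
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    findings = []
    if record["p"] == "none":
        findings.append("p=none is monitoring only; failing messages are still delivered")
    if "rua" not in record:
        findings.append("no rua= tag, so no aggregate reports will be received")
    if strength.get(record["sp"], 0) < strength[record["p"]]:
        findings.append("sp=%s is weaker than p=%s; subdomains can be spoofed"
                        % (record["sp"], record["p"]))
    return findings


# Constructed TXT record for _dmarc.example.com (the rua address is made up)
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    rec = parse_dmarc_record(EXAMPLE_RECORD)
    # legitimate mail: d=mail.example.com aligns with From: example.com under relaxed mode
    print(evaluate_dmarc(rec, "example.com", True, "mail.example.com", True, "bounce.example.com"))
    # spoof: DKIM verifies for the attacker's own d= domain, but nothing aligns with From:
    print(evaluate_dmarc(rec, "example.com", True, "attacker.example", True, "attacker.example"))
    # strict DKIM alignment refuses the subdomain signer that relaxed mode accepted
    strict = parse_dmarc_record("v=DMARC1; p=quarantine; adkim=s")
    print(evaluate_dmarc(strict, "example.com", True, "mail.example.com", False, ""))
    print(audit_dmarc_record(rec))
```

The second call is the case from "Why DKIM alone is not enough": both DKIM and SPF pass for attacker.example, yet the message fails DMARC and, because From: is the organisational domain, receives the p=reject disposition. The audit flags sp=quarantine as weaker than p=reject, the kind of gap to close before treating the domain as fully protected.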
Should you implement DKIM or DMARC first?
Implement SPF first. It establishes which servers are authorised to send email for your domain and is the quickest to deploy.
Add DKIM second. Your email provider will generate a key pair and give you the TXT record to publish at <selector>._domainkey.<domain>; the private key stays on the signing servers.
Add DMARC third, starting with p=none and a rua= address so that aggregate reports are collected. Review the reports, confirm that all legitimate senders (including third-party services that send as your domain) pass alignment, then move to p=quarantine and finally p=reject.
How to check DKIM and DMARC
Use MXFend's DKIM Checker to validate a specific DKIM selector, verify the DNS record exists, and check for key configuration issues.
Use MXFend's DMARC Checker to verify your DMARC record, check the policy level, and detect missing or weak configurations.
Run the MXFend Email Security Score for a complete audit covering DKIM, DMARC, SPF, blacklists, SMTP TLS, and more.
Frequently asked questions
Can DKIM work without DMARC?
Yes, but enforcement and reporting are missing. Without DMARC, receivers have no policy instruction for failed authentication and you receive no reports about spoofing attempts.
Does DMARC require DKIM?
DMARC works with DKIM and/or SPF. If at least one passes with alignment, DMARC can pass. Using both DKIM and SPF makes DMARC more resilient.
What happens if DKIM passes but DMARC fails?
DKIM may pass signature verification but DMARC can still fail if the d= domain in the DKIM signature does not align with the From: header domain. Alignment is required in addition to DKIM passing.
Should I use p=reject?
Yes, once you have validated that all legitimate senders pass DKIM or SPF alignment. Start with p=none, move to p=quarantine, then use p=reject for maximum protection against domain spoofing.