SPF vs DKIM — What's the difference?
SPF and DKIM solve different email authentication problems. Both are needed for reliable deliverability and DMARC enforcement.
What SPF does
SPF (Sender Policy Framework) validates which mail servers are authorised to send email on behalf of your domain.
It works by publishing a list of permitted IP addresses or hostnames as a DNS TXT record. When a receiving server accepts a message, it checks the envelope sender (MAIL FROM) against the SPF record.
SPF only validates the sending server's IP address. It does not sign the message content. Because of this, SPF breaks when email is forwarded, since the forwarding server is not listed in the original SPF record.
What DKIM does
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The sending server signs each message with a private key, and the corresponding public key is published in DNS.
Receiving servers retrieve the public key and verify the signature, confirming that the message was sent by an authorised server and has not been modified in transit.
Because DKIM signs the message itself rather than validating the sending IP, DKIM signatures survive email forwarding.
SPF vs DKIM: key differences
SPF validates the sending server's IP address. DKIM validates a cryptographic signature on the message.
SPF uses a DNS lookup to compare the sending IP against authorised senders. DKIM uses public-key cryptography to verify message integrity.
SPF breaks during email forwarding because the forwarding server's IP is not in the original SPF record. DKIM survives forwarding because the signature is attached to the message.
SPF cannot prevent visible From header spoofing by itself. DKIM cannot authorise sending servers by itself. Both are needed.
Why SPF alone is not enough
SPF only validates the envelope sender used during the SMTP session, not the visible From: header that recipients see. Spammers can pass SPF while still spoofing the display From: address.
SPF also breaks during email forwarding, which is common with mailing lists and email redirection services.
Without DKIM, DMARC alignment relies entirely on SPF passing with alignment, which forwarding scenarios make unreliable.
Why DKIM alone is not enough
DKIM proves a message was signed by an authorised server but does not define which servers are permitted to send on behalf of the domain.
Without SPF, there is no IP-based authorisation layer. Without DMARC, there is no policy telling receiving servers what to do when DKIM fails or is absent.
DKIM alone cannot prevent domain spoofing if DMARC is not enforced.
How SPF and DKIM work together with DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on both SPF and DKIM. It requires that at least one of them passes with alignment to the visible From: domain.
Alignment means the SPF domain or the DKIM signing domain matches the domain in the visible From: header.
DMARC lets you publish a policy (p=none, p=quarantine, or p=reject) telling receivers what to do when authentication fails. With both SPF and DKIM in place, DMARC is far more resilient across forwarding and third-party sending scenarios.
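Added example (not part of the original page): a Python sketch of the alignment decision described above, run over three constructed Authentication-Results header values for a direct send, a forwarded message, and a message whose envelope sender passes SPF for a different domain than the visible From:. The function names, sample domains, and the parent/child approximation of relaxed alignment are assumptions; real receivers compare organizational domains using the Public Suffix List.

```python
import re
from email.utils import parseaddr

def _domain(addr):
    """Lower-cased domain part of an address or bare domain."""
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def _aligned(auth_domain, from_domain, relaxed):
    # Strict: exact match. Relaxed is approximated here as a parent/child
    # relationship; real DMARC compares organizational domains (needs the PSL).
    if auth_domain == from_domain:
        return True
    return relaxed and (auth_domain.endswith("." + from_domain)
                        or from_domain.endswith("." + auth_domain))

def dmarc_eval(auth_results, from_header, relaxed=True):
    """Return (dmarc_pass, spf_aligned_pass, dkim_aligned_pass)."""
    from_domain = _domain(parseaddr(from_header)[1])
    spf = re.search(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=([^\s;]+)", auth_results)
    spf_ok = bool(spf and spf.group(1) == "pass"
                  and _aligned(_domain(spf.group(2)), from_domain, relaxed))
    # A message may carry several DKIM signatures; any aligned pass is enough.
    dkim_ok = any(res == "pass" and _aligned(_domain(d), from_domain, relaxed)
                  for res, d in re.findall(
                      r"\bdkim=(\w+)[^;]*?\bheader\.d=([^\s;]+)", auth_results))
    return (spf_ok or dkim_ok, spf_ok, dkim_ok)

# Constructed Authentication-Results values (example.* names are placeholders).
DIRECT = "mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"
FORWARDED = "mx.example.net; spf=fail smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com"
SPOOFED = "mx.example.net; spf=pass smtp.mailfrom=x@mailer.example.org; dkim=none"

if __name__ == "__main__":
    sender = "Alice <alice@example.com>"
    for name, ar in [("direct", DIRECT), ("forwarded", FORWARDED), ("spoofed From", SPOOFED)]:
        print(name, dmarc_eval(ar, sender))
```

The forwarded case passes DMARC on the aligned DKIM signature alone, while the third case fails even though SPF itself reports pass, because the SPF domain does not align with the visible From: domain.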
Which should you implement first?
Start with SPF. It is the quickest to deploy and immediately authorises your sending servers.
Add DKIM second. Your email provider will generate a key pair and guide you through publishing the DNS record.
Add DMARC third, beginning with p=none to collect reports. Once you confirm all legitimate mail passes SPF or DKIM alignment, move to p=quarantine and then p=reject.
How to check SPF and DKIM
Use MXFend's SPF Checker to validate your SPF record, detect multiple records, and check for dangerous mechanisms.
Use MXFend's DKIM Checker to validate a specific DKIM selector and verify the DNS record is correctly configured.
Run the MXFend Email Security Score for a complete audit covering SPF, DKIM, DMARC, blacklists, SMTP TLS, and more.
Frequently asked questions
Is SPF or DKIM more important?
Both are important and solve different problems. SPF validates sending servers; DKIM signs messages. DMARC requires at least one to pass with alignment.
Can DKIM work without SPF?
Yes, but DMARC protection may be weaker. SPF adds an IP-based authorisation layer and is recommended alongside DKIM.
Does SPF break during forwarding?
Yes. Forwarding commonly breaks SPF because the forwarding server's IP is not listed in the original domain's SPF record. DKIM is more resilient to forwarding.
Do I need SPF, DKIM, and DMARC?
Yes. Modern email deliverability and anti-spoofing protection require all three. SPF and DKIM authenticate the message; DMARC defines the policy and provides reporting.