SPF vs DMARC — What's the difference?

SPF authenticates the servers allowed to send email for your domain. DMARC ties that result to the visible From: address (alignment), adds a policy for failures, and adds reporting. Both are necessary for complete email authentication.

What SPF does

SPF (Sender Policy Framework) publishes a DNS TXT record, starting with v=spf1, that lists the IP addresses, hostnames and included third-party records (ip4, ip6, a, mx, include) authorised to send email for your domain.

When a receiving server gets a message, it takes the domain from the MAIL FROM address in the SMTP envelope (or from the HELO/EHLO hostname when MAIL FROM is empty, as it is for bounces), fetches that domain's SPF record, and checks whether the connecting IP is authorised by it.

SPF has no enforcement or reporting of its own. The qualifier on the all mechanism (-all for hard fail, ~all for soft fail) states the domain owner's intent, but it only produces a result; the receiving server decides independently what to do with a failing message, and the domain owner never hears about it. SPF also breaks during forwarding, because the forwarding server's IP is not in the original SPF record.
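The evaluation described above, as an added example (not code from the original page or from MXFend's tools). It runs against a constructed DNS zone with hypothetical domains and documentation addresses, handles the ip4, ip6, include and all terms, and skips a, mx, ptr and exists, which need live DNS. The last two calls show the forwarding problem: a legitimate message relayed by a host that is not in the record fails under -all and soft-fails under ~all.

```python
import ipaddress

# Constructed DNS zone standing in for live TXT lookups (hypothetical
# domains, RFC 5737/3849 documentation addresses) so the example runs offline.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's v=spf1 record, or None when it publishes none."""
    record = ZONE.get(domain.lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return None
    return record


def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): is `ip` authorised to send for `domain`?

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # runaway include chain
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # ip_network rejects malformed values; a v4 address is never
                # "in" a v6 network (and vice versa), so no version check needed
                matched = addr in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only when the included record yields pass;
            # its fail/softfail/neutral results do not end the evaluation
            matched = check_host(ip, value, depth + 1) == "pass"
        else:
            # a, mx, ptr, exists and redirect= need live DNS; skipped here
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    # Direct send from an authorised address, then via the included provider.
    print(check_host("192.0.2.44", "example.com"))        # pass
    print(check_host("2001:db8:1::5", "example.com"))     # pass (ip6 via include)
    # The same message relayed by a forwarder at an unlisted address.
    print(check_host("203.0.113.7", "example.com"))       # fail (-all)
    print(check_host("203.0.113.7", "softfail.example"))  # softfail (~all)
```

Note that the result is all SPF gives the receiver: nothing in the record says whether a "fail" should bounce, land in junk, or merely add weight to a spam score, and nothing tells the domain owner it happened.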

What DMARC does

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM. It adds three things SPF cannot provide on its own:

Alignment. DMARC requires that the domain in the visible From: header matches the domain that passed SPF (the MAIL FROM domain) or DKIM (the d= domain in the signature).

Policy enforcement. DMARC publishes a policy (p=none, p=quarantine, or p=reject) telling receivers what to do when authentication fails.

Reporting. DMARC aggregate (rua) and failure (ruf, also called forensic) reports give you visibility into who is sending email on behalf of your domain and whether it authenticates.

SPF vs DMARC: key differences

SPF authenticates the sending server's IP address against the MAIL FROM domain's record. DMARC ties authentication to the visible From: domain and defines what receivers should do when it fails.

SPF checks the MAIL FROM address used in the SMTP session. DMARC checks alignment between the authenticated domain and the visible From: header.

SPF has no built-in enforcement or reporting. DMARC adds both.

SPF alone cannot prevent visible From: header spoofing. DMARC closes this gap by requiring alignment to the From: domain.

Why SPF alone is not enough

SPF only validates the envelope sender (MAIL FROM) used in the SMTP session, not the visible From: header recipients see. An attacker can send from a domain whose SPF record authorises their server, pass SPF, and still put your domain in the From: header.

SPF fails during plain email forwarding, because the forwarder's IP is not authorised for the original MAIL FROM domain. Mailing lists usually rewrite MAIL FROM to their own domain instead, so SPF passes for the list but no longer aligns with the author's From: domain.

Without DMARC, there is no policy telling receivers to quarantine or reject messages that fail SPF. There are also no reports to help you detect spoofing or misconfigured senders.

How DMARC uses SPF

For DMARC alignment with SPF, the domain in the MAIL FROM address must match the domain in the visible From: header.

Relaxed alignment (the default, aspf=r) accepts a match on the organisational domain. A MAIL FROM domain of mail.example.com aligns with a From: header at example.com.

Strict alignment (aspf=s) requires an exact domain match: mail.example.com does not align with example.com.

DMARC passes if SPF passes with alignment OR if DKIM passes with alignment. Having both makes your email authentication more resilient: when one breaks (for example SPF after forwarding), the other can still carry the pass.
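The alignment rules from this section and the spoofing gap described under "Why SPF alone is not enough", worked as an added example (not code from the original page or from MXFend). It parses a DMARC record's p=, aspf= and adkim= tags, reduces domains to their organisational domain using a constructed subset of the Public Suffix List, and combines SPF and DKIM results the way a receiver does. All domains, records and results are hypothetical inputs; a real evaluator takes the SPF and DKIM results from its own checks and uses the full suffix list.

```python
# Constructed subset of the Public Suffix List, enough for the hypothetical
# domains below. A real implementation uses the full list (for example via
# the publicsuffix2 package) to find the organisational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def organizational_domain(domain):
    """Strip subdomains down to the registrable (organisational) domain."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a usable DMARC record: {record!r}")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Relaxed (r): organisational domains match. Strict (s): exact match."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record, from_domain, spf_result="none", mail_from_domain=None,
                   dkim_result="none", dkim_domain=None):
    """Combine SPF/DKIM results with alignment; return (dmarc_result, action).

    action is what the receiver should apply: "none" on pass, otherwise the
    record's p= value. pct= and sp= (subdomain policy) are ignored here.
    """
    tags = parse_dmarc(record)
    spf_aligned = (spf_result == "pass" and mail_from_domain is not None
                   and aligned(mail_from_domain, from_domain, tags["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


# Hypothetical records for the domain whose From: header is being protected.
RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
STRICT = "v=DMARC1; p=quarantine; aspf=s; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # 1. Third-party sender with its own bounce domain: SPF passes but does not
    #    align; the DKIM signature with d=example.com carries the pass.
    print(evaluate_dmarc(RELAXED, "example.com", "pass", "bounce.esp.example",
                         "pass", "example.com"))                 # ('pass', 'none')
    # 2. Same sender without DKIM: an SPF pass alone does not satisfy DMARC.
    print(evaluate_dmarc(RELAXED, "example.com", "pass", "bounce.esp.example"))  # ('fail', 'reject')
    # 3. Subdomain in MAIL FROM: aligned under relaxed, not under strict.
    print(evaluate_dmarc(RELAXED, "example.com", "pass", "mail.example.com"))    # ('pass', 'none')
    print(evaluate_dmarc(STRICT, "example.com", "pass", "mail.example.com"))     # ('fail', 'quarantine')
    # 4. Spoofed From: header sent from the attacker's own SPF-passing domain.
    print(evaluate_dmarc(RELAXED, "example.com", "pass", "attacker.example"))    # ('fail', 'reject')
```

Case 4 is the whole point of DMARC: the attacker's SPF record is valid for attacker.example, so SPF itself passes, but the domain that passed is not the one in the From: header, and the policy for example.com applies.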

DMARC policies explained

p=none — Monitoring only. Receivers take no DMARC-based action on failures (their normal spam filtering still applies) and send you reports. Use this to understand your sending infrastructure before enforcing.

p=quarantine — Receivers treat messages that fail DMARC as suspicious, which in practice means the spam or junk folder. Provides meaningful protection with reduced rejection risk.

p=reject — Receivers refuse messages that fail DMARC, normally with a 5xx response during the SMTP transaction, before delivery. This is the strongest protection against spoofing.

The recommended rollout is p=none first, then p=quarantine, then p=reject once you are confident all legitimate senders pass authentication. The pct= tag lets you apply quarantine or reject to a percentage of failing mail while you ramp up.

Should you implement SPF or DMARC first?

Implement SPF first. It is the quickest to deploy and immediately establishes which servers can send on your behalf. Publish it with ~all or -all; +all authorises every host on the internet.

Add DKIM second. It provides a cryptographic signature that survives forwarding as long as the forwarder does not modify the signed headers or body (mailing lists that add footers or rewrite the subject will break it), and it is usually the easiest way to get alignment for third-party senders that use their own bounce domain.

Add DMARC third, starting with p=none to collect aggregate reports. Review the reports to identify all legitimate senders, then move to p=quarantine and finally p=reject.

How to check SPF and DMARC

Use MXFend's SPF Checker to validate your SPF record, detect multiple records, dangerous mechanisms such as +all, and records that exceed the limit of 10 DNS lookups.

Use MXFend's DMARC Checker to verify your DMARC record exists and to check the policy level and alignment settings.

Run the MXFend Email Security Score for a complete audit covering SPF, DKIM, DMARC, blacklists, SMTP TLS, and more.
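The SPF checks named above (multiple records, dangerous all qualifiers, the 10-lookup limit), as an added example that is not MXFend's checker or any code from the original page. It lints records from a constructed zone of hypothetical domains; a real tool would fetch the TXT records (for example with dnspython) and pass them in the same shape. The lookup counter expands include chains because every include, a, mx, ptr, exists and redirect term reachable from your record counts toward the limit, which is how a tidy-looking record with three includes ends up in permerror.

```python
# Terms that each consume one of the 10 DNS lookups RFC 7208 allows per check.
# ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone (hypothetical domains, documentation addresses) in place of
# live DNS. Each value is the list of TXT records at that name.
ZONE = {
    "example.com": [
        "v=spf1 mx include:_spf.crm.example include:_spf.newsletter.example ~all",
        "v=spf1 ip4:192.0.2.10 -all",           # a second record: permerror
    ],
    "_spf.crm.example": ["v=spf1 a mx include:_spf.crm-backend.example -all"],
    "_spf.crm-backend.example": [
        "v=spf1 ip4:198.51.100.0/24 a:out1.crm.example a:out2.crm.example mx -all"],
    "_spf.newsletter.example": [
        "v=spf1 include:_spf.esp1.example include:_spf.esp2.example ptr ~all"],
    "_spf.esp1.example": ["v=spf1 ip4:203.0.113.0/24 a mx -all"],
    "_spf.esp2.example": ["v=spf1 a mx exists:%{i}._spf.esp2.example -all"],
    "openrelay.example": ["v=spf1 ip4:192.0.2.0/24 +all"],
}


def spf_records(domain, zone):
    """All TXT records at the name that claim to be SPF (there must be exactly one)."""
    return [r for r in zone.get(domain.lower(), []) if r.split()[0].lower() == "v=spf1"]


def term_name(term):
    """'include:x' -> 'include', 'redirect=x' -> 'redirect', 'a/24' -> 'a', '~all' -> 'all'."""
    t = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        t = t.split(sep, 1)[0]
    return t


def count_lookups(domain, zone, path=()):
    """DNS-querying terms reachable from the first record, include/redirect expanded.

    `path` holds the chain of names being expanded so an include loop stops;
    a name included from two different branches is still counted both times,
    as a receiver would evaluate it twice.
    """
    if domain in path:
        return 0
    records = spf_records(domain, zone)
    if not records:
        return 0
    count = 0
    for term in records[0].split()[1:]:
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue
        count += 1
        if name in ("include", "redirect"):
            target = term.split(":" if name == "include" else "=", 1)[1]
            count += count_lookups(target, zone, path + (domain,))
    return count


def lint_spf(domain, zone):
    """Return a list of findings for the domain's SPF setup (empty means clean)."""
    findings = []
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records published; receivers treat this as permerror")
    terms = records[0].split()[1:]
    all_term = next((t for t in terms if term_name(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get neutral, not fail")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' returns neutral for unlisted senders; use ~all or -all")
    if any(term_name(t) == "ptr" for t in terms):
        findings.append("'ptr' is deprecated by RFC 7208 and slow to evaluate")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10; receivers return permerror")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "openrelay.example", "_spf.esp1.example"):
        print(name, lint_spf(name, ZONE))
```

For example.com the lint reports two records and 17 lookups, even though the record itself names only two includes and an mx: the two provider includes pull in their own includes, a and mx terms. Fixing that means flattening to ip4/ip6 terms where a provider publishes stable ranges, or dropping senders that no longer send.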

Frequently asked questions

Can SPF work without DMARC?

Yes, but spoofing protection is incomplete. Without DMARC, there is no alignment check against the visible From: header and no enforcement policy.

Does DMARC require SPF?

DMARC works with SPF and/or DKIM. If at least one passes with alignment, DMARC can pass. Using both SPF and DKIM makes DMARC more resilient.

What happens if SPF passes but DMARC fails?

SPF may pass at the envelope level while failing DMARC alignment if the MAIL FROM domain does not match the From: header domain (or, under relaxed alignment, does not share its organisational domain). This is common with third-party senders that use their own bounce domain. DMARC requires alignment in addition to an SPF pass, so such senders usually need DKIM signing with your domain to pass.

Should I use p=reject?

Yes, once you have validated that all legitimate senders pass SPF or DKIM alignment. Start with p=none, move to p=quarantine, then use p=reject for maximum protection against spoofing.