HackMyIP

SPF, DKIM and DMARC Explained (How Email Authentication Works)

~/sheets/spf-dkim-dmarc-explained.md

The Three Checks That Prove an Email Is Real

SPF, DKIM and DMARC are the three standards that let a receiving mail server decide whether an email genuinely came from the domain it claims. They work together, but each answers a different question. None of them encrypt your message; they authenticate it, which is a separate job from transport encryption. You can run these checks on any domain with our Email Auth checker, and see the results inside a real message with the Email Header Analyzer.

SPF: Is the Sending Server Allowed?

SPF (Sender Policy Framework, defined in RFC 7208) lets a domain publish a DNS TXT record listing which mail servers are allowed to send email on its behalf. When a message arrives, the receiver compares the sending server's IP address against that list for the envelope return-path domain and records a pass or fail. SPF authenticates the sending server, not the contents of the message, and it checks the envelope sender (the return-path) rather than the From address you see.

DKIM: A Cryptographic Signature on the Message

DKIM (DomainKeys Identified Mail, RFC 6376) adds a cryptographic signature to the message in the DKIM-Signature header. The receiver verifies that signature against a public key the sending domain publishes in DNS. A DKIM pass proves two things: the signed parts of the message were not altered in transit, and the message was authorized by the domain that holds the signing key. Importantly, DKIM proves the message is tied to a domain, not the identity of an individual human, and like SPF it does not encrypt anything.

DMARC: Alignment Plus a Policy

DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) builds on top of SPF and DKIM. It requires that a passing SPF or DKIM result be aligned with the visible From domain, and it lets the domain owner publish a policy in DNS telling receivers what to do with mail that fails: p=none (monitor only), p=quarantine (treat as suspicious, often route to spam), or p=reject (block outright). A message can pass SPF or DKIM and still fail DMARC if neither passing check is aligned with the From domain.

How to Read an Authentication-Results Header

The Authentication-Results header (RFC 8601) is stamped by the receiving server and summarizes every check, with entries like spf=pass, dkim=pass and dmarc=pass, each paired with the domain it was evaluated against. For a legitimate message from a well-configured sender, all three usually pass. Because the header is added by the receiver, it is only trustworthy when it comes from a mail system you trust: an upstream hop can insert a forged copy, so a receiver should only believe the entry carrying its own authserv-id. This is why these three checks exist: the visible From line can be forged, but a verifiable signature and a published policy cannot.
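The following added example (not code from this page) ties the DMARC alignment rule above to the header format: it parses a constructed Authentication-Results header, then recomputes the DMARC verdict from the receiver's SPF and DKIM entries and the From domain. The organizational-domain helper is a simplification (last two labels); real evaluators consult the Public Suffix List.

```python
import re

# Constructed sample header, not taken from a real message.
SAMPLE_AR = ("mx.example.net; spf=pass (sender IP ok) smtp.mailfrom=bounce.news.example.com; "
             "dkim=pass header.d=example.com header.s=sel1; "
             "dmarc=pass header.from=example.com")


def parse_auth_results(header):
    """Split an RFC 8601 header into its authserv-id and one dict per method."""
    header = re.sub(r"\([^)]*\)", "", header)  # drop comments such as "(sender IP ok)"
    stanzas = [s.strip() for s in header.split(";") if s.strip()]
    authserv_id = stanzas[0].split()[0]  # the receiver that stamped the header
    entries = []
    for stanza in stanzas[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = {k.lower(): v for k, _, v in (t.partition("=") for t in tokens[1:])}
        entries.append({"method": method.lower(), "result": result.lower(), "props": props})
    return authserv_id, entries


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real
    evaluators use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def evaluate_dmarc(header, from_domain, policy="reject", aspf="r", adkim="r"):
    """Recompute the DMARC verdict from the receiver's spf/dkim entries.
    Returns (result, disposition): 'none' on pass, the p= value on fail."""
    _, entries = parse_auth_results(header)
    for e in entries:
        if e["result"] != "pass":
            continue  # only a passing identifier can satisfy DMARC
        if e["method"] == "spf":
            ident = e["props"].get("smtp.mailfrom", "").split("@")[-1]
            if ident and aligned(ident, from_domain, aspf):
                return "pass", "none"
        elif e["method"] == "dkim":
            ident = e["props"].get("header.d", "")
            if ident and aligned(ident, from_domain, adkim):
                return "pass", "none"
    return "fail", policy
```

Note that the sample passes SPF only in relaxed mode (bounce.news.example.com shares example.com as its organizational domain); with aspf=s it is the DKIM signature's d= that keeps the message aligned.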

Frequently Asked Questions

What is the difference between SPF, DKIM and DMARC?

SPF (RFC 7208) checks whether the sending server IP is authorized to send for the envelope sender domain using a DNS TXT record. DKIM (RFC 6376) adds a cryptographic signature that the receiver verifies against a public key in the sender domain DNS, proving the signed message was not altered and came from that domain. DMARC (RFC 7489) ties the two together by requiring alignment with the visible From domain and lets the domain owner publish a policy for what to do when checks fail.

What does SPF do in email?

SPF, the Sender Policy Framework defined in RFC 7208, lets a domain publish a DNS TXT record listing which mail servers may send on its behalf. When a message arrives, the receiver compares the sending IP against that list for the envelope return-path domain and records a pass or fail. SPF authenticates the sending server, not the message contents, and it does not encrypt anything.

What does DKIM pass mean?

A DKIM pass means the receiver verified the cryptographic signature in the DKIM-Signature header against the public key published in the sending domain DNS. This confirms the signed parts of the message were not modified in transit and that the message was authorized by the domain that owns the signing key. DKIM proves the message is tied to a domain; it does not prove the identity of the individual person and it does not encrypt the message.

How do I read an Authentication-Results header?

The Authentication-Results header (RFC 8601) is added by the receiving mail server and summarizes each check, typically showing entries like spf=pass, dkim=pass and dmarc=pass or fail, each paired with the domain it was evaluated against. Because this header is stamped by the receiver, it is only trustworthy when it comes from a mail system you trust, since forged upstream copies can be misleading.

What does a DMARC policy of p=none, quarantine or reject mean?

DMARC (RFC 7489) lets a domain owner publish a policy telling receivers how to handle mail that fails authentication and alignment. p=none means monitor only and take no action, usually just collecting reports; p=quarantine asks receivers to treat failing mail as suspicious and often route it to spam; and p=reject asks receivers to block failing mail outright. The policy applies only when neither SPF nor DKIM passes with proper alignment to the From domain.

Last updated: April 2026