
What is the relationship between SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC work together to verify that an email really comes from the domain it claims to and hasn’t been tampered with in transit. Here’s how each one contributes to email security:

1. SPF (Sender Policy Framework)

What SPF Does: SPF verifies that the email is coming from an authorized server for the domain it claims to be from.

How It Works:

  • SPF checks the Return-Path address (also called the envelope sender or MAIL FROM), which is the email address used by the sending server to handle bounce-backs and delivery issues.
  • Think of SPF as a guest list for a party. SPF ensures that the IP address of the sending server is on the list of approved servers for the domain.

Example: If the domain example.com has an SPF record allowing only certain IP addresses to send emails, SPF will check if the sending server’s IP address is on this list.
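The following is an added example, not code from this help center, that shows the check the paragraph above describes: an SPF record for example.com is parsed and the sending server’s IP address is tested against its allowed networks. The record itself is constructed for illustration, and only the ip4/ip6/all mechanisms are handled; mechanisms such as a, mx and include need DNS lookups and are rejected here rather than guessed at.

```python
import ipaddress

# Constructed sample record for example.com (not a real DNS lookup).
# It allows one /24, one single IPv4 host and one IPv6 range, and
# "-all" says every other sender should fail.
EXAMPLE_COM_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 -all"

# SPF qualifier prefix -> result the receiver records for a matching mechanism
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a v=spf1 record against the connecting server's IP.

    Returns one of the SPF results: 'pass', 'fail', 'softfail',
    'neutral' or 'permerror'. Only ip4, ip6 and all mechanisms are
    supported; anything needing DNS raises NotImplementedError so the
    caller never gets a misleading verdict.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"            # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"               # mechanisms default to '+' (pass on match)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()

        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"    # malformed network in the record
            # An IPv4 sender can never match an ip6 mechanism and vice versa.
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            # "all" always matches; its qualifier decides the default verdict.
            return QUALIFIER_RESULT[qualifier]
        else:
            raise NotImplementedError(f"mechanism needs DNS lookup: {term}")

    # RFC 7208: running off the end of the record without a match is neutral.
    return "neutral"


if __name__ == "__main__":
    for sender in ("192.0.2.45", "198.51.100.7", "2001:db8::1", "203.0.113.9"):
        print(sender, "->", evaluate_spf(EXAMPLE_COM_SPF, sender))
```

In a real receiver the record comes from a TXT lookup on the Return-Path domain and the IP from the SMTP connection; "-all" versus "~all" is the part domain owners most often get wrong, since a softfail alone does not block a forged message.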

2. DKIM (DomainKeys Identified Mail)

What DKIM Does: DKIM ensures that the email has not been altered in transit by adding a digital signature to the email’s headers.

How It Works:

  • DKIM acts like a wax seal on a letter, ensuring that the email’s content remains intact from sender to recipient.
  • The sender’s server creates a unique signature using a private key and adds it to the email headers.
  • The receiving server retrieves the public key from the DNS of the signing domain (the d= domain named in the signature, under the selector given by its s= tag) to verify that the signature matches and that the email hasn’t been changed.

Example: The email includes a DKIM signature in its headers. The receiving server uses the public key to check if this signature matches the content of the email, ensuring it hasn’t been tampered with.
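As an added example (not code from this help center), the block below performs the content-integrity half of the DKIM check described above: it parses the tag=value list of a DKIM-Signature header, works out where the public key would be fetched from (selector._domainkey.d-domain), and recomputes the body hash (the bh= tag) to detect a modified body. The message and signature header are constructed for illustration; the b= tag is a placeholder, because verifying it needs the RSA public key from DNS, which this example does not fetch.

```python
import base64
import hashlib


def parse_dkim_tags(header_value):
    """Parse 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376 section 3.4.3): CRLF line
    endings, all trailing empty lines removed, exactly one CRLF at the end."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """The value a signer puts in bh= for an rsa-sha256 signature."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_dns_name(tags):
    """DNS name the receiver queries for the public key (TXT record)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_unaltered(dkim_signature_value, body):
    """True when the body still matches the bh= the sender signed over."""
    tags = parse_dkim_tags(dkim_signature_value)
    return tags.get("bh") == body_hash(body)


# Constructed sample message body and signature header (assumed values).
ORIGINAL_BODY = "Hello,\r\n\r\nYour invoice for March is attached.\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    " b=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE"
)

if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_SIGNATURE)
    print("public key lookup:", dkim_dns_name(tags))
    print("intact:", body_unaltered(SAMPLE_SIGNATURE, ORIGINAL_BODY))
    tampered = ORIGINAL_BODY.replace("invoice", "refund request")
    print("tampered:", body_unaltered(SAMPLE_SIGNATURE, tampered))
```

Two things the example makes visible: the d= tag, not the visible From address, is the domain DKIM actually vouches for (which is why DMARC checks alignment between them), and simple canonicalization tolerates only extra blank lines at the very end of the body, so any other change is caught by the hash.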

3. DMARC (Domain-based Message Authentication, Reporting & Conformance)

What DMARC Does: DMARC combines SPF and DKIM and adds an extra layer of verification by ensuring that the email aligns with the domain it claims to be from.

How It Works:

  • DMARC checks if the domain in the "From" address matches the domain used in SPF (Return-Path) and DKIM (d= domain).
  • If at least one of SPF or DKIM passes with a domain that aligns with the "From" domain, DMARC considers the email authentic. If not, the receiver follows the policy the domain owner published on how to handle such emails (reject, quarantine, or none, which only monitors and reports).

Example: If an email’s "From" address is user@example.com, DMARC will check if this domain aligns with the domains used in SPF (Return-Path) and DKIM (d= domain). If everything matches, the email is trusted. If not, DMARC will enforce its policy on the email.
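To make the alignment rule concrete, here is an added example (not the help center’s own code) that evaluates DMARC for a message given the "From" domain, the SPF result and Return-Path domain, the DKIM result and d= domain, and the domain’s published DMARC record. The records and domains are constructed; the organizational-domain function is a simplification that takes the last two labels, whereas real implementations consult the Public Suffix List so that names like example.co.uk are handled correctly.

```python
def parse_dmarc_record(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real
    DMARC uses the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment matches on organizational domain;
    strict ('s') alignment requires an exact match."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(from_domain, dmarc_record, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    dmarc_result is 'pass' or 'fail'; disposition is what the receiver
    should do: 'none' (deliver), 'quarantine' or 'reject'.
    """
    policy = parse_dmarc_record(dmarc_record)
    if policy.get("v") != "DMARC1" or "p" not in policy:
        # No usable policy published: treat as no DMARC, so nothing is enforced.
        return "none", "none"
    # Each mechanism counts only if it passed AND its domain aligns with From.
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed sample policies (assumed, not real DNS records).
RELAXED_REJECT = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
STRICT_QUARANTINE = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

if __name__ == "__main__":
    # Legitimate mail: bounces go to bounce.example.com, DKIM d=example.com.
    print(evaluate_dmarc("example.com", RELAXED_REJECT,
                         "pass", "bounce.example.com", "pass", "example.com"))
    # Spoof attempt: SPF passes for the attacker's own Return-Path domain,
    # which does not align with the From domain, and DKIM is absent.
    print(evaluate_dmarc("example.com", RELAXED_REJECT,
                         "pass", "evil.example.net", "none", ""))
```

The second case is the one DMARC exists for: SPF alone is satisfied, because the attacker controls the Return-Path domain, yet the message is rejected because nothing that passed is aligned with the visible "From" domain.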

Summary

  • SPF checks if the sending server is authorized by looking at the Return-Path.
  • DKIM ensures the email’s content hasn’t been altered by using a digital signature.
  • DMARC ensures that the "From" domain aligns with the Return-Path domain (for SPF) or the DKIM d= domain, and tells receivers what to do when it doesn’t, adding an extra layer of protection.

Together, SPF, DKIM, and DMARC protect your domain from being spoofed by verifying that emails claiming to come from your domain really were sent by it.