Compare SPF, DKIM, and DMARC: what each email authentication standard checks, how they work together, and why they matter for deliverability.
Updated Jul 10, 2026
SPF, DKIM, and DMARC are email authentication standards that work together. SPF checks whether a sending server is allowed to send for a domain. DKIM verifies that the message was signed by the domain and was not changed in transit. DMARC tells receiving mail servers what to do when SPF or DKIM checks fail and gives domain owners reporting visibility.
| Standard | What it checks | What it protects against | What it does not do |
|---|---|---|---|
| SPF | Whether the sending server is authorized for the domain | Basic domain spoofing from unauthorized servers | Message tampering after send |
| DKIM | Whether the message has a valid cryptographic signature | Message modification and forged mail without a valid signature | Policy decisions for failed messages |
| DMARC | Whether SPF or DKIM aligns with the visible From domain | Spoofing of the visible sender domain | Authentication by itself without SPF or DKIM |
For product and transactional email, all three matter. SPF and DKIM help mailbox providers verify that a message is legitimate. DMARC adds the policy layer that tells receivers whether to monitor, quarantine, or reject messages that fail authentication. Courier can manage notification templates, routing, and provider orchestration, but the sending domain still needs correct SPF, DKIM, and DMARC records for reliable delivery.
SPF stands for Sender Policy Framework. It allows you to cache a list of authorized IP addresses that are allowed to send emails to your customers on your behalf.
When sending an email, the receiving end would mainly check for a published SPF record. When it detects an SPF record, it searches through the list of authorized addresses for the record. If a valid record exists, the validations are marked as "PASS." Otherwise, the email would be rejected and routed to the spam folder.
However, when used in isolation without DKIM and DMARC, it has some limitations.
PowerSPF, which allows you to optimize and simplify your SPF record to stay under the limit.Since SPF is limited in its ability to prevent domain spoofing on its own, implementing SPF alone does not provide any protection against email fraud. However, it can offer strong anti-spoofing protection when combined with DKIM and DMARC technology.
DKIM stands for Domain Keys Identified Mail. DKIM is a stronger authentication method than SPF since it uses public-key cryptography instead of IP addresses.
When using DKIM, a sender can attach DKIM signatures to email headers and validate them using a public cryptographic key found in the company's DNS record. The domain owner publishes the cryptographic key and configures it as a TXT record in its general DNS record.
Both DKIM and SPF can add a TXT record to the DNS. However, we must still generate a public and private key for DKIM protocols.
When a new email is sent through the outgoing mail server, the message header contains a private key for encrypting the email signature. The public key hash is stored in a DNS TXT record. The receiving party (incoming mail servers) then validates the email signature by decoding and comparing the public and private keys. If the values are the same, it won't be considered spam.
To help tell MBPs to know what to do if DKIM and SPF fail, senders can implement DMARC.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that uses SPF and DKIM to decide the authenticity of an email.
DMARC is very effective because it validates the sender of an email using both DKIM and SPF records. Furthermore, it assists mail systems in deciding what to do with messages sent from your domain that fails SPF or DKIM checks.
As mentioned, DMARC allows the domain owner to specify how MBPs should handle unauthenticated messages. Some pre-defined policies accomplish this.
If you want to use a DMARC record, you must first configure the SPF and DKIM protocols. Then, after a DMRAC test, you can basically cover up the followings.
If the validation fails, the necessary action is taken based on the policy defined in the DMARC record, and the generated report is sent to the respective email address.
Following the DMARC protocol is always recommended because it shows ISPs that you are an actual sender who is willing to take precautions to protect your identity and reputation. Not all ISPs offer support for all types of email validation. Here is a list of ISPs that support SPF, DKIM, and DMARC.

In this article, I introduced SPF, DKIM, and DMARC with their usage and compared them to each other. Understanding these 3 techniques will surely help you to get the most out of your email deliveries while protecting them against attacks.
FAQ
Keep exploring
One API, every channel
Courier gives you one API for email, SMS, push, and chat, with templates, routing, retries, and delivery logs built in.
Last updated Jul 10, 2026. Code samples are illustrative; provider APIs and pricing change over time, so check each provider’s docs before relying on them.
© 2026 Courier. All rights reserved.