DKIM or SPF — which one actually protects your email domain? If you’ve come across these terms and aren’t sure how they fit together, you’re not alone. In this blog, we break down what DKIM and SPF do, when to use each, and how combining them can strengthen your defenses against spoofing and email fraud.
Is it DKIM vs. SPF?
Should the battle really be DKIM vs. SPF? While not mandatory, it’s highly recommended to use both SPF and DKIM to protect your email domains from spoofing attacks and fraud while also increasing your email deliverability.
At a time when millions of corporate employees continue to work from home post-pandemic, email remains one of the most important communication tools for business. Unfortunately, it also happens to be one of the most profitable vectors for email crime networks. According to the 2023 FBI IC3 report, over $50 billion in losses across the globe has been attributed to BEC fraud over the decade from 2013 to 2022.
Email blacklisting can "cut off your access to new leads generated through surveys, activity on your website, and the lists of qualified leads offered by marketing service providers. Perhaps even worse, [it] can deny you access to loyal, long-time customers who value and crave the content you offer. Should this happen, you could lose your most valued customers. Depending on the platform that blacklists you, it could cost you a significant percentage of your regular revenue."
How Does Domain Spoofing Work?
In order to spoof an email, all a fraudster has to do is set up or compromise an SMTP server. From there, they can manipulate the ‘From’, ‘Reply-To’, and ‘Return-Path’ email addresses to make their phishing emails appear to be legitimate messages from the individual or brand they're impersonating.
This identity deception is made possible by the fact that SMTP, the Simple Mail Transfer Protocol used by email systems to send, receive, and relay outgoing mail, has no built-in mechanism for authenticating the addresses a message claims to come from.
Early email authentication standards such as S/MIME failed to gain enough traction to make much of a dent against this threat. But beginning in the mid-2000s, a pair of emerging email security standards started to succeed where other approaches failed — SPF and DKIM.
What Are DKIM and SPF?
What exactly are SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)? Both are essential email authentication standards that help prevent attackers from spoofing your domain to target customers, partners, and the public. To see why they matter, let’s break down how each one works, why using them together is more effective than relying on just one, and how to implement them correctly.
How Does DKIM Work?
DKIM uses asymmetric cryptography to give email senders a way to digitally sign all the outgoing email from a given domain and to publish the public key(s) needed to validate those signatures. This lets receiving email providers confirm that the signed headers and body have not been changed in transit. Learn more with our DKIM guide for setting it up. Once you do, use a tool to look up DKIM email records to ensure receiving email servers can locate your public key.
When an SMTP server receives an email carrying a DKIM-Signature header, it queries the signing domain's DNS for the TXT record that holds the public key. Using that key, the receiving server verifies that the signature was produced with the domain's private key and that the signed content was not altered, which is what ties the message to that domain.
If the check fails, or if the signature doesn't exist, the receiving email service provider might mark the email as spam or block the sender's IP address altogether. This makes it harder for fraudsters to make emails look like they came from your domain address.
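To make the verification steps above concrete, here is an added example (not code from the original post) of the first stage of DKIM verification: parsing the DKIM-Signature tag list, working out which DNS record the verifier must fetch, recomputing the body hash (bh=) with RFC 6376 relaxed canonicalization, and reporting a failure when the body was altered in transit. The selector, domain, message and key values are constructed for this example; the b= tag is a placeholder because checking the RSA signature over the headers needs an RSA library (such as dkimpy) and is deliberately not implemented here.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values (not from the original post).
SELECTOR = "sel2024"
DOMAIN = "example.com"
PLACEHOLDER_PUBKEY = "PLACEHOLDER_BASE64_RSA_PUBLIC_KEY"  # a real p= tag holds a base64 DER key


def dkim_record_name(selector: str, domain: str) -> str:
    """DNS TXT record name a verifier queries for the signer's public key."""
    return f"{selector}._domainkey.{domain}"


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list ('v=DKIM1; k=rsa; p=...') into a dict.
    Whitespace inside values (including folded-header line breaks) is dropped,
    which is how verifiers treat base64 tags such as p=, bh= and b=."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces/tabs to
    one space, strip trailing whitespace on each line, drop empty lines at the
    end of the body, and terminate a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str) -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_sample_message(body: str) -> str:
    """Assemble a constructed message whose DKIM-Signature carries the correct bh=.
    b= is a placeholder: the real RSA signature over the listed headers is computed
    by a signing library and checked against the published public key."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={DOMAIN}; s={SELECTOR}; "
           f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER_SIGNATURE")
    headers = [f"DKIM-Signature: {sig}", f"From: alerts@{DOMAIN}",
               "To: user@example.net", "Subject: Constructed test"]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def split_message(raw: str):
    """Split a CRLF message into a header dict (unfolded headers only) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers, body


def verify_body_hash(raw: str) -> dict:
    """First stage of DKIM verification: recompute bh= over the received body and
    compare it with the signer's value. Also returns the DNS name the verifier
    would query next for the public key."""
    headers, body = split_message(raw)
    if "dkim-signature" not in headers:
        return {"status": "none", "reason": "no DKIM-Signature header"}
    tags = parse_tag_list(headers["dkim-signature"])
    if tags.get("v") != "1" or not all(t in tags for t in ("d", "s", "bh", "b")):
        return {"status": "permerror", "reason": "malformed DKIM-Signature"}
    if not hmac.compare_digest(body_hash(body), tags["bh"]):
        return {"status": "fail", "reason": "body hash mismatch: body altered in transit?"}
    return {"status": "body-ok", "dns_query": dkim_record_name(tags["s"], tags["d"])}


if __name__ == "__main__":
    msg = build_sample_message("Your invoice is attached.\r\n")
    print(verify_body_hash(msg))
    print(verify_body_hash(msg.replace("is attached", "is overdue")))
```

A verifier that reaches "body-ok" then fetches the TXT record at the returned name, parses it with the same tag-list parser (`v=DKIM1; k=rsa; p=...`), and checks b= against the canonicalized headers listed in h=; only if that signature check also passes does the message get a DKIM pass.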
How Does SPF Work?
At its core, SPF lets email senders specify which IP addresses are allowed to send email for a given domain. For example, a domain owner can stipulate that only IP 5.6.7.8 may send email for @YourCompanyURLHere.com by publishing that policy as a TXT record in the domain's DNS. You can see which servers are authorized to send email for your domains by using a tool to look up SPF email records.
During an SPF check, receiving email servers query the DNS records associated with your sending domain to verify that the IP address used to send the email is listed in the SPF email record. If it isn't, the email will fail authentication — helping to weed out malicious emails attempting to exploit the associated domain.
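The following is an added example (not code from the original post) of the SPF check described above: a small evaluator that reads a `v=spf1` record from an in-memory DNS table and decides whether a connecting IP is authorized. It handles the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers and enforces the RFC 7208 limit of ten DNS-querying terms, which is the check that catches the looping or over-long records that break SPF in practice. The domain names, IP addresses and records in `FAKE_DNS` are constructed for the example; `a`, `mx` and other mechanisms are deliberately left out.

```python
import ipaddress

# Constructed in-memory zone standing in for real TXT lookups (not from the post).
FAKE_DNS = {
    "yourcompany.example": "v=spf1 ip4:5.6.7.8 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "looping.example": "v=spf1 include:looping.example -all",  # self-referential record
}

MAX_DNS_LOOKUPS = 10  # RFC 7208: at most 10 DNS-querying terms (include, a, mx, ...)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip: str, domain: str, dns: dict, _budget=None) -> str:
    """Evaluate the SPF record of `domain` for `client_ip`.

    Returns an RFC 7208 result: pass, fail, softfail, neutral, none or permerror.
    Only ip4, ip6, include and all are implemented in this example."""
    ip = ipaddress.ip_address(client_ip)
    if _budget is None:
        _budget = [MAX_DNS_LOOKUPS]  # shared across include recursion
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"  # too many DNS lookups
            inner = check_spf(client_ip, arg, dns, _budget)
            if inner in ("permerror", "none"):
                return "permerror"  # RFC 7208 5.2: included domain must have a record
            matched = inner == "pass"  # include matches only when the inner check passes
        else:
            return "permerror"  # mechanism not supported by this example

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


if __name__ == "__main__":
    for ip in ("5.6.7.8", "2001:db8::1", "198.51.100.9"):
        print(ip, "->", check_spf(ip, "yourcompany.example", FAKE_DNS))
```

Note that `-all` yields a hard fail while `~all` yields a softfail; receivers generally treat a softfail as a hint rather than a rejection, so a domain that wants spoofed mail blocked needs `-all` (or a DMARC policy on top of SPF, as the next section describes).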
DKIM vs. SPF: Which Should You Use — or Do You Need Both?
Ultimately, this isn't an either/or proposition; it's a "better together" scenario. That's because SPF and DKIM address two integral but distinct problems in email security. SPF confirms whether an email purporting to come from your company was in fact sent from one of your authorized IP addresses, and DKIM confirms that the email wasn't forged or altered on its way to the intended recipient. The truth is they are more like frenemies than enemies.
But it's also important to note that whether they're used on their own or together, DKIM and SPF do not provide a complete solution for email authentication. For that, we'll need to add an additional acronym to the conversation: DMARC.
How Does DMARC Work with Both Protocols?
First introduced in 2012, DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM by adding a policy and reporting layer.
With DMARC, organizations can publish policies that tell receiving mail servers how to handle messages that fail authentication checks. It ties SPF and DKIM to domain alignment, requiring that the domain which passed SPF or DKIM matches the domain in the From header that users see in their inbox. A message passes DMARC if either SPF or DKIM passes with alignment; when neither does, DMARC tells the receiving server what to do: take no action (p=none), send the message to spam (p=quarantine), or reject it outright (p=reject).
Publishing a DMARC record in DNS is relatively straightforward. However, scaling DMARC across multiple domains — especially in large organizations — can quickly become complex. Managing SPF, DKIM, and DMARC together often requires careful coordination, visibility into email traffic, and ongoing monitoring.
That’s where dedicated email security and DMARC management solutions can help. By automating authentication, reporting, and policy enforcement, these tools make it easier to move toward stronger protections. Organizations that fully implement DMARC enforcement often see a significant reduction in domain spoofing and phishing attempts.
For example, one large enterprise organization strengthened its policy to p=quarantine, directing failed messages to spam rather than the inbox. This helped mitigate suspicious traffic originating from untrusted sources and low-reputation IP addresses. With further enforcement (p=reject), such messages can be blocked entirely before delivery.
Additionally, newer standards like BIMI (Brand Indicators for Message Identification) build on DMARC enforcement. BIMI allows organizations to display verified brand logos alongside authenticated emails in supported inboxes — enhancing brand visibility while giving recipients an added signal of trust.
Generate Your DMARC Record or Look Up SPF & DKIM Records
Fortra makes it easy to check your DKIM and SPF records using our free lookup tools. You can also review your DMARC policy or generate a new record in just a few steps.