Move from explanation to action with the matching DomainCheck.co.uk tools for this topic.
Confirm the domain is resolving cleanly before troubleshooting email delivery.
Useful when auditing email-related domains across many records or assets.
Escalate when email setup touches DNS, registrar access, and live business mail.
SPF, DKIM, and DMARC are often discussed together, but they are not interchangeable. Each one answers a different question. SPF asks whether a server is allowed to send mail. DKIM asks whether the message was signed and preserved. DMARC asks what to do if the authentication story does not line up. This article exists separately because readers frequently search for the comparison before they know the individual terms. It gives them a single place to understand the relationship between the three standards, while the separate beginner guides can go deeper into each one without repeating the full comparison every time.
If you are trying to set up business email correctly, SPF, DKIM, and DMARC are the three DNS records you are most likely to hear about. They are related, but they do different jobs.
The simplest way to think about them is this:
That summary is useful, but the details matter because mail providers do not treat the three records as duplicates. A setup that only has SPF may still be weak. A setup with DKIM but no DMARC may still be spoofable. A DMARC policy without working SPF or DKIM may break legitimate mail.
SPF stands for Sender Policy Framework. It is a DNS record that lists the servers or services allowed to send email for your domain.
If a message comes from a server that is not on the SPF list, the receiving mail system can treat that as suspicious. SPF is useful because it makes it harder for someone to send mail from your domain using an unauthorised server.
SPF has limits, though. It checks the sending path rather than the content of the message. If email is forwarded, the SPF result can change. SPF also cannot tell the recipient whether the content was altered after it left the sender.
DKIM stands for DomainKeys Identified Mail. It signs the message using a private key and lets the recipient verify the signature with a public key in DNS.
The value of DKIM is that it covers the message itself, not just the sending server. If the content changes in a way that breaks the signature, the check fails. That gives the recipient another trust signal.
DKIM is especially helpful when an email passes through multiple systems on the way to the inbox. In some cases, SPF can fail through forwarding or relay systems, while DKIM still passes if the signed content is preserved.
DMARC sits on top of SPF and DKIM. It does two jobs:
That makes DMARC more than a technical check. It is also a policy statement. The domain owner is saying how strictly unauthorised mail should be handled.
DMARC is the record that lets a business move from “we have some authentication” to “we have an enforceable authentication policy.”
In a healthy setup, SPF and DKIM provide the evidence, and DMARC interprets that evidence.
For example, if your marketing platform sends email on your behalf, you might authorise it in SPF and sign its messages with DKIM. DMARC then checks whether either of those methods passed and whether the authenticated domain aligns with the From: domain the recipient sees.
If only one of SPF or DKIM passes, that may still be enough for DMARC, depending on alignment. If neither passes, DMARC can tell the recipient to quarantine or reject the message, depending on your policy.
That is why setting all three up properly matters. They are not three copies of the same thing. They are three layers in the same trust system.
| Standard | Main job | Lives in DNS? | Helps with spoofing? | Policy or evidence? |
|---|---|---|---|---|
| SPF | Lists allowed senders | Yes | Somewhat | Evidence |
| DKIM | Signs the message | Yes | Somewhat | Evidence |
| DMARC | Defines how to handle failures | Yes | Strongly, when enforced | Policy |
That table is intentionally simplified. Real-world delivery depends on the mailbox provider, message content, sender reputation, and many other signals. But as a starting point, it is accurate enough to help you reason about setup.
Start with SPF and DKIM. DMARC is harder to use well until those two are in place.
Add DMARC once the sending systems are mapped and the records are stable.
Check authentication, alignment, and DNS copies before assuming the inbox provider is the only issue.
Inventory every sender first so you do not break a hidden system when you tighten policy.
If you can only think about one at a time, start with SPF and DKIM. They are the building blocks. Without them, DMARC has very little to work with.
If you already have SPF and DKIM in place, DMARC is usually the next important step because it turns authentication into a policy. That is especially true for organisations that send customer communications from a branded domain.
If you are receiving email for a business domain, DMARC also helps protect your brand from being used by others. That can matter even if you do not send much mail yourself.
One common misunderstanding is that SPF, DKIM, and DMARC all do the same thing. They do not. That confusion often leads to partial setup and false confidence.
Another misunderstanding is that a pass result means the email is safe. It does not. Authentication can tell you that the message came through a permitted path and was signed correctly, but it cannot tell you whether the sender was malicious, whether the account was compromised, or whether the content is fraudulent.
Another problem is assuming providers enforce the rules identically. They do not. Different mailbox providers can treat borderline cases differently, especially when forwarding, aliases, or third-party senders are involved.
SPF and DKIM provide evidence. DMARC turns that evidence into a policy. If one layer is missing, the whole system is weaker.
For most businesses, the sensible order is:
That is a practical route because it reduces the chance of blocking good mail. It also gives you time to identify forgotten senders such as billing tools, marketing platforms, support systems, or website forms.
| Stage | What to check | Why it matters |
|---|---|---|
| Before changes | List every sender | Prevents hidden services from breaking |
| During setup | Confirm DNS records | Stops syntax and zone mistakes |
| After rollout | Review reports and deliverability | Shows whether policy is too strict or too loose |