SPF and DKIM are two pillars of email authentication that fight spoofing in different ways. SPF (Sender Policy Framework) is a DNS record listing which mail servers are allowed to send for your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to each message proving it wasn't altered and really came from your domain.
Neither is sufficient alone. SPF checks the sending server; DKIM checks the message itself. Together they give receiving servers two independent ways to trust your mail — and they're the foundation DMARC builds on.
At a glance
Aspect
SPF
DKIM
Verifies
Authorized sending servers
Message integrity and origin
Mechanism
DNS TXT record of allowed IPs
Cryptographic signature + public key
Survives forwarding
Often breaks
Usually survives
What it checks
The envelope sender path
The message content and header
Setup
One DNS TXT record
Key pair + DNS record + signing
When to use SPF
You want to declare which servers may send for your domain.
You're setting up basic sender authentication quickly.
You need the first layer receivers check.
When to use DKIM
You want cryptographic proof a message wasn't tampered with.
You need authentication that survives forwarding.
You're hardening your domain against spoofing.
Verdict
This isn't an either/or — deploy both, then add DMARC to tie them together. SPF alone breaks on forwarding and doesn't protect message content; DKIM alone doesn't restrict sending servers. With both in place and aligned, DMARC can tell receivers what to do when authentication fails. Use a DNS lookup tool to confirm each record is published correctly.