SPF vs DKIM

SPF and DKIM are two pillars of email authentication that fight spoofing in different ways. SPF (Sender Policy Framework) is a DNS record listing which mail servers are allowed to send for your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to each message proving it wasn't altered and really came from your domain.

Neither is sufficient alone. SPF checks the sending server; DKIM checks the message itself. Together they give receiving servers two independent ways to trust your mail — and they're the foundation DMARC builds on.

At a glance

AspectSPFDKIM
VerifiesAuthorized sending serversMessage integrity and origin
MechanismDNS TXT record of allowed IPsCryptographic signature + public key
Survives forwardingOften breaksUsually survives
What it checksThe envelope sender pathThe message content and header
SetupOne DNS TXT recordKey pair + DNS record + signing

When to use SPF

  • You want to declare which servers may send for your domain.
  • You're setting up basic sender authentication quickly.
  • You need the first layer receivers check.

When to use DKIM

  • You want cryptographic proof a message wasn't tampered with.
  • You need authentication that survives forwarding.
  • You're hardening your domain against spoofing.

Verdict

This isn't an either/or — deploy both, then add DMARC to tie them together. SPF alone breaks on forwarding and doesn't protect message content; DKIM alone doesn't restrict sending servers. With both in place and aligned, DMARC can tell receivers what to do when authentication fails. Use a DNS lookup tool to confirm each record is published correctly.

Frequently asked questions

Related free tools