How do SPF, DKIM, and DMARC work together

DMARC is an anti-spoofing framework that relies on two other email authentication mechanisms, SPF and DKIM. DMARC compliance requires at least one of these mechanisms to pass.

Requirements for deploying DMARC, SPF & DKIM:

  • Access to your public DNS
  • Email gateway outbound DKIM signing option
  • Email gateway admin panel access

All three frameworks are published in your DNS, while DKIM requires additional steps on the email gateway.

When an email is sent and reaches the recipient's mail server, that server performs several queries against your DNS. These include the following:

  • SPF authentication: is this email originating from an IP address that has been authorized by the email sender?
  • DKIM authentication: is this email digitally signed by the email sender?
  • DMARC alignment and policy: the DMARC alignment step further verifies the SPF & DKIM authentication results by matching the From domain to the return path, and based on these results, the DMARC policy is applied.
    • If the email failed both SPF & DKIM authentication, then the DMARC policy is applied to the email (none, quarantine or reject).
    • If any mechanism passes (SPF and/or DKIM), then the email lands in the inbox folder.


After the recipient’s mail server has performed the queries, completed the authentication checks, and applied the relevant action to the email (whether to accept, mark as spam or reject the email), it then sends an aggregate report back to an address assigned by the email sender.

The DMARC record (in your public DNS) specifies which email address your recipients should send the report to. This DMARC aggregate report includes:

  • The number of emails the recipient got from your domain.
  • The IP addresses from which your emails originated.
  • The result of the SPF & DKIM authentication.
  • The action they applied to your emails.
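
The four items above can be pulled out of an aggregate report with a few lines of Python. This is an added example, not part of the original page: the element names follow the aggregate report XML format defined in RFC 7489, and the sample report (example.com, documentation IP ranges, counts) is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report: example.com and documentation IP ranges, not real data.
# Real reports come from third parties, so handle them as untrusted input.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>198.51.100.7</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>203.0.113.55</source_ip><count>15</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def parse_rows(report_xml):
    """Extract count, source IP, SPF/DKIM result and action from every <row>."""
    rows = []
    for row in ET.fromstring(report_xml).iterfind("record/row"):
        rows.append({
            "ip": row.findtext("source_ip", "unknown"),
            "count": int(row.findtext("count", "0") or 0),
            "spf": row.findtext("policy_evaluated/spf", "missing"),
            "dkim": row.findtext("policy_evaluated/dkim", "missing"),
            "disposition": row.findtext("policy_evaluated/disposition", "missing"),
        })
    return rows


def summarize(rows):
    """Total volume, volume per applied action, and sources failing both checks."""
    dispositions, failing_both = Counter(), Counter()
    for r in rows:
        dispositions[r["disposition"]] += r["count"]
        if r["spf"] != "pass" and r["dkim"] != "pass":
            failing_both[r["ip"]] += r["count"]  # spoofing, or a sender you forgot to authorize
    return {"total": sum(r["count"] for r in rows),
            "dispositions": dict(dispositions),
            "failing_both": dict(failing_both)}


if __name__ == "__main__":
    print(summarize(parse_rows(SAMPLE_REPORT)))
```

Sources listed under `failing_both` are the ones to review first: each is either mail spoofing your domain or a legitimate sender that still needs SPF authorization or DKIM signing.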