6 Min Read
Email images on a blue background

It’s not wise to compare DMARC vs. DKIM. They’re both authentication protocols used to validate emails, prevent spoofing, and safeguard your email domain.

But that’s where the similarities end. While both protocols use public key cryptography, each uses a different method to validate your email flow. These security mechanisms aren’t meant to upstage each other. 

Have you read our blog post:t DKIM vs. SPF vs. DMARC? If not, you may be wondering how these three email authentication standards work together.

In this post, we dive into DKIM vs. DMARC and why they’re both necessary to protect your domain.

What is DKIM?

DKIM stands for Domain Key Identified Mail. This authentication method verifies the origin and validity of an email using public cryptography. 

With DKIM, every email is signed with a digital DKIM signature created using a private cryptographic key to reflect its authenticity.  

The receiving server checks if the matching public key is listed in the sending domain’s DKIM record. If the key is valid, the receiving server authenticates the message as legitimate and unaltered before delivering it to the intended recipient. 

When you set up DKIM and create a DKIM record, you’re adding a layer of benefits to protect your domain, such as the ones listed below: 

  • Increase the trust and reputation of your brand. 
  • Help your recipients identify and trust your emails. This, in turn, can increase your click-through rates, conversion rates, and sales.
  • Protect your domain against any malicious senders trying to use your domain in spoofed emails.
  • Help to receive servers mark any fraudulent emails as “bad” and possibly send complaints to your ISPs.
  • Fight spam since you’re a verified sender on all your emails (not just a third party claiming to be you). Spam filters are more likely to block spam emails posing as your domain.

Can DKIM Function Without DMARC?

The short answer is yes. With DKIM, your email server applies a digital signature to all outgoing messages, proving that your emails originate from you. The receiving server verifies the digital signature using the matching public key in your DKIM record.

DKIM allows you to sign every email you send digitally. This identifier won’t be present on fraudulent emails. If a malicious sender spoofs your domain in a fake email, the receiving server will reject it (since it won’t have a valid DKIM signature).

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s an authentication method that leverages SPF and DKIM to verify your messages and send reports detailing how your messages fare before the spam filters used by most ESPs. 

When discussing DMARC vs. DKIM vs. SPF, you can’t put one over the other. Proper DMARC compliance can’t be achieved without DKIM or SPF.

DKIM can work without SPF (and vice versa), but DMARC without DKIM or SPF isn’t recommended. Essentially, DMARC determines whether emails should be delivered to their intended recipients and how they should be handled 

A DMARC record contains detailed instructions telling the receiving servers what to do with emails sent on behalf of your domain should they pass or fail SPF and DKIM checks. 

DMARC authentication is based on three policies that need to be gradually configured as you increase your email flow. These policies are:

  • p=none: States no action is to be taken by the receiver; the email is delivered as usual. It’s the basic setup of DMARC, and it can send many messages right through the inbox without verification.
  • p=quarantine: Blocks messages based on how SPF and DKIM are configured. Any messages failing authentication here are sent to spam folders. 
  • p=reject: Designed to block messages that failDMARC, SPF, and DKIM authentication. 

When an email passes SPF authentication, the sender is authorized to send emails on behalf of the domain according to the SPF record. 

When an email passes DKIM authentication, it means the email’s DKIM signature matches the public key in the domain’s DKIM record.

When an email passes DMARC authentication, it means SPF and/or DKIM checks passed, and SPF and/or DKIM alignment passed. 

Alignment means the return-path address (for SPF) and/or the DKIM address (for DKIM) match the From: address in an email.

As such, only emails that pass SPF and/or DKIM checks and DMARC verification make it to the recipient’s inbox.

Can DMARC Function Without DKIM?

Technically, yes. A barebones DMARC configuration can function without DKIM, though it’s not recommended. DKIM keeps DMARC-authenticated false negatives to a minimum while providing an extra layer of security.

What’s the Difference Between DKIM and DMARC?

DKIM and DMARC do very different things that complement each other in the closed echo chamber of a single domain. While it’s true that both DKIM and DMARC rely on the use of cryptographic keys to authenticate legitimate senders, that’s where all similarities stop. Here are some of the key differences between DKIM vs. DMARC:

  • DMARC generates a report each time a message fails authentication.
  • DKIM uses digital signatures to verify legitimate senders. 
  • DKIM is solely an authentication method, while DMARC generates aggregate reports to help fine tune your email strategy.
  • DKIM allows receiving servers to verify the digital signature on all your emails. 
  • With DMARC, you see when a receiving server verifies your domain and marks the message as legitimate on each report.

What Does SPF Add to Email Authentication?

SPF stands for Sender Policy Framework, an email authentication method. SPF works with DKIM and DMARC, adding a layer of security to your email authentication. With SPF, you can indicate all sending sources (IP addresses or third-party vendors) authorized to send messages on behalf of your domain. When an email is sent, the receiving server uses the SPF record to match it against the sending domain.

When bad actors exploit your domain, the receiving server fails SPF as the sender isn’t authorized. As such, email is either sent to spam or rejected entirely.

By using SPF and DKIM together, you can help protect your domain from malicious senders. 

SPF blocks fraudulent emails instantly and keeps your domain reputable. Of course, this system works better with a fully configured DMARC policy. By using SPF and DKIM together under DMARC, you can prevent malicious senders from using your domain.

Final Thoughts

Email authentication protocols have made significant strides in the fight against spam and malicious senders. But to protect your domain and recipients, you’ll need to implement SPF vs. DKIM vs. DMARC

If you’re starting with your email domain’s security framework, keep in mind that all three protocols are essential. 

Ready to authenticate and secure your domain in no time? At EasyDMARC, we’re happy to help!

Various authors from EasyDMARC teams have contributed to our blog during company's lifetime. This author brings everyone together.


Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us