DKIM vs DMARC: What's the Difference?
Understand the difference between DKIM and DMARC, how they work together, and why you need both for email authentication.
DKIM and DMARC are both email authentication standards, but they do different jobs. DKIM lets a domain cryptographically sign a message so receivers can verify that it was not altered in transit and which domain vouched for it. DMARC ties the SPF and DKIM results to the domain in the visible From address and tells receivers what to do when that check fails. You need both for proper email security.
Quick Comparison
| | DKIM | DMARC |
|---|---|---|
| **What it does** | Signs emails with a cryptographic key | Sets policy for authentication failures and requires the authenticated domain to align with the From domain |
| **DNS record type** | TXT (at `selector._domainkey.domain`) | TXT (at `_dmarc.domain`) |
| **Protects against** | Message tampering, and unauthorized use of the signing domain | Spoofing of the visible From domain |
| **Works alone?** | Yes, but limited protection | No — requires SPF and/or DKIM |
| **Sends reports?** | No | Yes (aggregate reports via `rua=`, failure/forensic reports via `ruf=`) |
| **Receiver action** | Verify signature, factor into spam scoring | Quarantine, reject, or allow based on policy |
How DKIM Works
DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email. The receiving server checks this signature against a public key published in your DNS.
The process:
- Your mail server signs outgoing email with a private key
- The signature is added as a `DKIM-Signature` header
- The receiving server looks up your public key via DNS (the `s=` and `d=` tags in the signature say where)
- It verifies the signature matches the email content
- If the signature is valid, DKIM passes
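The signing and verification steps above, carried out end to end. This is an added example, not code from the page or from any mail library: the RSA key generation and PKCS#1 v1.5 signing are textbook stand-ins written for this example, the DNS lookup is a dict keyed by `selector._domainkey.domain`, and the `p=` value stores the modulus and exponent directly rather than the DER-encoded key a real record carries. Canonicalization follows the relaxed rules of RFC 6376. The domains `yourcompany.com` and `attacker.com`, the selectors `s1` and `k1`, and the message contents are all constructed.

```python
import base64
import hashlib
import random
import re
import secrets

def canon_body(body: str) -> bytes:
    """RFC 6376 relaxed body: collapse SP/TAB runs, strip trailing WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def canon_header(name: str, value: str) -> str:
    return f"{name.lower()}:{' '.join(value.split())}\r\n"   # relaxed: lowercase name, unfold, collapse WSP

def _tags(value: str) -> dict:
    return dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())   # "k=v; k=v" tag lists

def _is_probable_prime(n: int, rounds: int = 32) -> bool:   # Miller-Rabin; callers pass odd n > 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def rsa_keygen(bits: int = 1024):
    """Toy textbook RSA key pair with e = 65537 (production code uses a crypto library)."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1            # full length, odd
            if _is_probable_prime(c):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    while p == q or (p - 1) * (q - 1) % 65537 == 0:                 # e is prime, so this gives gcd(e, phi) = 1
        q = prime(bits // 2)
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))   # (public, private)

def _em(msg: bytes, n: int):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg); returns (modulus length in bytes, encoded message)."""
    k = (n.bit_length() + 7) // 8
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return k, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, msg: bytes) -> bytes:
    n, d = priv
    k, em = _em(msg, n)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, msg: bytes, sig: bytes) -> bool:
    n, e = pub
    k, em = _em(msg, n)
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == em

def dkim_txt_record(pub) -> str:
    """TXT value for selector._domainkey.domain; p= holds modulus||exponent here (a real record holds DER SPKI)."""
    n, e = pub
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")).decode()

def _signed_data(headers, sig_value: str) -> bytes:
    data = "".join(canon_header(n, v) for n, v in headers)          # h= headers in order, then the
    return (data + canon_header("DKIM-Signature", sig_value).rstrip("\r\n")).encode()   # signature, b= empty, no CRLF

def dkim_sign(headers, body: str, domain: str, selector: str, priv) -> str:
    """Return the DKIM-Signature header value; `headers` are (name, value) pairs in h= order."""
    bh = base64.b64encode(hashlib.sha256(canon_body(body)).digest()).decode()
    value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(n for n, _ in headers)}; bh={bh}; b=")
    return value + base64.b64encode(rsa_sign(priv, _signed_data(headers, value))).decode()

def dkim_verify(headers, body: str, sig_value: str, dns: dict) -> bool:
    tags = _tags(sig_value)
    if tags.get("bh") != base64.b64encode(hashlib.sha256(canon_body(body)).digest()).decode():
        return False                                                # body changed after signing
    txt = dns.get(f"{tags['s']}._domainkey.{tags['d']}")            # public-key lookup; a dict stands in for DNS
    if txt is None:
        return False                                                # no key at that selector
    raw = base64.b64decode(_tags(txt)["p"])
    pub = (int.from_bytes(raw[:-4], "big"), int.from_bytes(raw[-4:], "big"))
    by_name = {n.lower(): (n, v) for n, v in headers}               # assumes one field per name (constructed mail)
    signed = [by_name[h] for h in (n.lower() for n in tags["h"].split(":")) if h in by_name]
    unsigned = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)        # blank b= before rebuilding the hash input
    return rsa_verify(pub, _signed_data(signed, unsigned), base64.b64decode(tags["b"]))

def demo() -> dict:
    """Constructed mail: yourcompany.com signs it; attacker.com signs a copy with its own key."""
    (pub, priv), (apub, apriv) = rsa_keygen(), rsa_keygen()
    dns = {"s1._domainkey.yourcompany.com": dkim_txt_record(pub), "k1._domainkey.attacker.com": dkim_txt_record(apub)}
    headers = [("From", "CEO <ceo@yourcompany.com>"), ("To", "staff@yourcompany.com"), ("Subject", "Q3 numbers")]
    body = "Please review the attached figures.\r\n"
    sig = dkim_sign(headers, body, "yourcompany.com", "s1", priv)
    spoof = dkim_sign(headers, body, "attacker.com", "k1", apriv)   # same From header, attacker's d= and key
    return {"genuine": dkim_verify(headers, body, sig, dns),
            "body_tampered": dkim_verify(headers, body + "Wire the deposit today.\r\n", sig, dns),
            "subject_tampered": dkim_verify(headers[:2] + [("Subject", "URGENT")], body, sig, dns),
            "spoof_signed_by_attacker": dkim_verify(headers, body, spoof, dns)}   # passes: d= is attacker.com
```

The verifier checks the body hash first (cheap, and it catches most transit damage), then fetches the key named by `s=` and `d=`, rebuilds exactly the bytes the signer hashed, and only then does the RSA operation. The last case in `demo()` is the point the next sections turn on: a signature under `attacker.com` verifies perfectly even though the From header claims `yourcompany.com`, because DKIM never compares the two.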
What DKIM proves:
- The domain in the signature's `d=` tag took responsibility for the message
- The body and the headers listed in the signature's `h=` tag have not been modified since signing
What DKIM doesn't do:
- It doesn't tell receivers what to do if DKIM fails
- It doesn't require the signing domain (`d=`) to match the visible From address, so on its own it doesn't prevent From spoofing
- It doesn't generate reports about authentication results
Check your DKIM setup with DKIM Test.
How DMARC Works
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on top of SPF and DKIM. It connects authentication results to the domain in the visible From address and tells receivers how to handle failures.
The process:
- The receiving server checks SPF and DKIM as usual
- DMARC checks whether a passing SPF or DKIM result aligns with the domain in the visible From header
- If neither aligns, the email fails DMARC
- The receiver applies the policy you've set (`p=none`, `p=quarantine`, or `p=reject`)
- The receiver sends aggregate reports to the address in your `rua=` tag (and failure reports to `ruf=`, if you publish one)
What DMARC proves:
- The From address domain is accountable for the message (via alignment)
- You have published a policy for handling email that fails authentication
- You receive reports, so you can see who is sending as your domain
What DMARC requires:
- At least one of SPF or DKIM must pass and align with the From domain
- A published DMARC record with a policy
The Alignment Gap
This is the key reason DKIM alone isn't enough.
A DKIM signature can be made under any domain the signer controls; nothing in DKIM ties the `d=` domain to the From header. An attacker could:
- Set up DKIM for `attacker.com`
- Send an email with `From: ceo@yourcompany.com`
- Sign it with their own DKIM key for `attacker.com`
- DKIM passes (the signature is valid for `attacker.com`)
The recipient sees it's "from" your CEO, and DKIM passed. But the DKIM domain (attacker.com) doesn't match the From domain (yourcompany.com).
DMARC catches this because it checks alignment: the DKIM signing domain (`d=`) must share the From domain's organizational domain under relaxed alignment (`adkim=r`, the default), or match it exactly under strict alignment (`adkim=s`). SPF alignment works the same way, comparing the envelope MAIL FROM domain with the From domain. Without an aligned pass, the email fails DMARC regardless of whether DKIM technically passed.
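The DMARC evaluation from the process list above and the alignment gap just described, as an added example (not code from the page or from any library). The record lookup is a dict keyed by `_dmarc.domain`, the organizational-domain computation uses a four-entry stand-in for the Public Suffix List, `pct=` sampling is not applied, and every domain, record and authentication result is constructed. It goes a little beyond the text by also covering the `sp=` subdomain policy and strict (`adkim=s`) alignment.

```python
from dataclasses import dataclass

_PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}   # stand-in for the Public Suffix List (assumption)

def org_domain(domain: str) -> str:
    """Organizational domain: the public suffix plus one more label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in _PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict): exact match. 'r' (relaxed, the default): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(txt: str) -> dict:
    """Pull the policy tags out of a _dmarc TXT record (pct= sampling is ignored here)."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if t.strip())
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    return {"p": tags["p"], "sp": tags.get("sp", tags["p"]),
            "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

@dataclass
class AuthResults:
    """What the receiver already knows when DMARC runs."""
    from_domain: str           # domain of the visible From header (RFC5322.From)
    spf_result: str            # "pass", "fail", "none", ...
    spf_domain: str            # envelope MAIL FROM domain that SPF was evaluated against
    dkim: list                 # [(result, d= domain), ...], one per DKIM-Signature

def evaluate_dmarc(auth: AuthResults, dns: dict) -> dict:
    """Return the DMARC result and the disposition the record asks receivers to apply."""
    from_dom = auth.from_domain.lower()
    txt, via_org = dns.get(f"_dmarc.{from_dom}"), False
    if txt is None and org_domain(from_dom) != from_dom:        # fall back to the org domain's record
        txt, via_org = dns.get(f"_dmarc.{org_domain(from_dom)}"), True
    try:
        pol = parse_dmarc(txt) if txt is not None else None
    except ValueError:
        pol = None                                               # an unusable record counts as no record
    if pol is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    dkim_ok = any(r == "pass" and aligned(d, from_dom, pol["adkim"]) for r, d in auth.dkim)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_dom, pol["aspf"])
    if dkim_ok or spf_ok:
        return {"dmarc": "pass", "disposition": "none", "reason": "aligned DKIM" if dkim_ok else "aligned SPF"}
    return {"dmarc": "fail", "disposition": pol["sp"] if via_org else pol["p"],
            "reason": "no passing, aligned identifier"}

def demo() -> dict:
    """Constructed records and results for the scenarios discussed in the text."""
    dns = {"_dmarc.yourcompany.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourcompany.com",
           "_dmarc.bank.example.org": "v=DMARC1; p=reject; adkim=s; aspf=s"}
    cases = {
        # The alignment gap: SPF and DKIM both pass, but for attacker.com, not for the From domain.
        "spoof_signed_by_attacker": AuthResults("yourcompany.com", "pass", "attacker.com", [("pass", "attacker.com")]),
        # Forwarded mail: SPF fails on the forwarder's IP, the DKIM signature survives and aligns.
        "forwarded_genuine": AuthResults("yourcompany.com", "fail", "yourcompany.com", [("pass", "yourcompany.com")]),
        # Provider signs as a subdomain of yours: fine under relaxed alignment (the default).
        "subdomain_signer_relaxed": AuthResults("yourcompany.com", "none", "", [("pass", "mail.yourcompany.com")]),
        # The same situation under strict alignment fails.
        "subdomain_signer_strict": AuthResults("bank.example.org", "none", "", [("pass", "mail.bank.example.org")]),
        # Unauthenticated mail from a subdomain with no record of its own: the parent's sp= applies.
        "subdomain_from_unauth": AuthResults("news.yourcompany.com", "fail", "bulk.example.net", []),
        # No record anywhere: DMARC has nothing to say and the receiver decides on its own.
        "no_record": AuthResults("nobody.example.net", "fail", "attacker.com", []),
    }
    return {name: evaluate_dmarc(a, dns) for name, a in cases.items()}
```

The first case is the attack from the list above: both SPF and DKIM say "pass", but the identifiers they vouch for belong to `attacker.com`, so neither aligns and the `p=reject` policy applies. The second case is why the "Why You Need Both" section prefers DKIM as the survivor of forwarding: SPF fails, but the aligned DKIM pass is enough on its own.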
Why You Need Both
DKIM without DMARC
- Emails are signed, so tampering with the body or the signed headers is detectable
- No policy for failures — receivers decide on their own
- No reports — you don't know who's sending as your domain
- Spoofing still possible (no alignment check)
DMARC without DKIM
- Policy exists but relies entirely on SPF
- SPF breaks when email is forwarded (the forwarding server's IP isn't in your SPF record)
- One authentication method is a single point of failure
- Less robust protection overall
Both together
- DKIM provides a tamper-evident signature tied to your domain
- DMARC enforces alignment and sets policy
- If SPF breaks (forwarding), DKIM can still pass and align
- You get reports showing exactly what's happening
- Exact-domain spoofing is blocked at receivers that honor your policy, once you reach `p=reject`
The trio: SPF + DKIM + DMARC
The complete email authentication stack is SPF, DKIM, and DMARC working together. SPF validates the sending server, DKIM validates the message, and DMARC ties it all together with policy and reporting.
Setting Up Both
DKIM Setup
- Generate a key pair through your email provider (Google Workspace, Microsoft 365, etc.); choose a 2048-bit RSA key where the provider offers it
- Add the public key as a TXT record at `selector._domainkey.yourdomain.com`
- Enable signing in your email provider's settings
- Verify with DKIM Test
DMARC Setup
- Start with a monitoring policy:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Add this as a TXT record at `_dmarc.yourdomain.com`
- Monitor reports for 2-4 weeks and fix any legitimate senders that fail alignment
- Gradually move to `p=quarantine`, then `p=reject` (the `pct=` tag lets you apply the stricter policy to a sample of mail first)
Use DMARC Creator to generate your record.
Common Misconceptions
"DKIM replaces DMARC"
No. DKIM authenticates the message; DMARC enforces policy. They serve different purposes.
"DMARC replaces DKIM"
No. DMARC depends on DKIM (and/or SPF) for the actual authentication check. DMARC is a policy layer on top.
"I only need one"
You need both for proper protection. DKIM without DMARC leaves you without policy enforcement or reporting. DMARC without DKIM makes your authentication fragile (SPF alone breaks easily with forwarding).
"DKIM alignment is automatic"
Not always. Your email provider must sign with your domain, not its own. A subdomain of yours (for example `mail.yourdomain.com`) aligns under the default relaxed mode but not under strict alignment (`adkim=s`). Check your DKIM setup to confirm the `d=` tag.
Check Your Setup
Verify both DKIM and DMARC are working:
- Check DKIM: DKIM Test
- Check SPF: SPF Record Check
- Check DMARC:
Monitor Your DMARC Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.