DKIM vs. SPF: Do I Need Them Both?

Is it Either/Or — or Both?

Is it necessary to use both SPF and DKIM? Neither is mandatory, but using both is strongly recommended. Together they protect your email domains from spoofing and fraud, and because receiving providers treat authenticated mail more favourably, they also improve your deliverability.

How Domain Spoofing Works

To spoof an email, a fraudster needs nothing more than an SMTP server they control or have compromised; SMTP itself performs no check on who a message claims to come from. From there, they can set the ‘From’, ‘Reply-To’, and envelope sender (the address that ends up in ‘Return-Path’) to whatever they like, so their phishing emails appear to be legitimate messages from the individual or brand they’re impersonating.

How SPF Works

At its most essential, SPF allows a domain owner to specify which IP addresses are allowed to send email on behalf of a given domain. For example, a domain owner can stipulate that only a particular IP address or range may send email for the domain by publishing that policy as a TXT record (starting with v=spf1) in the domain’s DNS. When a message arrives, the receiving server looks up the SPF record for the domain in the SMTP envelope sender (MAIL FROM, later visible as Return-Path) and checks whether the connecting IP is listed; the record’s final term decides what happens to everything else (-all for a hard fail, ~all for a soft fail). Note that SPF checks the envelope sender, not the ‘From’ header the recipient sees, and that it breaks when mail is forwarded, because the forwarder’s IP is not in your record. You can see which servers are authorized to send emails for your domains by using a tool to look up SPF records.
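An SPF evaluator, added here as an example rather than code from the original post, shows what the receiving server does with that TXT record. The DNS answers are a constructed in-memory table (the domains and records are made up), and only the ip4, ip6, include and all mechanisms are implemented; the rest of the algorithm, including the RFC 7208 limit of ten DNS-lookup mechanisms, matches the real evaluation.

```python
import ipaddress

# Constructed DNS fixture standing in for live TXT lookups (assumption:
# these domains and records are made up for the example).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: >10 lookup-causing terms is permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for `domain` from the fixture, or None."""
    return FAKE_DNS_TXT.get(domain.lower())


def check_spf(ip, domain, _lookups=None):
    """Evaluate `domain`'s SPF policy for the connecting IP `ip`.

    `domain` is the one from the SMTP envelope sender (MAIL FROM), which is
    what SPF checks; the visible From header plays no part here.
    Returns pass, fail, softfail, neutral, none or permerror.  Only ip4, ip6,
    include and all are implemented; a, mx, ptr and exists yield permerror
    to keep the example short.
    """
    if _lookups is None:
        _lookups = [0]          # shared counter across include recursion
    record = lookup_spf(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # an address of the other IP version is simply not contained
                matched = client in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, _lookups)
            if inner == "pass":
                matched = True
            elif inner in ("fail", "softfail", "neutral"):
                matched = False
            else:
                return "permerror"   # none/permerror inside include is permerror
        else:
            return "permerror"       # mechanism not supported by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" present


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "->", check_spf(ip, "example.com"))
    print("loop.example ->", check_spf("192.0.2.7", "loop.example"))
```

The loop.example record illustrates why the lookup limit exists: a record that includes itself would otherwise recurse forever, and a receiver that hits the limit returns permerror rather than a pass.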

How DKIM Works

DKIM uses public-key cryptography (digital signatures, not encryption) to give email senders a way to sign the outgoing email from a given domain. The sending server computes a hash of the message body and of a chosen set of headers, signs it with a private key, and adds the result as a DKIM-Signature header that names the signing domain (d=) and a selector (s=); the matching public key is published in DNS at selector._domainkey.domain. A receiving provider fetches that key and verifies the signature, which confirms that neither the body nor the signed headers have been changed in transit and that the signature was produced by the domain in d=. DKIM says nothing about which servers may send, and headers left out of the signed set are not protected. Learn more with our DKIM setup guide. Once you do, use a tool to look up DKIM Records to make sure receiving email servers can locate your public key.
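The following is an added example, not code from the original post or from Agari, showing the part of DKIM that decides whether a message was altered: the RFC 6376 “relaxed” canonicalization of headers and body, the body hash that goes into the bh= tag, and the exact bytes the signature covers. The sample message is constructed (the addresses and selector are made up). Python’s standard library has no RSA, so the final signing step over signed_input() is deliberately left out; the body-hash check, which a verifier performs before even fetching the public key, is what the code demonstrates.

```python
import base64
import hashlib
import re

# Constructed sample message, not a real captured email; the addresses and
# selector are made up for the example.
HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "  Invoice   attached "),
]
BODY = "Please   find the invoice attached.\r\n\r\n\r\n"


def relaxed_body(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split("\r\n")
    # collapse runs of whitespace inside a line, strip trailing whitespace
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()                       # drop trailing empty lines
    return "".join(line + "\r\n" for line in lines)


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return name.lower() + ":" + value + "\r\n"


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(dkim_value):
    """'v=1; a=rsa-sha256; ...' -> {'v': '1', 'a': 'rsa-sha256', ...}"""
    return dict(t.strip().split("=", 1) for t in dkim_value.split(";") if "=" in t)


def dkim_dns_name(selector, domain):
    """Where a receiver fetches the public key for this signature."""
    return "%s._domainkey.%s" % (selector, domain)


def dkim_signature_header(headers, body, domain="example.com", selector="sel1"):
    """Build the DKIM-Signature value up to (but excluding) the RSA step.

    b= is left empty: a real signer fills it with the RSA/Ed25519 signature
    over signed_input().  The stdlib has no RSA, so that step is omitted.
    """
    names = ":".join(n.lower() for n, _ in headers)
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b="
            % (domain, selector, names, body_hash(body)))


def signed_input(headers, dkim_value):
    """Bytes a signer signs and a verifier checks: the h= headers in order,
    then the DKIM-Signature header itself with b= emptied and no final CRLF."""
    wanted = parse_tags(dkim_value)["h"].split(":")
    # a real verifier walks the header list bottom-up and tolerates absent names
    lookup = {n.lower(): v for n, v in headers}
    out = "".join(relaxed_header(n, lookup[n]) for n in wanted)
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", dkim_value)
    return out + relaxed_header("DKIM-Signature", stripped).rstrip("\r\n")


def verify_body_hash(headers, body, dkim_value):
    """Step one of DKIM verification: does bh= match the body we received?"""
    return parse_tags(dkim_value).get("bh") == body_hash(body)


if __name__ == "__main__":
    sig = dkim_signature_header(HEADERS, BODY)
    print("public key lives at", dkim_dns_name("sel1", "example.com"))
    print("body hash ok:", verify_body_hash(HEADERS, BODY, sig))
    print("after tampering:", verify_body_hash(HEADERS, BODY.replace("invoice", "refund"), sig))
```

Because relaxed canonicalization normalizes whitespace, a body that has only had extra spaces or trailing blank lines added by an intermediary still hashes to the same value; any change to the words does not.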

Which One is Better?

Ultimately, this isn’t an either/or proposition; it’s a “better together” scenario. SPF and DKIM address two integral, but separate, questions. SPF asks whether the connecting server is allowed to send for the envelope-sender domain, which catches mail sent from unauthorized infrastructure but fails when a legitimate message is forwarded. DKIM asks whether the content was signed by the named domain and is unchanged, which survives forwarding but fails when a mailing list or gateway rewrites the message. Each covers the other’s blind spot. What neither does on its own is tie its result to the ‘From’ address the recipient actually sees, and that gap is exactly what a spoofer exploits.

Why DMARC Makes All the Difference

First introduced in 2012, Domain-based Message Authentication, Reporting & Conformance (DMARC) is a standard email authentication protocol that adds a policy layer to SPF and DKIM. A DMARC record requires that at least one of the two checks passes with a domain that is aligned with the ‘From’ header domain, tells receivers what to do with mail that fails (p=none, quarantine or reject), and asks them to send the domain owner reports on what they saw.
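To make the alignment idea concrete, here is an added example (not code from the original post or from Agari) that combines SPF and DKIM outcomes the way a DMARC-aware receiver does. The DMARC records live in a constructed in-memory table (the domains are made up), and the organizational-domain logic is simplified to the last two labels where a real implementation would consult the Public Suffix List.

```python
# Constructed DMARC records; the domains are made up and there is no live
# DNS in this example (assumption).
FAKE_DMARC_TXT = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
    "bulk.example": "v=DMARC1; p=none",
}


def parse_tags(record):
    """'v=DMARC1; p=reject; ...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    A production implementation consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_results):
    """Combine SPF and DKIM outcomes the way DMARC does.

    from_domain:  domain of the RFC 5322 From header the user sees
    spf_result:   SPF result for the envelope sender; spf_domain is its domain
    dkim_results: list of (result, d= domain) tuples, one per DKIM-Signature
    Returns (dmarc_result, action) with action in none/quarantine/reject.
    """
    record = FAKE_DMARC_TXT.get(from_domain.lower())
    is_subdomain = False
    if record is None:
        # fall back to the organizational domain's record, as receivers do
        record = FAKE_DMARC_TXT.get(org_domain(from_domain))
        is_subdomain = record is not None
    if record is None:
        return "none", "none"   # no policy published: nothing to enforce
    tags = parse_tags(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim)
                  for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= overrides p= for subdomains when the record lives at the org domain
    policy = tags.get("p", "none")
    if is_subdomain:
        policy = tags.get("sp", policy)
    return "fail", policy


if __name__ == "__main__":
    # spoofer: SPF and DKIM both pass, but for the attacker's own domain
    print(dmarc_evaluate("example.com", "pass", "attacker.example",
                         [("pass", "attacker.example")]))
    # forwarded legitimate mail: SPF breaks, the DKIM signature survives
    print(dmarc_evaluate("example.com", "fail", "example.com",
                         [("pass", "example.com")]))
```

The first call is the case the page is about: an attacker who authenticates perfectly for a domain they own still fails DMARC, because neither passing identifier aligns with the ‘From’ domain they are impersonating.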




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.