Overview: Two Pillars of Email Authentication
If you've started learning about email authentication, you've likely encountered both DKIM and DMARC. While they work together, they serve fundamentally different purposes. Understanding the distinction is key to building a robust email security posture for your domain.
What Is DKIM?
DomainKeys Identified Mail (DKIM) is a cryptographic email authentication method. When you send an email, DKIM adds a digital signature to the message headers. The receiving server then looks up your domain's public key (published as a DNS TXT record) to verify the signature is valid.
This proves two things:
- The email actually came from your domain (or was authorized by it)
- The message content was not altered in transit
A DKIM signature looks like this in email headers:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail;
h=from:to:subject:date; bh=...; b=...What Is DMARC?
Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on top of SPF and DKIM. It tells receiving mail servers what to do when an email fails authentication checks, and it provides reporting back to the domain owner.
A basic DMARC record looks like this:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100Key DMARC policy options (p=):
- none — Monitor only; take no action (good for starting out)
- quarantine — Send failing emails to spam/junk folders
- reject — Block failing emails entirely (strongest protection)
DKIM vs DMARC: Side-by-Side Comparison
| Feature | DKIM | DMARC |
|---|---|---|
| Primary purpose | Verify message integrity & origin | Enforce policy & receive reports |
| How it works | Cryptographic signature in headers | Policy published in DNS |
| DNS record type | TXT record at selector._domainkey | TXT record at _dmarc subdomain |
| Survives forwarding? | Yes (signature travels with email) | Depends on DKIM/SPF alignment |
| Provides reports? | No | Yes (aggregate & forensic) |
| Requires SPF? | No | Recommended (uses SPF or DKIM) |
The Concept of Alignment
DMARC introduces a critical concept: alignment. For DMARC to pass, either the SPF-authenticated domain or the DKIM signing domain must align (match) with the domain in the email's From: header. This prevents attackers from passing SPF/DKIM checks using a different domain while spoofing your brand in the visible From address.
Do You Need Both?
The short answer is yes. Here's why:
- DKIM alone can verify signatures but doesn't tell receiving servers what to do with failures, and it doesn't produce actionable reports.
- DMARC alone is ineffective — it requires at least SPF or DKIM to function. Without them, there's nothing to evaluate.
- Together, DKIM provides the cryptographic proof and resilience (especially through email forwarding), while DMARC enforces policy and gives you visibility into who is sending email as your domain.
Recommended Implementation Order
- Set up SPF to list authorized sending sources
- Configure DKIM on all sending services
- Publish a DMARC record with
p=nonefirst to monitor - Analyze DMARC reports for 2–4 weeks
- Gradually move to
p=quarantine, thenp=reject
Summary
DKIM and DMARC are complementary, not competing, standards. DKIM signs your messages for integrity and authenticity. DMARC gives you control over what happens when authentication fails — and keeps you informed. Together with SPF, they form the complete email authentication trifecta that protects your domain and your recipients.