All You Need to Know About SPF, DKIM and DMARC

#readwise # All You Need to Know About SPF, DKIM and DMARC ![rw-book-cover](https://readwise-assets.s3.amazonaws.com/static/images/article3.5c705a01b476.png) ## Metadata - Author: [[knowledge.ondmarc.redsift.com]] - Full Title: All You Need to Know About SPF, DKIM and DMARC - URL: https://knowledge.ondmarc.redsift.com/en/articles/1739840-all-you-need-to-know-about-spf-dkim-and-dmarc ## Highlights **==SPF focuses on the “domain” found in an email header== that has many names, ==Return-Path==, MAIL-FROM, Bounce address, Envelope from.** In this article we will refer to it as the Return-Path. If this header is missing, SPF falls back and looks at the “HELO/EHLO” hostname and checks for an SPF record there. **Don’t forget — the Return-Path header is a technical header that is ==not visible to the end user==.** Unless they know how to display the headers of an email in their mail client they won't see it. --- **==DKIM focuses on the “DKIM-Signature” header.== Don’t forget — this header again is ==not visible to the end user== unless they know how to display the headers of the email they have received.** --- **==DMARC focuses on the domain found in the “From or Header from” header which is visible to the end user.==** In this article we will refer to it as “From”. --- **DMARC — the receiving server will check if either SPF or DKIM PASSED, then it will check if the Return-Path domain used by SPF and/or the “d=” domain used by DKIM align with “From” domain, and finally it will extract the DMARC policy published by the domain found in the “From” address and comply with the policy.** - The overall logic is: - If SPF PASSED and ALIGNED with the “From” domain = DMARC PASS - If DKIM PASSED and ALIGNED with the “From” domain = DMARC PASS - If both SPF and DKIM FAILED = DMARC FAIL - **==DMARC not only requires that SPF or DKIM PASS, but it also requires the domains used by either one of those two protocols to ALIGN with the domain found in the “From” address.== Only then will DMARC PASS.** --- **==Strict alignment means that the Return-Path domain or the signing domain “d=” must be an exact== match with the domain in the “From” address. ==Relaxed alignment== means that the Return-Path domain or the signing domain “d=” ==can be a subdomain of the “From” address== and vice versa.** ---