Rohan Mathew

Both DMARC and DKIM are email authentication protocols helping organizations combat impersonation attacks and email compromise.  Both DMARC and DKIM are important tools for protecting your brand, but they do not replace each other. So it’s important that you understand what each one does before deciding on which one works best for your needs.

First, let’s break down the acronyms:

DMARC is an acronym for Domain-based Message Authentication Reporting and Conformance. It is a protocol that uses SPF and/or DKIM records to authenticate emails. It also allows you to monitor and control what happens to unauthenticated emails sent from your domain.

DKIM is an acronym for DomainKeys Identified Mail. It is a method of verifying the authenticity of emails using cryptographic authentication.

DMARC definition & how it works 

DMARC is based on SPF (Sender Policy Framework) and DKIM. It verifies if the message aligns with these standards. DMARC allows for the rejection of fraudulent messages and it also allows for reports to be emailed to you from the recipient’s mail server. It is a protocol that allows an organization to say “if you send mail from my domain, I will authenticate it.” It also creates a feedback loop between the sender and receiver that lets both parties know if the other party is following the specified policy.

To begin with, the basic function of DMARC is to determine whether or not an email should be delivered to its intended recipient. In order to do this, it determines what kind of DNS records are stored for a particular domain. The DMARC record itself contains instructions as to where the email should be sent if it fails either SPF or DKIM checks.

It also provides instructions as to how much of the message should be delivered if it fails authentication. There are three possible options here: 

  • ‘none’ means that all failed messages should be treated as normal
  • ‘quarantine’ means that some portion of the message should be delivered, but only with a warning
  • ‘reject’ means that no part of the message should be delivered at all

DKIM definition & how it works 

DKIM is a cryptographic method of verifying that an email is sent from an authorized server. This is done by cryptographically signing each email with a private key, which then allows it to be verified by the recipient using a public key. DKIM performs a different role in email authentication as opposed to DMARC. DKIM is a form of email authentication that allows you to verify if a message has been sent by someone using your domain name. The verification is done by adding a digital signature to each message sent from your server. This signature is added by adding a header to the email that contains a few key pieces of information:

  • The domain name used to send the email
  • A DKIM selector is used to help locate the DKIM public keys in the DNS in case there are multiple DKIM records published
  • The public key will be used by the recipient’s mail server to decrypt part of the message and compare it against another part of the message in order to verify that it was sent from an authorized server
  • A hash value is generated from parts of the message so that those parts can be verified by anyone who has authorized access 

DMARC Vs DKIM: Which to use and when?

DMARC and DKIM are both email authentication techniques that help improve the security and deliverability of your emails. While they’re often confused, and many companies have a hard time understanding the differences between these two protocols, DMARC and DKIM are actually quite distinct from each other as explained above.

It is important to note that neither of the two protocols is interdependent, and can be configured individually. Let’s find out how: 

Configuring DMARC paired with SPF

You can skip setting up DKIM for your domain and still configure DMARC by pairing it up with SPF. This is because for your emails to pass DMARC, either SPF or DKIM identifier alignment is required. To implement DMARC without DKIM: 

  • Make a list of all your authorized sending sources 
  • Create an SPF record using our free SPF record generator and include all your sending sources to authorize them
  • Paste the record on your DNS 
  • Create a DMARC TXT record for your domain using our free DMARC record generator 
  • Copy and paste this record on your DNS to activate DMARC

Configuring DKIM on its own

If you want to skip DMARC configuration, you can choose to implement DKIM on its own. To do so head over to the PowerDMARC DKIM record generator tool and enter the following information: 

  • A unique DKIM selector key (it can be a 1024 or 2048 bits long alphanumeric value) 
  • Your domain name (without any prefixes, for example, if your website URL is, your domain name will be

Once you hit the generate record button our AI generates your DKIM TXT record along with instructions on how to publish it on your DNS to activate the protocol. 

DMARC, SPF, and DKIM: How they can work in unison for well-rounded email protection

We believe that having a multi-factor approach to email authentication can be a game-changer in terms of domain and information security. This is why experts in the industry recommend organizations implement DMARC, SPF as well DKIM for well-rounded email protection. 

Aligning your emails against both SPF and DKIM authentication standards while using DMARC for special instructions and reverse feedback can help you gain 100% compliance on your emails. It also helps build trust and create a solid foundation for your organization’s domain, and ensure deliverability. 

The PowerDMARC email authentication suite gives you an automated experience while configuring your protocols. Our DMARC services come paired with SPF and DKIM to take your email’s security to the next level. Sign up for our free DMARC today to try out the benefits yourself!