In my last post, I explained how to configure DKIM. Today, I will cover the difference between DKIM and SPF. You might be wondering why you need DKIM if you already have SPF implemented, considering that both methods are used to authenticate the sender of an email. Make sure you read my previous posts on DKIM and SPF first.
Latest posts by Surender Kumar (see all)

Since email attacks are becoming more sophisticated every day, the techniques to counter such attacks need to be more robust, too. As you learned in my previous post, the SPF record lists the servers that are authorized to send emails from your domain. DKIM, on the other hand, makes sure that the email message is signed using a digital signature that can be verified by the receiving mail server.

There are two types of From addresses in an email message. The first is the MAIL FROM address (a.k.a. return-path or envelope from), and the second is the From address, which is displayed in the email client. The SPF record only validates the return-path address and doesn't care about the From address, which makes the displayed From address easy for attackers to forge.

What's more, SPF is more fragile than DKIM. Consider a scenario in which an original email message (which was verified by the SPF check) is forwarded to someone else. Since the forwarder is now the new sender of the email message, the return-path will change and the SPF check is performed against the new sending domain, which causes the SPF check to fail. This problem doesn't exist for a DKIM-signed message since the signature is embedded in the message header. So, even if the original email message is forwarded, the DKIM signature is still preserved in the header.
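The difference described in the two paragraphs above, as an added example (not code from the original post): this Python sketch reads a message's headers and reports which domain an SPF check would evaluate (the Return-Path) and which domain signed the message with DKIM (the `d=` tag), next to the displayed From domain. It performs no DNS lookups and verifies no signatures; the sample messages, the domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(value):
    """Lowercased domain part of an address header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def identities(raw):
    """Report the domain each mechanism vouches for, next to the visible From."""
    msg = message_from_string(raw)
    visible = _domain(msg["From"])          # what the mail client displays
    envelope = _domain(msg["Return-Path"])  # the only address SPF evaluates
    signers = []
    for header in msg.get_all("DKIM-Signature", []):
        # d= is the signing domain; (?:^|;) keeps bh= and other tags from matching
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", header)
        if m:
            signers.append(m.group(1).lower())
    return {
        "from": visible,
        "spf_checks": envelope,
        "dkim_signers": signers,
        "spf_matches_from": bool(visible) and envelope == visible,
        "dkim_matches_from": visible in signers,
    }

def sample(return_path, dkim_domain=None):
    """Constructed test message; the visible From is always alice@example.com."""
    lines = [f"Return-Path: <{return_path}>", "From: Alice <alice@example.com>"]
    if dkim_domain:
        lines.append(f"DKIM-Signature: v=1; a=rsa-sha256; d={dkim_domain}; s=sel1;\n"
                     " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED")
    return "\n".join(lines + ["Subject: test", "", "body"])

# Constructed samples (placeholder signature values, reserved example domains)
DIRECT = sample("alice@example.com", "example.com")           # sent by the domain itself
FORWARDED = sample("relay@forwarder.example", "example.com")  # return-path changed in transit
FORGED = sample("bounce@mailer.example")                      # SPF only sees mailer.example

if __name__ == "__main__":
    for name, raw in [("direct", DIRECT), ("forwarded", FORWARDED), ("forged From", FORGED)]:
        print(f"{name:12} {identities(raw)}")
```

For the forwarded sample the SPF identity no longer matches the From domain while the DKIM signer still does; for the forged sample SPF would evaluate `mailer.example` only and says nothing about `example.com`.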

Let's look at an example to understand how SPF and DKIM make a difference. Suppose you send an email to a recipient with a Gmail address. The following screenshot shows what the email will look like when it is sent from a domain with a correctly configured SPF record.

Understanding the mailed by field in Gmail


The mailed-by field in the screenshot indicates that the SPF check was passed, and the email message was indeed sent by an authorized server. Now, let's see what an email message looks like when it is sent from a domain having both SPF and DKIM in place.


Understanding the mailed by and signed by fields in Gmail


In this screenshot, you can see the mailed-by and signed-by fields. The latter denotes that the email message was signed using DKIM and that Gmail's servers verified that the message is authentic and wasn't changed in transit.

  1. I did encounter the case of the 16 lookups limit for SPF. In those cases, I ended up using micro SPF to add more IPs.

    • Author

      The limit is 10 DNS lookups in SPF. There is no limit of adding IP addresses since they don’t trigger DNS lookup. Lookup is only triggered when you use mechanisms like a, mx, include etc. as in



© 4sysops 2006 - 2023

