What SPF, DKIM, and DMARC results mean
When an email arrives, your mail provider runs three checks on it and writes the verdicts into the message's headers. Understanding the trio takes three sentences each, and it's worth the three sentences, because these results are the closest thing email has to a signature panel.
The three checks
SPF asks: did this message come from a server the sending domain has authorized? The domain publishes its list of legitimate senders; the receiving server checks the actual origin against it. A pass means the server was authorized; it says nothing about the human or the content. DKIM asks: does the message carry a valid cryptographic signature from the sending domain, and has the signed content survived intact? A DKIM pass is the strongest of the three: the domain's mail system signed this message, and what it signed hasn't changed. DMARC sits on top, asking whether SPF or DKIM passed for the same domain the user actually sees in the From line, and what the domain wants done with failures. DMARC is what connects the cryptography to the thing humans read.
How to read the verdicts
All three passing, aligned with the visible From domain: the message really came through that domain's mail system. That's strong, with one crucial limit: it authenticates the domain, not the intent. A compromised account or a lookalike domain with its own valid setup passes everything; "scammer-corp-invoices.com" can have flawless DMARC. Failures need context: forwarding routinely breaks SPF, and mailing lists historically broke DKIM, so a single fail on a newsletter is noise. The pattern that always deserves attention is failure or misalignment on a message that asks for money or credentials, or that pushes urgency, especially DMARC failure on an exact match of a domain you do business with.
One honesty note that applies to any tool reading these results, including ours: the verdicts live in the Authentication-Results header, written by the receiving server. Reading them reports what that server concluded at delivery. It is an observation of the record, which is exactly what you want when assessing a message you already received.
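To make the reading concrete, here is an added example (not DocVerdict's code) that pulls the recorded verdicts out of a saved message and checks each passing domain against the visible From domain. The sample message and its domains are constructed, the function names are hypothetical, and the organizational domain is approximated as the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not real mail; every domain here is a placeholder.
SAMPLE_EML = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.mailer.example.net;
 dkim=pass header.d=mailer.example.net;
 dmarc=fail header.from=example.com
From: "Accounts Payable" <billing@example.com>
To: you@receiver.example
Subject: Updated wire instructions

Please pay today.
"""

IDENT = re.compile(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^\s@;]*@)?([\w.-]+)", re.I)

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real DMARC evaluation uses the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def read_auth(eml_text):
    msg = message_from_string(eml_text)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # get() returns the topmost header; headers are prepended in transit, so
    # that is the most recently added one. Unfold it onto a single line.
    header = " ".join((msg.get("Authentication-Results") or "").split())
    found = {"from_domain": from_domain, "spf": None, "dkim": None, "dmarc": None}
    for part in header.split(";")[1:]:  # [0] is the reporting server's id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part, re.I)
        if not m:
            continue
        method, verdict = m.group(1).lower(), m.group(2).lower()
        ident = IDENT.search(part)
        domain = ident.group(1).lower() if ident else ""
        aligned = (verdict == "pass" and bool(domain)
                   and org_domain(domain) == org_domain(from_domain))
        # A message can carry several DKIM results; keep an aligned pass if any.
        if found[method] is None or aligned:
            found[method] = {"verdict": verdict, "domain": domain, "aligned": aligned}
    return found

def authenticated_for_from(found):
    # DMARC's core question: did SPF or DKIM pass for the domain the reader sees?
    return any(bool(found[k]) and found[k]["aligned"] for k in ("spf", "dkim"))
```

On the sample, SPF and DKIM both read "pass", yet neither passed for example.com, so `authenticated_for_from` returns False, matching the recorded `dmarc=fail`.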
FAQ
Can a scam email pass all three checks?
Easily, from its own domain. Authentication proves the message came from the domain it claims; it cannot prove the domain is honest or the account uncompromised. The checks eliminate impersonation of the exact domain, which is their whole, valuable job.
What does "alignment" mean?
That the domain which passed SPF or DKIM matches the domain in the visible From line. Without alignment, a message can technically pass checks for a domain the reader never sees.
Should a failed check make me delete the email?
It should make you verify through another channel before acting, particularly for payment or credential requests. Plenty of failures are plumbing; none of the plumbing explanations apply to your bank asking you to wire money.
Check an email's authentication
Save it as .eml and drop it on DocVerdict's email check. SPF, DKIM, and DMARC results as recorded at delivery, the routing timeline, and sender alignment, in plain language. Free check, no account, files never stored.