DMARC: Deciding What Happens When Email Authentication Fails
DMARC defines what happens when email authentication fails, turning SPF and DKIM results into clear policy decisions that protect domains from spoofing and abuse.
Email authentication is the set of technical signals used to determine whether an email was legitimately sent and how much it should be trusted. This tag covers protocols like SPF, DKIM, DMARC, and ARC — explaining what they actually prove, where they fall short, and how they shape modern inbox decisions.
DKIM (DomainKeys Identified Mail) doesn’t verify who sent an email. It verifies that the message hasn’t been altered since it was signed, and that a domain takes responsibility for its contents. Understanding DKIM means understanding what it proves — and what it deliberately ignores.
SPF doesn’t verify who sent an email — it only confirms that a server was allowed to deliver it. That distinction explains why SPF passes during phishing, fails during forwarding, and can’t be treated as a trust signal on its own.
Email authentication relies on SPF, DKIM, and DMARC — a set of interlocking systems — but most people misunderstand what they really do, and what they don’t protect.