SPF specifies which mail servers are authorized to send email on behalf of a domain. Receiving servers check the sending server's IP address against the domain's SPF record to detect unauthorized senders.
DKIM adds a cryptographic signature to every outgoing email. The recipient can verify this signature using the public key published in DNS, confirming the message was not altered in transit and truly originates from the stated domain.
DMARC ties SPF and DKIM together and tells receiving servers what to do with emails that fail both checks — accept, quarantine (spam folder), or reject them outright. It also enables reporting so domain owners can monitor abuse.
