| | SPF | DKIM |
|-----------|-----------------------------------------|---------------------------------------|
| What | IPs/hosts allowed to send for your domain | Cryptographic signature on the email |
| Lives | DNS TXT at caduh.com | Header DKIM-Signature + DNS TXT |
| Align | Envelope-from (return-path) | d= domain in signature |
| Gotcha| Breaks on forwarding | Keys need rotation + canonicalization |
Use both. SPF covers infrastructure; DKIM proves content integrity.