Email – SPF vs. DKIM: Exact Use Cases and Differences


I'm sorry for the vague title. I don't fully understand why SPF and DKIM should be used together.

First: SPF can pass where it should fail if the sender or DNS is "spoofed", and it can fail where it should pass if some advanced setup of proxies and forwarders is involved.

DKIM can pass where it should fail, either because of an error/weakness in the cryptography (we rule this out, hence the simplified point), or because the DNS query is spoofed.

Since the cryptography error is ruled out, the difference (as I see it) is that DKIM can be used in setups where SPF would fail. I can't come up with any examples where one would benefit from using both. If the setup allows for SPF, then DKIM should not add any extra validation.

Can anyone give me an example of the benefit of using both?

Best Answer

SPF has many more rankings than Pass/Fail. Using these in heuristically scoring spam makes the process easier and more accurate. Failing on account of "advanced setups" indicates the mail admin didn't know what he was doing in setting up the SPF record. There's no setup that SPF can't account for correctly.

Cryptography doesn't work in absolutes, ever. The only crypto allowed in DKIM usually takes significant resources to break. Most people consider this safe enough. Everyone should evaluate their own situations. Again, DKIM has more rankings than just Pass/Fail.

One example where one would benefit from using both: sending to two different parties where one checks SPF and the other checks DKIM. Another example: sending to a party with content that would normally rank highly in spam tests, but that is offset by both DKIM and SPF, allowing the mail to be delivered.

Neither is required in most cases, though individual mail administrators set their own rules. Both help to address different facets of spam: SPF being who is relaying e-mail and DKIM being the integrity of e-mail and authenticity of origin.
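The answer's scoring scenario, as an added example that is not part of the original answer: a receiver reads the SPF and DKIM results from an `Authentication-Results` header and adjusts a content-based spam score. The result keywords come from RFC 7208 and RFC 8601; the weights, threshold, header values and function names are assumptions constructed for illustration.

```python
import re

# Result keywords: SPF from RFC 7208, DKIM from RFC 8601.
# Weights and threshold are assumed values; a negative weight lowers the spam score.
SPF_WEIGHTS = {"pass": -2.0, "none": 0.0, "neutral": 0.0, "softfail": 1.5,
               "fail": 4.0, "temperror": 0.0, "permerror": 1.0}
DKIM_WEIGHTS = {"pass": -2.0, "none": 0.0, "neutral": 0.0, "policy": 0.5,
                "fail": 2.0, "temperror": 0.0, "permerror": 1.0}
THRESHOLD = 5.0  # hypothetical: a score at or above this is treated as spam

_METHOD = re.compile(r"(spf|dkim)\s*=\s*([a-z]+)", re.IGNORECASE)

def parse_auth_results(header):
    """Return {'spf': result, 'dkim': result} from an Authentication-Results value."""
    results = {"spf": "none", "dkim": "none"}
    # Strip parenthesised comments first (they may contain ';'),
    # then skip the authserv-id that precedes the first ';'.
    body = re.sub(r"\([^)]*\)", "", header)
    for clause in body.split(";")[1:]:
        m = _METHOD.match(clause.strip())
        if not m:
            continue  # other methods (e.g. dmarc) are ignored here
        method, result = m.group(1).lower(), m.group(2).lower()
        # Several DKIM signatures may be reported; keep a pass once seen.
        if results[method] != "pass":
            results[method] = result
    return results

def spam_score(content_score, header):
    """Content score adjusted by the SPF and DKIM results; unknown keywords weigh 0."""
    r = parse_auth_results(header)
    return (content_score + SPF_WEIGHTS.get(r["spf"], 0.0)
            + DKIM_WEIGHTS.get(r["dkim"], 0.0))

def delivered(content_score, header):
    return spam_score(content_score, header) < THRESHOLD

# Constructed sample header values (not taken from real mail).
BOTH = "mx.example.org; spf=pass smtp.mailfrom=news.example.com; dkim=pass header.d=example.com"
SPF_ONLY = "mx.example.org; spf=pass smtp.mailfrom=news.example.com; dkim=none"
FORWARDED = "mx.example.org; spf=softfail (forwarded) smtp.mailfrom=example.com; dkim=pass header.d=example.com"
```

With a content score of 8.0, the message that passes both checks falls below the threshold and is delivered, while the same content with only an SPF pass is not.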