The thing missing is that DMARC ensures alignment with the From header as well which SPF and DKIM don’t do.
SPF is about the domain in the envelope address.
DKIM signatures can reference any DKIM selector on any domain.
But DMARC also checks that the domains used match the domain of the From header. DMARC passes when at least one of the two is aligned. It’s possible to require strict alignment (exact domain) or allow subdomains as well.
SPF is about the domain in the envelope address.
DKIM signatures can reference any DKIM selector on any domain.
But DMARC also checks that the domains used match the domain of the From header. DMARC passes when at least one of the two is aligned. It’s possible to require strict alignment (exact domain) or allow subdomains as well.