What is the difference between SPF and DKIM results in headers?

Both appear in Authentication-Results, but they verify different things:

SPF results verify whether the sending IP address is authorized to send for the envelope sender domain (Return-Path).

• spf=pass: IP is listed in the domain's SPF record
• spf=fail: IP is explicitly not allowed
• spf=softfail: IP isn't allowed but domain isn't certain (using ~all)
• spf=neutral: Domain expresses no opinion (?all)
• spf=none: No SPF record exists
• The smtp.mailfrom field shows which domain was checked.

DKIM results verify the cryptographic signature proving the message wasn't altered and came from a server with the domain's private key.

• dkim=pass: Signature validates
• dkim=fail: Signature invalid (message altered or key mismatch)
• dkim=none: No signature present
• The header.d or header.i shows the signing domain; header.s shows the selector.

You can pass one and fail the other. SPF failing while DKIM passes often indicates forwarding (SPF checked new IP; DKIM signature preserved). DMARC requires at least one to pass and align.