What is the difference between SPF and DKIM results in headers?

Both appear in Authentication-Results, but they verify different things:

SPF results verify whether the sending IP address is authorized to send for the envelope sender domain (Return-Path).

spf=pass: IP is listed in the domain's SPF record

spf=fail: IP is explicitly not allowed

spf=softfail: IP isn't authorized, but the domain's policy stops short of a hard fail (~all)

spf=neutral: Domain expresses no opinion (?all)

spf=none: No SPF record exists

The smtp.mailfrom field shows which domain was checked.

DKIM results verify the message's cryptographic signature, which proves that the signed content wasn't altered and that it came from a server holding the domain's private key.

dkim=pass: Signature validates

dkim=fail: Signature invalid (message altered or key mismatch)

dkim=none: No signature present

The header.d or header.i shows the signing domain; header.s shows the selector.

You can pass one and fail the other. SPF failing while DKIM passes often indicates forwarding: SPF was checked against the forwarder's new IP, while the DKIM signature was preserved. DMARC requires at least one of the two to pass and align.
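
The fields described above can be pulled out of an Authentication-Results value and checked programmatically. The following is an added example, not code from the original page: the header value, the function names and the result keys are constructed for illustration. It assumes strict alignment (exact match with the From domain); relaxed alignment compares organizational domains and needs the Public Suffix List.

```python
import re

# Constructed sample header value: a forwarded message, so SPF was checked
# against the forwarder's IP while the original DKIM signature survived.
SAMPLE = (
    "mx.receiver.example; "
    "spf=softfail (203.0.113.7 not designated) smtp.mailfrom=bounce@example.com; "
    "dkim=pass (good signature; 2048-bit key) header.d=example.com header.s=sel1; "
    "dkim=fail (body hash mismatch) header.d=list.example.org header.s=k2"
)

def domain_of(value):
    """Domain part of 'user@domain', '@domain' (header.i) or a bare domain."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def parse_auth_results(value):
    """Split a header value into (authserv_id, [(method, result, props), ...])."""
    value = re.sub(r"\([^()]*\)", " ", value)   # drop comments, incl. any ';' inside
    parts = [p.strip() for p in value.split(";") if p.strip()]
    found = []
    for part in parts[1:]:
        m = re.match(r"([\w-]+)\s*=\s*(\w+)", part)
        if m:  # skips a bare "none" (no methods were evaluated)
            pairs = re.findall(r"(\w+\.[\w-]+)\s*=\s*(\S+)", part[m.end():])
            props = {k.lower(): v for k, v in pairs}
            found.append((m.group(1).lower(), m.group(2).lower(), props))
    return parts[0].split()[0], found

def evaluate(value, from_domain):
    """Summarise SPF/DKIM results and apply a strict-alignment DMARC-style check."""
    authserv_id, found = parse_auth_results(value)
    frm = from_domain.lower()
    spf = [(r, domain_of(p.get("smtp.mailfrom", ""))) for m, r, p in found if m == "spf"]
    dkim = [(r, domain_of(p.get("header.d") or p.get("header.i", "")), p.get("header.s"))
            for m, r, p in found if m == "dkim"]
    spf_ok = any(r == "pass" and d == frm for r, d in spf)
    dkim_ok = any(r == "pass" and d == frm for r, d, _ in dkim)
    return {
        "authserv_id": authserv_id,   # only trust headers added by your own receiver
        "spf": spf, "dkim": dkim,
        "aligned_pass": spf_ok or dkim_ok,   # at least one passes and aligns
        # Pattern from the text: SPF did not pass but an aligned DKIM signature did.
        "forwarding_pattern": dkim_ok and not any(r == "pass" for r, _ in spf),
    }
```

Calling evaluate(SAMPLE, "example.com") reports an aligned pass through DKIM alone, with the forwarding pattern flagged.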