zer0uno

Reputation: 8030

DMARC without SPF

Although it is not possible to implement a complete DMARC policy with only SPF, due to forwarded emails, is it still possible to implement a proper DMARC policy with only DKIM?

Upvotes: 2

Views: 1115

Answers (1)

SnY

Reputation: 11

Yes, it's possible to protect an e-mail domain via DMARC policy solely with the DKIM digital signing technique in place.

The reason is that DMARC requires either SPF OR DKIM checks to pass, not necessarily both.

For more details see: https://datatracker.ietf.org/doc/html/rfc7489#section-2.1 or this similar question: https://serverfault.com/q/812367/268257

However, such a setup would limit DMARC policy protection only to "header From:" addresses that are typically visible to recipients.

To also protect the invisible "envelope sender" addresses (aka MAIL FROM or Return-Path), used for receiving bounces (Non-Delivery Reports), it's recommended to use SPF, which is focused on that.

SPF is also useful when sending emails to recipients that lack DMARC support, as it gives them at least some hints about the sender's authorization.

Thus the best setup is to combine both DKIM and SPF.

Upvotes: 1
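The "either SPF or DKIM" rule discussed above, worked through as an added example that is not part of the original question or answer: a small evaluator that takes SPF and DKIM results as inputs and applies RFC 7489 identifier alignment against the header From: domain. The domains and messages are constructed, and `org_domain` is a simplifying assumption (last two labels) standing in for a Public Suffix List lookup.

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares org domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str              # domain of the From: header address
    mail_from: str                # envelope sender (Return-Path) domain
    spf: str                      # SPF result for mail_from: pass/fail/none
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]

def dmarc_eval(m, aspf_strict=False, adkim_strict=False):
    # DMARC passes when at least one mechanism passes AND is aligned.
    spf_ok = m.spf == "pass" and aligned(m.mail_from, m.header_from, aspf_strict)
    dkim_ok = any(r == "pass" and aligned(d, m.header_from, adkim_strict)
                  for d, r in m.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages for a domain that publishes DKIM keys.
SAMPLES = {
    "dkim_only_no_spf_record": Message("example.com", "example.com", "none",
                                       [("example.com", "pass")]),
    "forwarded_spf_broken": Message("example.com", "example.com", "fail",
                                    [("mail.example.com", "pass")]),
    "list_rewrote_body": Message("example.com", "example.com", "fail",
                                 [("example.com", "fail")]),
    "unaligned_third_party": Message("example.com", "esp.example.net", "pass",
                                     [("esp.example.net", "pass")]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:26} {dmarc_eval(msg)}")
```

The `list_rewrote_body` case is the one a DKIM-only domain has no fallback for: when an intermediary invalidates the signature, nothing aligned is left to pass.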
