Can I Set Up DMARC without DKIM?

Home Can I Set Up DMARC without DKIM?

Can I Set Up DMARC without DKIM?

20th Feb 2024 DMARC DKIM

Yes, you can set up DMARC without DKIM and have only DMARC and SPF in the equation. In this case, DKIM check always fails and DMARC authentication result is up to SPF check and SPF identifier alignment, which still somewhat works but is less than optimal.

DMARC authentication equation

The DMARC authentication result hinges on the SPF authentication result and the DKIM authentication result. An email passes DMARC authentication when ANY of the following is true:

it passes SPF authentication and has SPF identifier alignment;
it passes DKIM authentication and has DKIM identifier alignment.

To put it into a simple equation:

DMARC authentication pass = (SPF authentication pass AND SPF identifier alignment) OR (DKIM authentication pass AND DKIM identifier alignment)

DMARC without DKIM

Now that DKIM is missing, the equation becomes:

DMARC authentication pass = SPF authentication pass AND SPF identifier alignment

In other words, SPF authentication result and the existence of SPF identifier alignment completely determine the outcome of DMARC authentication.

When SPF authentication fails...

All is good since SPF alone can authenticate legitimate emails.

But wait. What if SPF authentication fails?

For a direct email flow, a legitimate email coming from an authorized outgoing server gets authenticated by SPF. However, if an email is forwarded like in the email list scenario, SPF authentication can fail since the intermediate server's IP address is not on the SPF IP list.

When this happens, and if no DKIM is set up, the legitimate email fails DMARC authentication since it fails both SPF and DKIM authentication, in which case, it's a false negative.