Can I Set Up DMARC without DKIM?


Yes, you can set up DMARC without DKIM, leaving only DMARC and SPF in the equation. In this case, the DKIM check always fails and the DMARC authentication result depends entirely on the SPF check and SPF identifier alignment. This still works to a degree but is less than optimal.

DMARC authentication equation

The DMARC authentication result hinges on the SPF authentication result and the DKIM authentication result. An email passes DMARC authentication when ANY of the following is true:

  • it passes SPF authentication and has SPF identifier alignment;
  • it passes DKIM authentication and has DKIM identifier alignment.

To put it into a simple equation:

DMARC authentication pass = (SPF authentication pass AND SPF identifier alignment) OR (DKIM authentication pass AND DKIM identifier alignment)

DMARC without DKIM

Now that DKIM is missing, the equation becomes:

DMARC authentication pass = SPF authentication pass AND SPF identifier alignment

In other words, the SPF authentication result and SPF identifier alignment completely determine the outcome of DMARC authentication.

When SPF authentication fails...

So far, all is good, since SPF alone can authenticate legitimate emails.

But wait. What if SPF authentication fails?

In a direct email flow, a legitimate email coming from an authorized outgoing server gets authenticated by SPF. However, if an email is forwarded, as in the mailing list scenario, SPF authentication can fail because the intermediate server's IP address is not among the IP addresses authorized by SPF.

When this happens and no DKIM is set up, the legitimate email fails DMARC authentication because it fails both SPF and DKIM authentication. This is a false negative.
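The forwarding failure described above, as an added example that is not part of the original article: a small DMARC evaluator run over constructed messages. The `Message` class, the scenario names and the two-label organizational-domain shortcut are assumptions made for illustration; `aspf` and `adkim` mirror the alignment-mode tags of a DMARC record.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # A production evaluator uses the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    # "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str   # domain in the From: header
    mail_from: str     # envelope sender domain that SPF checked
    spf: str           # SPF result: "pass", "fail", "none", ...
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]

def dmarc_pass(m: Message, aspf: str = "r", adkim: str = "r") -> bool:
    spf_ok = m.spf == "pass" and aligned(m.mail_from, m.header_from, aspf)
    dkim_ok = any(res == "pass" and aligned(d, m.header_from, adkim)
                  for d, res in m.dkim)
    return spf_ok or dkim_ok

# Constructed scenarios for a sender whose From: domain is example.com.
# The forwarded cases assume the forwarder left the signed content intact.
SCENARIOS = {
    "direct, SPF only": Message("example.com", "bounce.example.com", "pass"),
    "forwarded, SPF only": Message("example.com", "example.com", "fail"),
    "forwarded, SPF + DKIM": Message("example.com", "example.com", "fail",
                                     [("example.com", "pass")]),
    "list rewrote envelope sender, SPF only":
        Message("example.com", "lists.example.org", "pass"),
    "unrelated DKIM signature only":
        Message("example.com", "example.com", "fail", [("example.net", "pass")]),
}

def evaluate_all() -> dict:
    return {name: dmarc_pass(m) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:42} DMARC {'pass' if ok else 'fail'}")
```

The fourth scenario shows that an SPF pass for the forwarder's own domain does not help either, because that domain is not aligned with the From: header.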

A full DMARC implementation is your best bet

As discussed above, having DKIM set up in your DMARC implementation increases the likelihood of legitimate emails passing DMARC authentication.

Since most email services allow you to set up both SPF and DKIM, you definitely should set up DKIM alongside SPF.

Does DMARC require DKIM?

No. DKIM is not required by DMARC. However, setting up DKIM keeps false negatives in DMARC authentication to a minimum.

