Yes, you can set up DMARC without DKIM and have only DMARC and SPF in the equation. In this case, DKIM check always fails and DMARC authentication result is up to SPF check and SPF identifier alignment, which still somewhat works but is less than optimal.
DMARC authentication equation
The DMARC authentication result hinges on the SPF authentication result and the DKIM authentication result. An email passes DMARC authentication when ANY of the following is true:
- it passes SPF authentication and has SPF identifier alignment;
- it passes DKIM authentication and has DKIM identifier alignment.
To put it into a simple equation:
DMARC authentication pass = (SPF authentication pass AND SPF identifier alignment) OR (DKIM authentication pass AND DKIM identifier alignment)
DMARC without DKIM
Now that DKIM is missing, the equation becomes:
DMARC authentication pass = SPF authentication pass AND SPF identifier alignment
In other words, SPF authentication result and the existence of SPF identifier alignment completely determine the outcome of DMARC authentication.
When SPF authentication fails...
All is good since SPF alone can authenticate legitimate emails.
But wait. What if SPF authentication fails?
For a direct email flow, a legitimate email coming from an authorized outgoing server gets authenticated by SPF. However, if an email is forwarded like in the email list scenario, SPF authentication can fail since the intermediate server's IP address is not on the SPF IP list.
When this happens, and if no DKIM is set up, the legitimate email fails DMARC authentication since it fails both SPF and DKIM authentication, in which case, it's a false negative.
A full DMARC implementation is your best bet
As discussed above, having DKIM set up in your DMARC implementation increases the possibility of legitimate emails passing DMARC authentication.
Since most email services allow you to set up both SPF and DKIM, you definitely should set up DKIM alongside SPF.
Does DMARC require DKIM?
No. DKIM is not required by DMARC. However, setting up DKIM keeps false negatives in DMARC authentication at the minimum.
Protect Your Business Email
Get a 14 day trial. No credit card required.Create Account