DMARC without DKIM

fsdg 986 Reputation points
2021-04-14T14:33:31.337+00:00

Hello,

Is it possible to implement a DMARC record without DKIM? Only an SPF record and DMARC.

Current SPF record looks like this:
v=spf1 mx include:spf.protection.outlook.com ip4:x.x.x.x ~all

I am planning to implement DMARC like this:
v=DMARC1; p=none; rua=mailto:dmarc@exampledomain.com; ruf=mailto:dmarc@exampledomain.com; fo=1

Any advice?

Thank you


3 additional answers

  1. Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor
    2021-04-15T05:16:31.703+00:00

    Hi @fsdg

    Yes, it is possible to only use SPF and DMARC.
    However, as documented in this link: Use DKIM to validate outbound email sent from your custom domain

    In this example, the email is first sent by Contoso.com to Woodgrovebank.com, and later forwarded by Woodgrovebank.com to Outlook.com.
    If you only set up SPF and DMARC without DKIM, the IP address of Woodgrovebank.com is not contained in the SPF record and Outlook.com will mark the forwarded email as spam since SPF (as well as DMARC) fails.
    In this case, you may need to set up DKIM.


    By default Microsoft 365 will enable DKIM for you.
    For more details, please refer to this link: Use DKIM to validate outbound email sent from your custom domain


    1 person found this answer helpful.

  2. fsdg 986 Reputation points
    2021-04-15T14:06:01.12+00:00

    DMARC.org

    "

    The first step for anybody sending email for business should be to start collecting and reviewing DMARC aggregate reports for their domain(s). The information these reports provide about all messages, legitimate or otherwise, that use your domain is very useful.

    In addition to seeing whether or not somebody is impersonating your domain, these reports provide excellent visibility into all the authorized senders using your domain – even the ones nobody told you about. Every sizeable organization that has gone through this stage has discovered important, and sometimes shocking things about in-house servers or legitimate third-party senders using their domain.

    No matter what your plans are for email authentication, and even if you aren’t using SPF or DKIM, you should start collecting and reviewing the aggregate reports for your domain.
    "

    https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/

    So, I presume it is OK without DKIM, but I need to add p=none to the DMARC record.

    "A none policy (p=none) is relaxed and provides zero enforcement, as every email that is received by the recipient’s email server lands into their inbox, whether or not they fail authentication. "


  3. emailauth 1 Reputation point
    2022-04-29T07:35:44.26+00:00

    Yes, you can set up DMARC without using DKIM and solely using DMARC and SPF. In this situation, the DKIM check always fails, leaving DMARC authentication to SPF check and SPF identifier alignment, which is still functional but not ideal.

    Equation for DMARC authentication

    The SPF authentication result and the DKIM authentication result are both important in determining the DMARC authentication result. When ANY of the following conditions are met, an email passes DMARC authentication:

    • It has SPF identifier alignment and passes SPF authentication;
    • It has DKIM identifier alignment and passes DKIM authentication.

    To simplify things, consider the following:

    "(SPF authentication pass AND SPF identifier alignment) OR (DKIM authentication pass AND DKIM identifier alignment) = DMARC authentication pass"

    DMARC without DKIM

    Now that DKIM is missing, the equation becomes:

    "SPF authentication pass AND SPF identifier alignment = DMARC authentication pass"

    In other words, the outcome of DMARC authentication is fully determined by the result of SPF authentication and the presence of SPF identifier alignment.

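The pass rule from answer 3, applied to the forwarding scenario from answer 1, as an added example that is not part of any post in this thread. The message dictionaries, `bounces.mailer.example`, and the two-label organizational-domain shortcut are assumptions made for illustration; real receivers use the Public Suffix List.

```python
# Added example: DMARC pass/fail derived from SPF and DKIM results.
# All messages below are constructed sample data.

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode="r"):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_eval(msg, aspf="r", adkim="r"):
    """Return (dmarc_pass, spf_ok, dkim_ok) for one message."""
    spf_ok = (msg["spf"] == "pass"
              and aligned(msg["header_from"], msg["mail_from"], aspf))
    # Any one passing, aligned DKIM signature is enough.
    dkim_ok = any(result == "pass" and aligned(msg["header_from"], d, adkim)
                  for d, result in msg.get("dkim", []))
    return (spf_ok or dkim_ok, spf_ok, dkim_ok)

# Constructed messages; domain names follow the forwarding scenario in answer 1.
DIRECT_SPF_ONLY = {"header_from": "contoso.com", "mail_from": "contoso.com",
                   "spf": "pass", "dkim": []}
# Forwarder's IP is not in contoso.com's SPF record, so SPF fails at the next hop.
FORWARDED_SPF_ONLY = dict(DIRECT_SPF_ONLY, spf="fail")
# Same forwarded message, but the original DKIM signature survived forwarding.
FORWARDED_WITH_DKIM = dict(FORWARDED_SPF_ONLY, dkim=[("contoso.com", "pass")])
# SPF passes for a third-party bounce domain that does not align with From.
THIRD_PARTY_UNALIGNED = {"header_from": "contoso.com",
                         "mail_from": "bounces.mailer.example",
                         "spf": "pass", "dkim": []}

if __name__ == "__main__":
    for name in ("DIRECT_SPF_ONLY", "FORWARDED_SPF_ONLY",
                 "FORWARDED_WITH_DKIM", "THIRD_PARTY_UNALIGNED"):
        ok, spf_ok, dkim_ok = dmarc_eval(globals()[name])
        print(f"{name:22} spf_aligned={spf_ok!s:5} dkim_aligned={dkim_ok!s:5} "
              f"dmarc={'pass' if ok else 'fail'}")
```

With `p=none` these failures are only reported in the aggregate (`rua`) data; under `quarantine` or `reject` the SPF-only forwarded message and the unaligned third-party message would be acted on.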