question

0 Votes
fsdg-2871 asked emailauth answered

DMARC without DKIM

Hello,

Is it possible to implement a DMARC record without DKIM? Only an SPF record and DMARC.

Current SPF record looks like this:
v=spf1 mx include:spf.protection.outlook.com ip4:x.x.x.x ~all

I am planning to implement DMARC like this:
v=DMARC1; p=none; rua=mailto:dmarc@exampledomain.com; ruf=mailto:dmarc@exampledomain.com; fo=1

Any advice?


Thank you

office-exchange-online-itpro office-exchange-server-mailflow

1 Vote
AndyDavid answered

Yes, you can do that:
https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/

I would read through this and understand the limitations if you don't deploy DKIM; otherwise you can do that, yes.


1 Vote
KaelYao-MSFT answered AndyDavid commented

Hi @fsdg-2871

Yes, it is possible to only use SPF and DMARC.
However, as documented in this link: Use DKIM to validate outbound email sent from your custom domain

In this example, the email is first sent by Contoso.com to Woodgrovebank.com, and later forwarded by Woodgrovebank.com to Outlook.com.
If you only set up SPF and DMARC without DKIM, the IP address of Woodgrovebank.com is not contained in the SPF record and Outlook.com will mark the forwarded email as spam since SPF (as well as DMARC) fails.
In this case, you may need to set up DKIM.


By default Microsoft 365 will enable DKIM for you.
For more details, please refer to this link: Use DKIM to validate outbound email sent from your custom domain



Note that's only true for the default domain onmicrosoft.com, not the vanity domain which most orgs will send from.

0 Votes 0 ·
0 Votes
fsdg-2871 answered KaelYao-MSFT commented


DMARC.org:

"The first step for anybody sending email for business should be to start collecting and reviewing DMARC aggregate reports for their domain(s). The information these reports provide about all messages, legitimate or otherwise, that use your domain is very useful.

In addition to seeing whether or not somebody is impersonating your domain, these reports provide excellent visibility into all the authorized senders using your domain – even the ones nobody told you about. Every sizeable organization that has gone through this stage has discovered important, and sometimes shocking things about in-house servers or legitimate third-party senders using their domain.

No matter what your plans are for email authentication, and even if you aren’t using SPF or DKIM, you should start collecting and reviewing the aggregate reports for your domain."

https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/

So, I presume it is OK without DKIM, but I need to add p=none to the DMARC record.

"A none policy (p=none) is relaxed and provides zero enforcement, as every email that is received by the recipient’s email server lands into their inbox, whether or not they fail authentication. "


You start with "none", yes.
Then move to "quarantine" or "reject" once you feel you have identified all IPs that send as your org and have added them to your SPF record.

1 Vote 1 ·

Hi @fsdg-2871

Do the suggestions above help? If you have any questions or need further help on this issue, please feel free to post back.

0 Votes 0 ·
0 Votes
emailauth answered

Yes, you can set up DMARC without using DKIM and solely using DMARC and SPF. In this situation, the DKIM check always fails, leaving DMARC authentication to SPF check and SPF identifier alignment, which is still functional but not ideal.

Equation for DMARC authentication

The SPF authentication result and the DKIM authentication result are both important in determining the DMARC authentication result. When ANY of the following conditions are met, an email passes DMARC authentication:

  • It has SPF identifier alignment and passes SPF authentication;

  • it has DKIM identifier alignment and passes DKIM authentication.

To simplify things, consider the following:

"(SPF authentication pass AND SPF identifier alignment) OR (DKIM authentication pass AND DKIM identifier alignment) = DMARC authentication pass"

DMARC without DKIM

Now that DKIM is missing, the equation becomes:

"SPF authentication pass AND SPF identifier alignment = DMARC authentication pass"

In other words, the outcome of DMARC authentication is fully determined by the result of SPF authentication and the presence of SPF identifier alignment.
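The rule above, worked through as an added example (not part of the original answer), using constructed scenarios modelled on the Contoso to Woodgrovebank to Outlook.com forwarding case from earlier in the thread. The function names are hypothetical, and the organizational domain is approximated as the last two labels, where real receivers use the Public Suffix List.

```python
# Added example: DMARC result from SPF/DKIM results plus identifier alignment.
# Assumption: the organizational domain is approximated as the last two labels;
# real receivers consult the Public Suffix List instead.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_pass(from_domain, spf_result, mail_from, dkim_sigs=(),
               aspf_strict=False, adkim_strict=False):
    """dkim_sigs: (result, d= domain) pairs, one per DKIM signature on the message."""
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain, aspf_strict)
    dkim_ok = any(result == "pass" and aligned(d, from_domain, adkim_strict)
                  for result, d in dkim_sigs)
    return spf_ok or dkim_ok

# Constructed scenarios for mail with a From: address at contoso.com.
SCENARIOS = {
    "direct, SPF only":
        dict(from_domain="contoso.com", spf_result="pass", mail_from="contoso.com"),
    # Forwarder keeps the original MAIL FROM; its IP is not in Contoso's SPF record.
    "forwarded, SPF only":
        dict(from_domain="contoso.com", spf_result="softfail", mail_from="contoso.com"),
    # Forwarder rewrites MAIL FROM: SPF passes, but for a domain that is not aligned.
    "forwarded, MAIL FROM rewritten":
        dict(from_domain="contoso.com", spf_result="pass", mail_from="woodgrovebank.com"),
    # A DKIM signature survives forwarding as long as the message is not modified.
    "forwarded, DKIM signed":
        dict(from_domain="contoso.com", spf_result="softfail", mail_from="contoso.com",
             dkim_sigs=[("pass", "contoso.com")]),
}

def evaluate_all():
    return {name: dmarc_pass(**kwargs) for name, kwargs in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:32} DMARC {'pass' if ok else 'fail'}")
```

With SPF as the only mechanism, both forwarding variants fail DMARC; only the DKIM-signed message still passes after forwarding.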


