DMARC without SPF

Yes, you can set up DMARC without SPF. It is a possibility that you can explore, that a lot of vendors and domain owners do exercise in real-time. This type of deployment practice is however not recommended since a multilayered approach to security can help you combat evolving social engineering attacks. SPF allows you to define a set of authorized senders for your domain which cuts down on spam and helps in achieving compliance, making it a valuable addition to your existing email security posture.

If you still want to leave SPF completely out of the picture here’s how you can do it:

  • Understand how DMARC functions to analyze what works best for you
  • Set up the other necessary standards for an effective roll-out (without SPF)
  • Activate a reporting mechanism for safer deployment and visibility

The DMARC deployment infrastructure

Domain-based Message Authentication, Reporting, and Conformance (DMARC) might seem like a mouthful, but the way it operates is relatively simpler! The functionality of DMARC is dependent on the existence of either of the two standard authentication protocols- DKIM and SPF. Note that I said “either” of the two, signifying that DMARC DOES NOT require both the protocols to function. 

This means that for your messages to pass DMARC authentication on the receiver’s side, it has to align with either SPF (pass SPF check) or DKIM (pass DKIM check), and not both. 

As soon as your email passes SPF or DKIM identifier alignment, it will automatically pass through the DMARC authentication gateway and safely reach your client’s inbox without being blocked or marked as spam.

This means that to set up DMARC without SPF you need to:

  1. Set up DKIM for your domain
  2. Set up DMARC for your domain
  3. Activate reporting to maintain and monitor deliverability

Setting up DMARC without SPF

Step 1: Create and publish a record for DKIM

While doing so you need to make sure you don’t publish more than a single record for the same domain. This simple mistake can invalidate your record and lead to authentication failures.

Use our DKIM generator to create an instant public-private key pair along with a suitable DKIM selector. Publish this record on your DNS to activate the protocol.

Step 2: Create and publish a record for DMARC

Create a single DMARC record for each of your domains using our DMARC generator tool and publish it by accessing your DNS. Your record must have a policy defined for it (reject/quarantine/none)

Note that a DMARC reject policy would not hurt your email deliverability, it would rather work as a stronger gateway against impersonation attacks and spoofing. A none policy on the other hand will provide no protection but is beneficial if you’re just starting out and want to simply monitor your results.

The importance of enabling DMARC reports for safe deployment

If you want to implement DMARC without SPF, you need to enable the reporting mechanism that the protocol generously provides. Once activated you will then receive daily updates in the form of XML files sent to your configured email address or web server.

If you have a PowerDMARC account, we automatically parse your XML files in an organized manner which you can view on your exclusive DMARC report analyzer dashboard. Here’s what it looks like:

The benefits of activating reports are multiple:

  • It can reduce your incident response time by a mile
  • You will stay abreast of any attempted email security attack or data breach
  • It will keep you informed on all email delivery or authentication failures
  • It will help you track your email’s performance and deliverability

What’s your surest bet?

Security experts and industry specialists have been advocating organizations to exercise a multilayered approach towards domain security. Therefore, implementing both SPF and DKIM before activating DMARC is your surest bet at ensuring adequate protection against cyber scams. This will eventually help you achieve 100% DMARC compliance on your emails. We highly recommend implementing SPF. You can sign up for a free DMARC Analyzer now to get the best email authentication backup from a dedicated team of security experts.

Latest posts by Syuzanna Papazyan (see all)