
Can I set up DMARC without DKIM?


The answer is yes, you can configure DMARC without DKIM.

But is it a good idea to do so?

This article explores this question and discusses the consequences of configuring DMARC without DKIM.

Understanding DMARC Authentication Standards

DMARC is a protocol that allows you to authenticate email messages from your domain. It uses a set of rules to determine whether or not an email message is legitimate.

SPF and DKIM are two other protocols that are used for authentication purposes in the context of DMARC.

SPF is an acronym for Sender Policy Framework—it specifies how mail providers can verify senders’ identities and block spam messages.

DKIM is an acronym for DomainKeys Identified Mail—it works by encrypting the message at the time it’s sent, then using public-key cryptography to sign it again when it reaches its destination server.

DMARC, SPF, and DKIM – when combined – form three pillars of email authentication. They ensure that your emails are not forged, tampered with, or hacked by third parties.

DMARC Assessment Algorithm 

The DMARC assessment algorithm produces a boolean result that takes into account the authentication results from SPF and DKIM, and then determines whether or not to accept an email message as legitimate.

The result is dependent on two possible outcomes:

1. Pass: The email passes either both SPF and DKIM authentication or just one of them, so it is considered to be clean and is therefore accepted by the receiving server.

To put the “pass” authentication algorithm into simple equations:

DMARC authentication pass = SPF record with a valid SPF identifier alignment + DKIM record with a valid DKIM identifier alignment

OR (when DKIM is missing)

DMARC authentication pass = SPF record with a valid SPF identifier alignment

OR (when SPF is missing)

DMARC authentication pass = DKIM record with a valid DKIM identifier alignment

2. Fail: The message failed both SPF and DKIM authentication checks, indicating that it is either malformed or contains malicious content.

Can I Set Up DMARC without DKIM?

DMARC passes in the three following scenarios:

  1. Both valid SPF and valid DKIM are present
  2. Valid SPF is present without DKIM
  3. Valid DKIM is present without SPF

So yes, you can set up DMARC without DKIM.

DMARC is built upon SPF and DKIM for authentication purposes, but they are orthogonal technologies.

In a general sense, SPF is a “path authorization” mechanism, which means it permits an IP to send messages on behalf of a given domain. DKIM, on the other hand, is a “content integrity” mechanism, which means it ensures that what you send doesn’t change when it reaches the server.

This means that they do not rely on each other for their effectiveness; they can be used in parallel or even independently of each other.

However, it is recommended that you use both SPF and DKIM together with DMARC as they work together to provide more robust DMARC authentication capabilities. DMARC without DKIM, though possible, is not a recommended practice. 

How Do Email Clients Treat Emails without DKIM?

Most email clients treat emails that do not have DKIM as spam.

In some cases, this can result in the message being flagged by the receiver’s email server and marked as spam.

Some email service providers may also show your messages to recipients as originating from a different domain than what you intended.

For example, in Outlook and Gmail, your email without DKIM will be displayed in the recipient’s inbox with the correct FROM address but marked as “sent by” or “via” someone else.

This can be confusing for recipients and may even lead them to believe that someone else sent them the message instead of you.

Example #1 (Outlook)

Fig.1 Without DKIM: Outlook shows the “sent by” address in the recipient’s inbox.

Fig.2 With DKIM: Outlook shows the FROM address only.

Example #2 (Gmail)

Fig.3 Without DKIM: Gmail shows “via” address in the recipient’s inbox.

Fig.4 With DKIM: Gmail shows the FROM address only.

If DKIM is present in your email, though, the above-mentioned problems aren’t likely to happen. The sending server is no longer shown on the client’s screen, so there’s less chance of going into spam or junk folders. And the only information they have is the FROM address—which means high trust factors for sending companies who are looking for customers through email marketing strategies.

Consequences of Setting Up DMARC with and DMARC without DKIM

Setting up DMARC with DKIM can help prevent your email messages from being flagged by spam filters and blocked.

However, setting up DMARC without DKIM can result in an increase in false positives as well as delays when a recipient tries to verify the sender’s email address.

In this section, we’ll look at some of the possible consequences of setting up DMARC with and DMARC without DKIM.

1. When Verifying Email Trust

With the SPF-based approach only, the DMARC protection would be limited to the invisible “envelope sender” addresses (MAIL FROM or Return-path). These are used for receiving bounces (Non-Delivery Reports) from senders.

However, when DKIM is combined with SPF, the DMARC protection is enabled for the “header From:” address as well as those addresses which are visible to recipients, thereby providing a greater sense of email trust than using DMARC with SPF alone.

2. When Forwarding Emails

SPF authentication works by sending an email that contains your SPF record (the IP address of the server you want to send emails from) to another server. The other server then authenticates whether or not this IP address is registered with them and returns with their own SPF record—if they don’t have one, they reject the request.

Now in the case of email forwarding, the SPF authentication can fail because there are no guarantees that the intermediate server’s IP address is on the SPF list for the sending domain. As a result of this, a legitimate email without a DKIM signature will fail the DMARC authentication, resulting in a false negative.

If DKIM had been configured on this domain, the false-negative would not have occurred.

But why?

The DKIM signature (d=) is attached to the email body itself, whereas SPF is attached to the ‘Return-Path’ header.

In the case of email forwarding, the body of the email is not touched or modified, therefore the DKIM signature (d=) contained within the email body stays intact. It means the identity of the sender can be verified with the public key and private key pair included in the email body and DMARC authentication is passed.

SPF, on the other hand, is attached to the ‘Return-Path’ header, which changes in the case of email forwarding. So its validity is not verified, resulting in a false negative.

To conclude, SPF authentication fails due to email forwarding, but DKIM survives email forwarding because it is attached to the email body. Therefore, it is important to set up DMARC with DKIM as well.
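The pass rule from the assessment algorithm section and the forwarding case above, worked through as an added example (this is not PowerDMARC's code). Assumptions: the Message fields, the forwarded() model of a relay, the two-label organizational-domain shortcut and the example.com / example.net sample domains are all constructed for illustration.

```python
# Added example (not PowerDMARC code): simplified DMARC pass/fail evaluation.
from dataclasses import dataclass, replace
from typing import Optional


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed needs the same org domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass(frozen=True)
class Message:
    header_from: str               # domain of the visible From: address
    mail_from: str                 # envelope sender (Return-Path) domain, checked by SPF
    spf_result: str                # "pass", "fail" or "none"
    dkim_d: Optional[str] = None   # d= domain of the DKIM signature, None if unsigned
    dkim_result: str = "none"      # "pass", "fail" or "none"


def dmarc_pass(msg: Message, aspf_strict: bool = False, adkim_strict: bool = False) -> bool:
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, aspf_strict)
    dkim_ok = (msg.dkim_d is not None and msg.dkim_result == "pass"
               and aligned(msg.dkim_d, msg.header_from, adkim_strict))
    return spf_ok or dkim_ok       # one aligned pass is enough


def forwarded(msg: Message) -> Message:
    # Model of plain forwarding: the relay's IP is not in the sender's SPF
    # record, so SPF now fails; the message is unchanged, so DKIM is too.
    return replace(msg, spf_result="fail")


# Constructed sample messages for the placeholder domain example.com.
spf_only = Message("example.com", "bounce.example.com", "pass")
spf_and_dkim = replace(spf_only, dkim_d="example.com", dkim_result="pass")
third_party = Message("example.com", "mailer.example.net", "pass")  # SPF passes, not aligned

if __name__ == "__main__":
    for name, m in [("spf_only", spf_only), ("spf_and_dkim", spf_and_dkim), ("third_party", third_party)]:
        print(f"{name:13} direct={dmarc_pass(m)} forwarded={dmarc_pass(forwarded(m))}")
```

The third_party case shows why an SPF pass alone is not sufficient: the envelope domain must also align with the From: domain, which is the "valid SPF identifier alignment" in the equations earlier in the article.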

3. When Updating IP Address

When you send an email, the receiving server checks the email’s header to see if it has been tampered with. If it has, then the receiving server rejects your message and sends you a notification.

This is where SPF comes in. SPF checks that your IP address is listed as a valid one on the sending server’s SPF record (in other words, that there are no spoofed IP addresses).

If your IP address changes, then your SPF record needs to be updated with the new address. The time that this takes depends on how often you change your IP address—in most cases, it takes up to 48 hours for the new SPF record to go into effect.

So what will happen if your email provider adds a new IP to their range? In this case, your email delivery may be delayed because of the propagation time of the SPF record update.

However, once you have both DKIM and SPF configured, you can get around this problem by using DKIM’s cryptographic signature to prove that the mail server at [email protected] was authorized to send it.

This means that even if their IP range changes, DKIM will still be able to verify that emails coming from certain domains are authentic and legitimate.

Using DMARC without DKIM: The Possible OK/FAIL Scenarios

When you use the DKIM and SPF mechanisms, you’re effectively using two different tools to achieve the same goal: preventing spoofing.

They both work independently, but they can fail independently as well. For instance, SPF can fail independently of DKIM, and DKIM can fail independently of SPF.

Here are the four possible OK/FAIL scenarios of setting up DMARC with or without DKIM:


| Scenario | Meaning | Email Delivery Status |
| --- | --- | --- |
| SPF ok, DKIM ok | It ensures that emails are sent from a legitimate source. The server is authorized to send mail because it has a valid SPF record and a valid DKIM signature. | Delivered in inbox |
| SPF ok, DKIM fails | It means that the mail is delivered by an authorized server, but the validation of its DKIM signature fails. | Delivered in spam or junk folder |
| SPF fails, DKIM ok | It means the mail’s DKIM signature is valid, but the sending server does not have the authorization to deliver the mail. | Delivered in spam or junk folder |
| SPF fails, DKIM fails | If both SPF and DKIM fail, then an email is considered to be spoofed and will be rejected by any recipient’s DMARC-enabled mail server. | Not Delivered / Rejected |

 A Complete DMARC Implementation Is The Need Of The Hour!

SPF and DKIM are the most common email protection mechanisms used for implementing a proper DMARC record to prevent email spoofing. When a proper DMARC implementation is applied to your existing email infrastructure, your email messages are delivered as intended. This means fewer spam complaints, fewer false positives in blacklists, and better deliverability statistics for all of your subscribers.

PowerDMARC offers complete DMARC implementation services with DKIM, SPF, and DMARC policies created for your domain, thereby helping you achieve more reliable results from your emails.

Generate DKIM record online or grab your free DMARC trial for a complete solution to the complex and ever-changing world of email security.

June 28, 2022/by Ahona Rudra