The answer is yes, you can configure DMARC without DKIM.
But is it a good idea to do so?
This article explores this question. And discusses the consequences of configuring DMARC without DKIM.
Understanding DMARC Authentication Standards
DMARC is a protocol that allows you to authenticate email messages from your domain. It uses a set of rules to determine whether or not an email message is legitimate.
SPF and DKIM are two other protocols that are used for authentication purposes in the context of DMARC.
SPF is an acronym for Sender Policy Framework—it specifies how mail providers can verify senders’ identities and block spam messages.
DKIM is an acronym for DomainKeys Identified Mail—it works by encrypting the message at the time it’s sent, then using public-key cryptography to sign it again when it reaches its destination server.
DMARC, SPF, and DKIM – when combined – form three pillars of email authentication. They ensure that your emails are not forged, tampered with, or hacked by third parties.
DMARC Assessment Algorithm
The DMARC assessment algorithm is a boolean value that takes into account the authentication results from SPF and DKIM. After which it determines whether or not to accept an email message as legitimate.
The result is dependent on two possible outcomes:
1. Pass: The email either passes both SPF and DKIM authentication OR just one of these. So it is considered to be clean. And is therefore accepted by the receiving server.
To put the “pass” authentication algorithm into simple equations:
| DMARC authentication pass = SPF record with a valid SPF identifier alignment + DKIM record with a valid DKIM identifier alignment |
OR (when DKIM is missing)
| DMARC authentication pass = SPF record with a valid SPF identifier alignment |
OR (when SPF is missing)
| DMARC authentication pass = DKIM record with a valid DKIM identifier alignment |
2. Fail: The message failed both SPF and DKIM authentication checks, indicating that it is either malformed or contains malicious content.
Can I Set Up DMARC without DKIM?
DMARC passes in the three following scenarios:
- both valid SPF and DKIM are there
- valid SPF without DKIM is there
- valid DKIM without SPF is there
So yes, you can set up DMARC without DKIM.
DMARC is built upon SPF and DKIM for authentication purposes, but they are orthogonal technologies.
In a general sense, SPF is a “path authorization” mechanism, which means it permits an IP to send messages on behalf of a given domain. DKIM, on the other hand, is a “content integrity” mechanism, which means it ensures that what you send doesn’t change when it reaches the server.
This means that they do not rely on each other for their effectiveness; they can be used in parallel or even independently of each other.
However, it is recommended that you use both SPF and DKIM together with DMARC as they work together to provide more robust DMARC authentication capabilities. DMARC without DKIM, though possible, is not a recommended practice.
How Do Email Clients Treat Emails without DKIM?
Most email clients treat emails that do not have DKIM as spam.
In some cases, this can result in the message being flagged by the receiver’s email server and marked as spam.
Some email service providers may also show your messages to recipients as originating from a different domain than what you intended.
For example, in Outlook and Gmail, your email without DKIM will display in the recipient’s inbox with the correct FROM address but being “sent by” or “via” someone else.
This can be confusing for recipients and may even lead them to believe that someone else sent them the message instead of you.
Example #1 (Outlook)
Fig.1 Without DKIM: Outlook shows the “sent by” address in the recipient’s inbox.
Fig.2 With DKIM: Outlook shows the FROM address only.
Example #2 (Gmail)
Fig.3 Without DKIM: Gmail shows “via” address in the recipient’s inbox.
Fig.4 With DKIM: Gmail shows the FROM address only.
If DKIM is present in your email, though, the above-mentioned problems aren’t likely to happen. The sending server is no longer shown on the client’s screen, so there’s less chance of going into spam or junk folders. And the only information they have is the FROM address—which means high trust factors for sending companies who are looking for customers through email marketing strategies.
Consequences of Setting Up DMARC with and DMARC without DKIM
Setting up DMARC with DKIM can help prevent your email messages from being flagged by spam filters and blocked.
However, setting up DMARC without DKIM can result in an increase in false positives as well as delays when a recipient tries to verify the sender’s email address.
In this section, we’ll look at some of the possible consequences of setting up DMARC with and DMARC without DKIM.
1. When Verifying Email Trust
With the SPF-based approach only, the DMARC protection would be limited to the invisible “envelope sender” addresses (MAIL FROM or Return-path). These are used for receiving bounces (Non-Delivery Reports) from senders.
However, when DKIM is combined with SPF, the DMARC protection is enabled for the “header From:” address as well as those addresses which are visible to recipients. Thereby, providing more sense of email trust than using DMARC with SPF alone.
2. When Forwarding Emails
SPF authentication works by sending an email that contains your SPF record (the IP address of the server you want to send emails from) to another server. The other server then authenticates whether or not this IP address is registered with them and returns with their own SPF record—if they don’t have one, they reject the request.
Now in the case of email forwarding, the SPF authentication can fail because there are no guarantees that the intermediate server’s IP address is on the SPF list for the sending domain. As a result of this, a legitimate email without a DKIM signature will fail the DMARC authentication, resulting in a false negative.
If DKIM had been configured on this domain, the false-negative would not have occurred.
But why?
The DKIM signature (d=) is attached to the email body itself, whereas SPF is attached to the ‘Return-Path’ header.
In the case of email forwarding, the body of the email is not touched or modified, therefore the DKIM signature (d=) contained within the email body stays intact. It means the identity of the sender can be verified with the public key and private key pair included in the email body and DMARC authentication is passed.
SPF, on the other hand, is attached to the ‘Return-Path’ header, which changes in the case of email forwarding. So its validity is not verified, resulting in a false negative.
To conclude, SPF authentication fails due to email forwarding, but DKIM survives email forwarding because it is attached to the email body. Therefore, it is important to set up DMARC with DKIM as well.
3. When Updating IP Address
When you send an email, the receiving server checks the email’s header to see if it has been tampered with. If it has, then the receiving server rejects your message and sends you a notification.
This is where SPF comes in. SPF checks that your IP address is listed as a valid one on the sending server’s SPF record (in other words, that there are no spoofed IP addresses).
If your IP address changes, then your SPF record needs to be updated with the new address. The time that this takes depends on how often you change your IP address—in most cases, it takes up to 48 hours for the new SPF record to go into effect.
So what will happen if your email provider adds a new IP to their range? In this case, your email delivery may be delayed because of the propagation time of the SPF record update.
However, once you have both DKIM and SPF configured, you can get around this problem by using DKIM’s cryptographic signature to prove that the mail server at [email protected] was authorized to send it.
This means that even if their IP range changes, DKIM will still be able to verify that emails coming from certain domains are authentic and legitimate.
Using DMARC without DKIM: The Possible OK/FAIL Scenarios
When you use the DKIM and SPF mechanisms, you’re effectively using two different tools to achieve the same goal: preventing spoofing.
They both work independently, but they can fail independently as well. For instance, SPF can fail independently of DKIM, and DKIM can fail independently of SPF.
Here are the four possible OK/FAIL scenarios of setting up DMARC without or without DKIM:
| Scenario | Meaning | Email Delivery Status |
| SPF ok, DKIM ok | It ensures that emails are sent from a legitimate source. The server is authorized to send mail because it has a valid SPF record and a valid DKIM signature. | Delivered in inbox |
| SPF ok, DKIM fails | It means that the mail is delivered by an authorized server, but the validation of its DKIM signature fails. | Delivered in spam or junk folder |
| SPF fails, DKIM ok | It means the mail’s DKIM signature is valid, but the sending server does not have the authorization to deliver the mail. | Delivered in spam or junk folder |
| SPF fails, DKIM fails | If both SPF and DKIM fail, then an email is considered to be spoofed and will be rejected by any recipient’s DMARC-enabled mail server. | Not Delivered / Rejected |
A Complete DMARC Implementation Is The Need Of The Hour!
SPF and DKIM are the most common email protection mechanisms used for implementing a proper DMARC record to prevent email spoofing. When a proper DMARC implementation is applied to your existing email infrastructure, your email messages are delivered as intended. This means fewer spam complaints, fewer false positives in blacklists, and better deliverability statistics for all of your subscribers.
PowerDMARC offers complete DMARC implementation services with DKIM, SPF, and DMARC policies created for your domain. Thereby, helping you achieve more reliable results from your emails.
Generate DKIM record online or grab your free DMARC trial for a complete solution to the complex and ever-changing world of email security.
- Email Data Loss Prevention with DMARC - August 8, 2022
- DMARC Subdomain Delegation - August 5, 2022
- Who is a DMARC Advisor & Why Do You Need One? - August 4, 2022
