This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 12%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello,
is it possible to implement DMARC record without DKIM.Only SPF record and DMARC.
Current SPF record looks like this:
v=spf1 mx include:spf.protection.outlook.com ip4:x.x.x.x ~all
I am planning to implement dmarc like this:
v=DMARC1; p=none; rua=mailto:@exampledomain.com; ruf=mailto:@exampledomain.com; fo=1
Any advice?
Thank you
A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.
The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.
Answer accepted by question author
Yes, you can do that:
https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/
I would read through this and understand the limitations if you dont deploy DKIM, otherwise you can do that, yes.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @Andy
Yes, it is possible to only use SPF and DMARC.
However, as documented in this link: Use DKIM to validate outbound email sent from your custom domain
In this example, the email is first sent by Contoso.com to Woodgrovebank.com, and later forwarded by Woodgrovebank.com to Outlook.com.
If you only setup SPF and DMARC without DKIM, the ip address of Woodgrovebank.com is not contained in the SPF record and Outlook.com will mark the forwarded email as spam since SPF (as well as DMARC) fails.
In this case, you may need to setup DKIM.
By default Microsoft 365 will enable DKIM for you.
For more details, please refer to this link: Use DKIM to validate outbound email sent from your custom domain
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Note thats only true for the default domain onmicrosoft.com , not the vanity domain which most orgs will send from.
Yes, you can set up DMARC without using DKIM and solely using DMARC and SPF. In this situation, the DKIM check always fails, leaving DMARC authentication to SPF check and SPF identifier alignment, which is still functional but not ideal.
Equation for DMARC authentication
The SPF authentication result and the DKIM authentication result are both important in determining the DMARC authentication result. When ANY of the following conditions are met, an email passes DMARC authentication:
To simplify things, consider the following:
"(SPF authentication pass AND SPF identifier alignment) OR (DMARC authentication pass) (DKIM authentication pass AND DKIM identifier alignment)"
DMARC without DKIM
Now that DKIM is missing, the equation becomes:
"SPF authentication pass AND SPF identifier alignment = DMARC authentication pass"
In other words, the outcome of DMARC authentication is fully determined by the result of SPF authentication and the presence of SPF identifier alignment.
DMARC.org
"
The first step for anybody sending email for business should be to start collecting and reviewing DMARC aggregate reports for their domain(s). The information these reports provide about all messages, legitimate or otherwise, that use your domain is very useful.
In addition to seeing whether or not somebody is impersonating your domain, these reports provide excellent visibility into all the authorized senders using your domain – even the ones nobody told you about. Every sizeable organization that has gone through this stage has discovered important, and sometimes shocking things about in-house servers or legitimate third-party senders using their domain.
No matter what your plans are for email authentication, and even if you aren’t using SPF or DKIM, you should start collecting and reviewing the aggregate reports for your domain.
"
https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/
So,I presume it is ok without dkim but I need to add p=none to dmarc record
"A none policy (p=none) is relaxed and provides zero enforcement, as every email that is received by the recipient’s email server lands into their inbox, whether or not they fail authentication. "
You start with "none", yes.
Then move to "quarantine" or "reject" once you feel you have identified all IPs that send as your org and have added them to your SPF record.