SPF and DMARC - do we require both?

DaNmAN 201 Reputation points


I have setup SPF in my domain and it is working as expected.

It has been suggested that I also setup dmarc to work alongside this for extra security.

I have read on various sites that SPF has the following limitations

SPF does not require any alignment between the end-user's visible domain and the typically invisible Return-Path that it actually checks.

My query is around the part stating that SPF does not require any alignment between the From address and the return path address. Why would this even matter as if the IP the email comes from doesn't match the IP in my SPF record then SPF will fail and the email will be rejected.

Why in this case would it matter if the from address does not match the return path? If someone attempts to send pretending to be from my domain surely the IP address they send from will not match the IP in the SPF record so DMARC is not really required?

I understand however if an email is forwarded then SPF might fail as the IP will change so is that when DMARC would be useful?

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,389 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 142.7K Reputation points MVP

    So consider a scenario where someone is spoofing your domain by setting the FROM as your domain and it passes SPF because the messages are really coming from that compromised IP address even though the return-path (the mail from) isn't your domain.

    Those messages will pass SPF and will be accepted by the recipients.

    However, if you are using DMARC and the recipient domain is checking, it will fail DMARC because the return-path ( though sent from a valid IP that isnt yours) doesnt match the FROM in the header.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Joyce Shen - MSFT 16,646 Reputation points

    Hi @DaNmAN

    Agree with Andy, and the official document introduces the scenario as well:
    How do SPF and DMARC work together to protect email in Microsoft 365?


    SPF uses a DNS TXT record to provide a list of authorized sending IP addresses for a given domain. Normally, SPF checks are only performed against the 5321.MailFrom address. This means that the 5322.From address is not authenticated when you use SPF by itself. This allows for a scenario where a user can receive a message, which passes an SPF check but has a spoofed 5322.From sender address.

    In this transcript, the sender addresses are as follows:

    Mail from address (5321.MailFrom): phish@phishing.contoso.com

    From address (5322.From): security@woodgrovebank.com

    If you configured SPF, then the receiving server performs a check against the Mail from address phish@phishing.contoso.com. If the message came from a valid source for the domain phishing.contoso.com, then the SPF check passes. Since the email client only displays the From address, the user sees that this message came from security@woodgrovebank.com. With SPF alone, the validity of woodgrovebank.com was never authenticated.

    When you use DMARC, the receiving server also performs a check against the From address. In the example above, if there is a DMARC TXT record in place for woodgrovebank.com, then the check against the From address fails.

    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. DaNmAN 201 Reputation points

    thanks both that has helped greatly

    0 comments No comments