DMARC requires either valid, aligned SPF or valid, aligned DKIM. That's how DMARC works. DKIM provides a way to verify signed email but doesn't enforce it, so it doesn't prevent spoofing alone, since it's not mandatory. SPF hardly does anything without DMARC due to alignment.
Yes, I largely agree.
I’ve had SPF, DKIM, and DMARC configured on my domains for years.
The key word is “either”, meaning that one (SPF) is sufficient for DMARC.
Should you have DKIM too? Yes.
Is DKIM technically required? I don’t think so.
I’d have to go back and re-read minutia of multiple RFCs.
But I’d rather exert less effort and use DKIM. Like I have done.
No one said DKIM is required. To prevent spoofing email from a domain to properly configured servers, only a DMARC p=reject policy is required. That requires that there is either valid, aligned DKIM or valid, aligned SPF. Lack of a DKIM / SPF setup will result in rejection.
If you want to extend the topic to actually sending email that passes DMARC, then sure, you can implement that with either SPF or DKIM instead of both. That's how DMARC works. However, if you only do SPF, you won't be able to send email via mailing lists / relays like with DKIM.
DKIM + DMARC is a lot more flexible because mails can be forwarded as usual, and it remains valid as long as there's no tampering with the email. A mailing list can still prepend List-Unsubscribe and other headers that aren't oversigned. DMARC with SPF only works directly.
If I configure DKIM and DMARC, I should _not_ have SPF records? Various (unauthoritative) sources had me convinced that I needed SPF as well.
I ran mailing lists for many years without problems (and without DMARC, DKIM, and SPF), but last year that became unworkable.
DMARC verification will pass with DMARC and DKIM set up properly. A DMARC policy with p=reject is fully compatible with mailing lists as long as they don't tamper with emails. Mailing list software should leave emails alone. They shouldn't tamper with signed headers / content.
Mailing list software has mostly been updated to be compatible with DMARC by respecting DKIM. If the software is misconfigured to tamper with emails while still claiming they came from the original source, which is not true, DMARC will result in them being rejected/quarantined.
Solution: do not spoof emails. Mailing list software can still add List-Unsubscribe and other headers that are not oversigned. It can modify headers that are not signed. If the administrator insists on modifying the subject, content, etc. then the software has to change FROM.
It makes sense to set up a hard fail SPF record. However, you don't need SPF to pass DMARC. You need DKIM to pass DMARC in a way that works with relays / mailing lists. SPF is optional. SPF without DMARC is pretty close to useless. You might as well set up hard fail SPF though.
A hard fail SPF policy permitting only your mail server will NOT reduce compatibility with mailing lists. SPF passes based on MAIL FROM. Only DMARC requires alignment between SPF and the FROM header, and if there's a valid DKIM signature, it's not needed. One is needed, not both.
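The alignment rules the thread keeps returning to (SPF judged on the MAIL FROM domain, DMARC needing either an aligned SPF pass or an aligned DKIM pass, and only DKIM surviving a mailing list), worked through as an added Python example that is not from any of the participants; the domains are placeholders and the organizational-domain helper is a simplified assumption standing in for a Public Suffix List lookup.

```python
# Added example (not from the thread): a minimal DMARC alignment evaluator
# following RFC 7489 section 3.1, showing why a DKIM-signed message survives
# mailing-list forwarding (SPF unaligned, DKIM aligned) while SPF-only does not.
# org_domain() is a stand-in (last two labels) for a real Public Suffix List lookup.

def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_passes(from_domain, spf_result, mail_from_domain, dkim_results,
                 aspf="r", adkim="r"):
    """from_domain: RFC5322.From domain; spf_result: 'pass'/'fail'/'none';
    mail_from_domain: RFC5321.MailFrom domain; dkim_results: list of
    (d= domain, result). DMARC passes if EITHER identifier is an aligned pass."""
    spf_ok = (spf_result == "pass" and mail_from_domain is not None
              and aligned(mail_from_domain, from_domain, aspf))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for d, res in dkim_results)
    return spf_ok or dkim_ok

# Constructed scenarios (domains are placeholders)
def direct_send():
    # Own server, bounce subdomain as MAIL FROM: relaxed SPF aligns, DKIM aligns.
    return dmarc_passes("example.com", "pass", "bounce.example.com",
                        [("example.com", "pass")])

def direct_send_strict_spf_only():
    # Same message, no DKIM, aspf=s: bounce.example.com != example.com -> fail.
    return dmarc_passes("example.com", "pass", "bounce.example.com", [], aspf="s")

def via_list_with_dkim():
    # List re-sends under its own MAIL FROM: SPF passes for the list domain but
    # is not aligned; the untouched DKIM signature still aligns -> DMARC pass.
    return dmarc_passes("example.com", "pass", "lists.example.org",
                        [("example.com", "pass")])

def via_list_spf_only():
    # Same forwarding but the sender only set up SPF: nothing aligns -> reject.
    return dmarc_passes("example.com", "pass", "lists.example.org", [])

def via_list_tampered():
    # List rewrote signed content, breaking DKIM; SPF unaligned too -> reject.
    return dmarc_passes("example.com", "pass", "lists.example.org",
                        [("example.com", "fail")])
```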