If you want to extend the topic to actually sending email that passes DMARC, then sure, you can implement that with either SPF or DKIM instead of both. That's how DMARC works. However, if you only do SPF, you won't be able to send email via mailing lists / relays like with DKIM.
Conversation
DKIM + DMARC is a lot more flexible because mails can be forwarded as usual, and it remains valid as long as there's no tampering with the email. A mailing list can still prepend List-Unsubscribe and other headers that aren't oversigned. DMARC with SPF only works directly.
2
1
If I configure DKIM and DMARC, I should _not_ have SPF records? Various (unauthoritative) sources had me convinced that I needed SPF as well.
I ran mailing lists for many years without problems (and without DMARC, DKIM, and SPF), but last year that became unworkable.
2
DMARC verification will pass with DMARC and DKIM set up properly. A DMARC policy with p=reject is fully compatible with mailing lists as long as they don't tamper with emails. Mailing list software should leave emails alone. They shouldn't tamper with signed headers / content.
2
1
1
Not if there is also an SPF record that rejects the mailing lists MTA and a DMARC policy that wants both SPF and DKIM to pass.
2
1
1
No, because that's not how SPF works. SPF does not require alignment with the FROM header. A hard fail SPF record permitting only your mail server is NOT incompatible with sending mail via a relay or list. SPF will pass based on MAIL FROM, which is why it doesn't stop spoofing.
1
1
1
Similarly, DKIM doesn't stop spoofing, because it doesn't have a way to mandate having an aligned DKIM signature. A spoofed email can have a valid DKIM signature that's not aligned, or no signature at all, and that's valid. DMARC requires that SPF or DKIM is valid AND aligned.
1
1
1
DMARC doesn't have a way to require that both SPF and DKIM are valid and aligned. It passes when either is valid or aligned. DKIM is the more important option because it's compatible with passing mail through other servers including mailing lists as long as they don't tamper.
1
1
1
You're overestimating the capability of SPF alone. If you set up a hard fail SPF policy permitting only your mail server without DMARC set up, someone can send a spoofed mail using your domain in the FROM address. They just have to use a valid MAIL FROM address (relay) to pass.
1
1
1
It's DMARC that makes SPF and DKIM into technologies that actually work for preventing spoofing. However, it only enforces that one of them is valid and aligned. Turning on the strict modes for both doesn't change that. DMARC would still work fine if it only knew how to use DKIM.
1
1
2
The only purpose of SPF in the original form is preventing spoofing of the final hop for the email. It fully permits arbitrary relaying/forwarding. It didn't stop sending a fake email from someone. It just stopped masquerading as a mail server. DMARC turned it into anti-spoofing.