DKIM + DMARC is a lot more flexible because mails can be forwarded as usual, and it remains valid as long as there's no tampering with the email. A mailing list can still prepend List-Unsubscribe and other headers that aren't oversigned. DMARC with SPF only works directly.
Conversation
If I configure DKIM and DMARC, I should _not_ have SPF records? Various (unauthoritative) sources had me convinced that I needed SPF as well.
I ran mailing lists for many years without problems (and without DMARC, DKIM, and SPF), but last year that became unworkable.
2
DMARC verification will pass with DMARC and DKIM set up properly. A DMARC policy with p=reject is fully compatible with mailing lists as long as they don't tamper with emails. Mailing list software should leave emails alone. They shouldn't tamper with signed headers / content.
2
1
1
Not if there is also an SPF record that rejects the mailing lists MTA and a DMARC policy that wants both SPF and DKIM to pass.
2
1
1
You can't require both DKIM and SPF to pass via DMARC, only that at least one is valid. It boils down to a policy decision by the receiving server. Gmail will tolerate an SPF hard fail if there's a valid aligned DKIM signature.
1
1
2
Ha, Verizon and their managed domains demands both SPF _and_ DKIM to validate and rejects email in the absence of DKIM - that's how they interpret DMARC and I've had no luck in explaining that's wrong.
2
1
1
Do they require that both are aligned, so you can't get email from a mailing list?
It does make sense to validate both SPF and DKIM per their weak rules and then follow it up with DMARC enforcement. That way, one of them can be missing or unaligned, but a failure is rejected.
1
1
1
Correct, but not only, if you publish SPF records but not DKIM they fail delivery to their acquired domains (ameritech, yahoo, etc.) because they forward between mail serversβ¦
2
1
I wonder if this is why Gmail still doesn't have an enforced DMARC policy...
1
Soft vs. hard fail SPF doesn't impact (standard) DMARC enforcement though. DMARC only considers pass vs. not pass and alignment meaningful. If Gmail switched to p=reject, it would stop spoofing.