Configuring DMARC without DKIM
DMARC Assessment Algorithm
The DMARC assessment algorithm is a boolean value that takes into account the authentication results from SPF and DKIM. After which it determines whether or not to accept an email message as legitimate.
The result is dependent on two possible outcomes:
1. Pass: The email either passes both SPF and DKIM authentication OR just one of these. So it is considered to be clean. And is therefore accepted by the receiving server.
To put the “pass” authentication algorithm into simple equations:
| DMARC authentication pass = SPF record with a valid SPF identifier alignment + DKIM record with a valid DKIM identifier alignment |
OR (when DKIM is missing)
| DMARC authentication pass = SPF record with a valid SPF identifier alignment |
OR (when SPF is missing)
| DMARC authentication pass = DKIM record with a valid DKIM identifier alignment |
2. Fail: The message failed both SPF and DKIM authentication checks, indicating that it is either malformed or contains malicious content.
Can I Set Up DMARC without DKIM?
DMARC passes in the three following scenarios:
- both valid SPF and DKIM are there
- valid SPF without DKIM is there
- valid DKIM without SPF is there
So yes, you can set up DMARC without DKIM.
DMARC is built upon SPF and DKIM for authentication purposes, but they are orthogonal technologies.
In a general sense, SPF is a “path authorization” mechanism, which means it permits an IP to send messages on behalf of a given domain. DKIM, on the other hand, is a “content integrity” mechanism, which means it ensures that what you send doesn’t change when it reaches the server.
This means that they do not rely on each other for their effectiveness; they can be used in parallel or even independently of each other.
However, it is recommended that you use both SPF and DKIM together with DMARC as they work together to provide more robust DMARC authentication capabilities. DMARC without DKIM, though possible, is not a recommended practice.
How Do Email Clients Treat Emails without DKIM?
Most email clients treat emails that do not have DKIM as spam.
In some cases, this can result in the message being flagged by the receiver’s email server and marked as spam.
Some email service providers may also show your messages to recipients as originating from a different domain than what you intended.
For example, in Outlook and Gmail, your email without DKIM will display in the recipient’s inbox with the correct FROM address but being “sent by” or “via” someone else.
This can be confusing for recipients and may even lead them to believe that someone else sent them the message instead of you.
Example #1 (Outlook)
Fig.1 Without DKIM: Outlook shows the “sent by” address in the recipient’s inbox.
Fig.2 With DKIM: Outlook shows the FROM address only.
Example #2 (Gmail)
Fig.3 Without DKIM: Gmail shows “via” address in the recipient’s inbox.
Fig.4 With DKIM: Gmail shows the FROM address only.
If DKIM is present in your email, though, the above-mentioned problems aren’t likely to happen. The sending server is no longer shown on the client’s screen, so there’s less chance of going into spam or junk folders. And the only information they have is the FROM address—which means high trust factors for sending companies who are looking for customers through email marketing strategies.
Consequences of Setting Up DMARC with and DMARC without DKIM
Setting up DMARC with DKIM can help prevent your email messages from being flagged by spam filters and blocked.
However, setting up DMARC without DKIM can result in an increase in false positives as well as delays when a recipient tries to verify the sender’s email address.
In this section, we’ll look at some of the possible consequences of setting up DMARC with and DMARC without DKIM.
1. When Verifying Email Trust
With the SPF-based approach only, the DMARC protection would be limited to the invisible “envelope sender” addresses (MAIL FROM or Return-path). These are used for receiving bounces (Non-Delivery Reports) from senders.
However, when DKIM is combined with SPF, the DMARC protection is enabled for the “header From:” address as well as those addresses which are visible to recipients. Thereby, providing more sense of email trust than using DMARC with SPF alone.
2. When Forwarding Emails
SPF authentication works by sending an email that contains your SPF record (the IP address of the server you want to send emails from) to another server. The other server then authenticates whether or not this IP address is registered with them and returns with their own SPF record—if they don’t have one, they reject the request.
Now in the case of email forwarding, the SPF authentication can fail because there are no guarantees that the intermediate server’s IP address is on the SPF list for the sending domain. As a result of this, a legitimate email without a DKIM signature will fail the DMARC authentication, resulting in a false negative.
If DKIM had been configured on this domain, the false negative would not have occurred.
But why?
The DKIM signature (d=) is attached to the email body itself, whereas SPF is attached to the ‘Return-Path’ header.
In the case of email forwarding, the body of the email is not touched or modified, therefore the DKIM signature (d=) contained within the email body stays intact. It means the identity of the sender can be verified with the public key and private key pair included in the email body and DMARC authentication is passed.
SPF, on the other hand, is attached to the ‘Return-Path’ header, which changes in the case of email forwarding. So its validity is not verified, resulting in a false negative.
To conclude, SPF authentication fails due to email forwarding, but DKIM survives email forwarding because it is attached to the email body. Therefore, it is important to set up DMARC with DKIM as well.
3. When Updating IP Address
When you send an email, the receiving server checks the email’s header to see if it has been tampered with. If it has, then the receiving server rejects your message and sends you a notification.
This is where SPF comes in. SPF checks that your IP address is listed as a valid one on the sending server’s SPF record (in other words, that there are no spoofed IP addresses).
If your IP address changes, then your SPF record needs to be updated with the new address. The time that this takes depends on how often you change your IP address—in most cases, it takes up to 48 hours for the new SPF record to go into effect.
So what will happen if your email provider adds a new IP to their range? In this case, your email delivery may be delayed because of the propagation time of the SPF record update.
However, once you have both DKIM and SPF configured, you can get around this problem by using DKIM’s cryptographic signature to prove that the mail server at sender@yourdomain.com was authorized to send it.
This means that even if their IP range changes, DKIM will still be able to verify that emails coming from certain domains are authentic and legitimate.
Using DMARC without DKIM: The Possible OK/FAIL Scenarios
When you use the DKIM and SPF mechanisms, you’re effectively using two different tools to achieve the same goal: preventing spoofing.
They both work independently, but they can fail independently as well. For instance, SPF can fail independently of DKIM, and DKIM can fail independently of SPF.
Here are the four possible OK/FAIL scenarios of setting up DMARC without or without DKIM:
| Scenario | Meaning | Email Delivery Status |
| SPF ok, DKIM ok | It ensures that emails are sent from a legitimate source. The server is authorized to send mail because it has a valid SPF record and a valid DKIM signature. | Delivered in inbox |
| SPF ok, DKIM fails | It means that the mail is delivered by an authorized server, but the validation of its DKIM signature fails. | Delivered in spam or junk folder |
| SPF fails, DKIM ok | It means the mail’s DKIM signature is valid, but the sending server does not have the authorization to deliver the mail. | Delivered in spam or junk folder |
| SPF fails, DKIM fails | If both SPF and DKIM fail, then an email is considered to be spoofed and will be rejected by any recipient’s DMARC-enabled mail server. | Not Delivered / Rejected |
Standard Email Protocols: SMTP, POP3 & IMAP Free4 m- What is Email Security? Free4 m
- Email Security Practices Free4 m
- Building an Email Security Compliance Model Free5 m
- Corporate Email Security Checklist Free3 m 30 s
- What is the difference between Inbound email security and outbound email security? Free4 m
- What is Information Security? Free4 m
- Zero Trust Security Model Free3 m
- What is SPF Alignment? Free3 m
- How to Set Up Microsoft Office 365 SPF record? Free4 m
- How to Set Up Google Workspace SPF Record? Free2 m
- How to Set Up MailChimp SPF Record? Free3 m
- How to Set Up SendGrid SPF Record? Free2 m
- How to Set Up Salesforce SPF Record? Free3 m
- How to Setup Zoho Mail SPF Record? Free2 m
- What is DMARC Compliance? Free2 m
- The Benefits of DMARC Free2 m
- DMARC Configuring Free3 m
- Achieving DMARC Enforcement Free2 m
- DMARC Vs Antispam Solutions Free2 m
- DMARC Identifier Alignment Free2 m
- DMARC sp Tag Exceptions & Uses Free1 m
- Configuring DMARC without DKIM Free3 m
- Configuring DMARC without SPF Free2 m
- DMARC Aggregate Report Views Free3 m
Video - PowerDMARC Aggregate Reports Free2 m 13 s- DMARC Forensic Report Views Free2 m
- Video - PowerDMARC Forensic Reports Free
- DMARC Forensic PGP Encryption and Decryption Free2 m
- TLS Report Views Free3 m
- Video - PowerDMARC TLS Reports Free
- PDF/CSV Reports Free2 m
- Video - PowerDMARC PDF/CSV Reports Free1 m 1 s