You don't need to set up both; if one or the other passes, it will pass DMARC. 
If SPF fails or doesn't exist, AND DKIM fails or doesn't exist, then DMARC will 
fail and will take the action in the p=<policy> published in the DMARC record 
(unless the receiver overrides it with a local rule).

However, in my experience, if you publish p=quarantine or p=reject, you 
probably should have both SPF and DKIM set up. The reason is that a lot of mail 
is forwarded. While it may pass SPF/DKIM/DMARC at the original recipient, it 
will fail SPF at the forwarded-to recipient. This would fail DMARC unless you 
also had DKIM.

So, you can get away with only SPF or only DKIM with p=none, but going to 
p=reject/quarantine you should probably have both SPF and DKIM (unless you 
determine that the forwarded mail problem isn't much volume).

-- Terry

-----Original Message-----
From: dmarc-discuss [mailto:dmarc-discuss-boun...@dmarc.org] On Behalf Of 
Carlos P via dmarc-discuss
Sent: Wednesday, August 12, 2015 10:47 AM
To: dmarc-discuss@dmarc.org
Subject: [dmarc-discuss] [Newbie warning] Both spf and dkim?

Hello,  


I am new to DMARC and have a question: Is it necessary to set up both SPF and 
DKIM in order to "quarantine" or "reject"? I cannot tell that from the RFC[1], 
nor from searching this list, but there are some other places [2][3] that say so.


Is not finding a DKIM or SPF record considered a failure by itself when p!=none?

If so, I would like to know the rationale behind it. Is it to make it a little 
more resilient to "small" and transient mistakes?

Thank you


[1] http://tools.ietf.org/html/rfc7489

"2.  Receivers compare the RFC5322.From address in the mail to the SPF
and DKIM results, if present, and the DMARC policy in DNS."

later

"Identifier Alignment:  When the domain in the RFC5322.From address
matches a domain validated by SPF or DKIM (or both), it has
Identifier Alignment"

[2] https://support.google.com/a/answer/2466563

"Important: Before creating a DMARC record for your Google Apps domain, you 
must first set up DKIM authentication. If you fail to set up DKIM first, email 
from services such as Google Calendar will fail mail authentication and will 
not be delivered to users."


[3] http://blog.endpoint.com/2014/04/spf-dkim-and-dmarc-brief-explanation.html

"DMARC can (and will) break your mail flow if you don't set up both SPF and 
DKIM before changing DMARC policy to anything above 'none'."

--

Carlos Pantelides 
@dev4sec
seguridad-agile.blogspot.com
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
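
The evaluation discussed in this thread, as an added example that is not part of the original messages: DMARC passes when either SPF or DKIM passes for the RFC5322.From domain, and a forwarded message that fails SPF is saved only by an aligned DKIM signature. The function names, the example.com/example.net domains and the scenario data are constructed for illustration; alignment is simplified to an exact domain match, and receiver-side local overrides are not modelled.

```python
def aligned(from_domain, authenticated_domain):
    # Assumption: exact match only. Relaxed alignment in RFC 7489 compares
    # organizational domains, which this sketch does not compute.
    return from_domain.lower().rstrip(".") == authenticated_domain.lower().rstrip(".")


def evaluate_dmarc(from_domain, policy, spf=None, dkim=()):
    """Return (dmarc_result, action) for one message.

    spf:  (result, mailfrom_domain), or None when no SPF result exists.
    dkim: iterable of (result, d_domain); empty when the message is unsigned.
    """
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1])
    dkim_ok = any(res == "pass" and aligned(from_domain, d) for res, d in dkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return ("pass", "deliver")
    # Both mechanisms failed or were absent: apply the published p= policy.
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", actions[policy])


# Constructed scenarios for mail with "From: user@example.com".
SCENARIOS = {
    "direct, SPF only": {"spf": ("pass", "example.com"), "dkim": []},
    # A forwarder relays from its own IP, so SPF for example.com fails.
    "forwarded, SPF only": {"spf": ("fail", "example.com"), "dkim": []},
    # The DKIM signature travels with the message and still verifies.
    "forwarded, SPF + DKIM": {"spf": ("fail", "example.com"),
                              "dkim": [("pass", "example.com")]},
    "no SPF, no DKIM": {"spf": None, "dkim": []},
    # A valid signature from another domain does not align with From.
    "forwarded, unaligned DKIM": {"spf": ("fail", "example.com"),
                                  "dkim": [("pass", "mailer.example.net")]},
}


def run(policy):
    return {name: evaluate_dmarc("example.com", policy, **auth)
            for name, auth in SCENARIOS.items()}


if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        print(f"p={policy}")
        for name, (result, action) in run(policy).items():
            print(f"  {name:28} dmarc={result:4} action={action}")
```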
