On Wed 20/May/2020 07:31:35 +0200 Roshan Hiripitiyage via dmarc-discuss wrote:
> Can we enable DMARC just by enabling only SPF?, without DKIM? If it's possible
> what are the issues we will come across without DKIM?

While it is possible, SPF only won't cover forwarding.  Mail that you send to
u...@example.com which is (silently) redirected to u...@example.net will fail
SPF verification in the majority of cases.  Where it succeeds, that's because
the forwarder changed the MAIL FROM (a.k.a. Return-Path:).  That way, SPF can
pass but DMARC alignment does not.

For that reason, if you implement DMARC with SPF only, you should keep p=none,
or/and pct=0, in order for your mail to be delivered correctly.  p=none is the
suggested starting value anyway, so that you can estimate how you're doing
based on aggregate reports.

On the other hand, implementing DMARC also implies to send in turn aggregate
reports yourself.  If you cannot verify DKIM signatures, you can set
DKIMAuthResultType to "none" to indicate that no message authentication was
performed, or omit the <dkim> element altogether.  That way, you let your
correspondents know that you're not verifying their DKIM signatures.

Anyway, be very cautious about rejecting or quarantining incoming mail based on
SPF only.  Whitelist extensively.

If you don't mind my asking, what is the difficulty in enabling DKIM?


dmarc-discuss mailing list

NOTE: Participating in this list means you agree to the DMARC Note Well terms 

Reply via email to