Summary
XS4ALL employs a unique DMARC enforcement strategy where they prioritize DKIM signatures. If an email lacks DKIM, even with an SPF-backed DMARC policy set to 'reject' or 'quarantine,' XS4ALL might treat it as 'p=none,' effectively ignoring the sender's requested policy. This approach aims to balance security with deliverability, preventing legitimate forwarded emails from being incorrectly rejected due to SPF limitations. Experts and documentation emphasize the importance of using both SPF and DKIM for DMARC, highlighting DKIM's robustness during email forwarding. XS4ALL's public stance is seen as a positive step towards promoting transparency and encouraging proper email authentication practices. This also encourages senders to ensure DKIM is properly configured or risk deliverability issues and potential negative impacts on domain reputation.
Key findings
- DKIM Prioritization: XS4ALL prioritizes DKIM signatures for DMARC enforcement.
- Policy Modification: They might treat DMARC 'reject' or 'quarantine' policies as 'none' if DKIM is missing.
- SPF Limitations: Relying solely on SPF for DMARC at XS4ALL is insufficient due to forwarding issues.
- Deliverability Balance: Their approach balances email security with maintaining email deliverability.
- Transparency Benefit: Publicly stating this policy is considered a positive step.
- Domain Reputation Impact: Lacking DKIM can negatively impact domain reputation.
Key considerations
- Implement DKIM: Ensure DKIM is properly configured to avoid potential DMARC enforcement issues with XS4ALL.
- SPF/DKIM Setup: Setup both SPF and DKIM correctly as a prerequisite for DMARC.
- Test Authentication: Thoroughly test SPF and DKIM records before implementing a DMARC policy.
- Forwarding Concerns: Consider the impact of email forwarding when implementing SPF-only policies.
- Monitor Reputation: Monitor your domain reputation to ensure no negative impact.
What email marketers say
9 marketer opinions
XS4ALL prioritizes DKIM signatures in their DMARC enforcement. If an email lacks DKIM, they may treat a reject policy as 'none,' particularly when relying solely on SPF. This approach aims to balance security and deliverability, preventing legitimate forwarded emails from being incorrectly rejected due to SPF failures. By favoring DKIM, XS4ALL encourages senders to implement more robust authentication methods, benefitting the overall email ecosystem and making the internet safer.
Key opinions
- DKIM Priority: XS4ALL prioritizes DKIM signatures over SPF alone for DMARC enforcement.
- Policy Override: They might treat DMARC 'reject' policies as 'none' if DKIM is missing to avoid rejecting forwarded emails.
- Balance Security: XS4ALL's strategy balances email security with ensuring deliverability.
- Forwarding Issues: Relying solely on SPF is risky due to forwarding compatibility issues, which XS4ALL mitigates.
- Ecosystem Benefit: Encouraging DKIM implementation improves the overall email security ecosystem.
Key considerations
- Implement DKIM: Senders should implement DKIM to ensure their emails are properly authenticated with XS4ALL.
- SPF Alone is Insufficient: Relying on SPF alone might not be sufficient for DMARC compliance with XS4ALL, potentially leading to deliverability issues.
- Monitor Reputation: Pay attention to domain reputation, as lack of DKIM could negatively impact it.
- Test Configuration: Test your DMARC, SPF and DKIM records to ensure they are valid and working correctly.
Marketer view
Email marketer from Reddit explains that some providers, like XS4ALL, might treat DMARC policies with p=reject as p=none if DKIM is not implemented. This is because relying solely on SPF can lead to false positives with forwarding.
13 May 2025 - Reddit
Marketer view
Email marketer from Mailhardener Blog explains that while not explicitly stated, XS4ALL likely prioritizes DKIM because it survives forwarding, and SPF often breaks upon forwarding. It's a common practice for receivers to be more lenient when DKIM is present.
13 Jul 2022 - Mailhardener Blog
What the experts say
4 expert opinions
XS4ALL employs a specific DMARC enforcement strategy where they won't reject emails for DMARC failure if DKIM signatures are absent, even if SPF is in place with a reject policy. They treat such emails as 'p=none,' effectively ignoring the reject instruction. Experts highlight the importance of publishing DMARC records and recommend configuring DKIM alongside SPF due to DKIM's resilience during email forwarding, unlike SPF. Publicly disclosing this approach is seen as a positive step by XS4ALL, promoting transparency and encouraging senders to implement proper email authentication practices.
Key opinions
- DKIM Requirement: XS4ALL does not strictly enforce DMARC reject/quarantine policies when DKIM is missing.
- SPF Inadequacy: Relying solely on SPF for DMARC is insufficient at XS4ALL.
- Transparency: XS4ALL's public declaration of their DMARC handling is a welcome practice.
- Forwarding Considerations: DKIM is preferred due to its ability to survive email forwarding.
Key considerations
- Implement DKIM: Ensure DKIM is properly configured when sending emails to XS4ALL recipients.
- DMARC Record: Publish a DMARC record regardless of reliance on SPF, preferrably alongside DKIM.
- Testing: Thoroughly test DKIM records before implementation.
Expert view
Expert from Email Geeks responds that it’s mostly nice that they’re publicly saying “hey, y’all, we’re doing the smart thing” rather than silently doing the smart thing.
20 Nov 2023 - Email Geeks
Expert view
Expert from Email Geeks explains that DMARC enforcement at XS4ALL is interesting because they will not reject for DMARC failure if there is no DKIM signature. If you’re relying on SPF for DMARC and you have a quarantine or reject policy, they ignore any policy statements and treat it as p=none. (based on a statement from them on mailop)
20 Oct 2022 - Email Geeks
What the documentation says
5 technical articles
Documentation indicates that XS4ALL strongly encourages the use of DMARC with both SPF and DKIM for email spoofing protection. DMARC.org highlights DKIM as a robust authentication method that persists through email forwarding, addressing SPF's forwarding limitations. The DMARC standard (RFC 7489) allows receivers flexibility in policy enforcement, aligning with XS4ALL's practices. Major platforms like Google Workspace and Microsoft emphasize that both SPF and DKIM are essential for DMARC's effective function, providing comprehensive email security.
Key findings
- Encouraged DMARC: XS4ALL encourages DMARC use for email spoofing protection.
- SPF & DKIM: Setting up both SPF and DKIM is advised as a prerequisite for DMARC.
- DKIM Robustness: DKIM persists through forwarding, unlike SPF.
- Policy Flexibility: DMARC standards allow receivers to ignore sender policies.
- Essential Protocols: SPF and DKIM are essential for DMARC's effective function.
Key considerations
- Implement Both: Implement both SPF and DKIM for robust DMARC protection.
- Address Forwarding: Understand SPF's limitations with email forwarding and leverage DKIM.
- Receiver Flexibility: Be aware that receivers may not always strictly enforce DMARC policies.
- Comprehensive Security: Employ both SPF and DKIM for comprehensive email security.
Technical article
Documentation from RFC 7489, the official DMARC standard, specifies that receivers can choose to ignore the sender's DMARC policy under certain circumstances. XS4ALL's behavior aligns with this flexibility allowed in the standard.
2 Apr 2024 - RFC Editor
Technical article
Documentation from DMARC.org highlights that DMARC relies on SPF and DKIM. While SPF can have issues with forwarding, DKIM provides a robust authentication method that persists even when an email is forwarded, making it a crucial component of a DMARC setup.
3 Apr 2023 - DMARC.org
Does DMARC improve email deliverability and should ESPs push senders to set it up?
How do ActiveCampaign and other ESPs handle DMARC records during custom return-path setup, and what are the potential issues?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do SPF, DKIM, and DMARC affect email deliverability with Cvent?
How do SPF, DKIM, and DMARC email authentication standards work?
What are SPF, DKIM, and DMARC, and when are they needed?
