The short answer is yes: you can publish a DMARC record in your DNS without having either SPF or DKIM set up. Doing so, however, leaves the policy with nothing to evaluate. It's like having a lock but no key; the mechanism is there, but it can't perform its function. It can also be actively harmful: DMARC only passes when an aligned SPF or DKIM check passes, so with neither in place every message claiming to be from your domain, your own legitimate mail included, fails DMARC, and a p=quarantine or p=reject policy tells receivers to quarantine or reject all of it.
DMARC is designed to work on top of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It performs no authentication of its own; it needs a passing, aligned result from at least one of those two checks to reach a 'pass' verdict. Without SPF or DKIM, DMARC has no information to act upon. As eSecurity Planet notes, while you can define the record, it won't be able to do anything.
To understand why, it helps to quickly recap what each protocol does. SPF is a TXT record at the sending domain listing the IP addresses allowed to send mail for it; the receiver checks the connecting server's IP against the record of the envelope sender (MAIL FROM) domain. DKIM has the sending server sign selected headers and the body with a private key; the receiver fetches the public key from selector._domainkey.domain and verifies the signature, which names the signing domain in its d= tag. DMARC, published at _dmarc.domain, ties those two results to the domain in the visible From: header, tells receivers what to do with mail that fails (p=none, p=quarantine or p=reject), and says where to send reports (rua=).
DMARC needs a 'pass' signal from an aligned SPF or DKIM check to function. If neither exists, there's no signal, every message fails DMARC, and the only thing the policy can do is apply its failure disposition.
This is where things get more nuanced. You can absolutely implement DMARC with only one of the two underlying protocols in place, but it's not the ideal setup. DMARC requires what's called 'identifier alignment': the domain in the visible From: header must match the domain that SPF authenticated (the envelope MAIL FROM domain) or the d= domain of a passing DKIM signature. Alignment is relaxed by default, so a subdomain such as mail.example.com aligns with example.com; the aspf=s and adkim=s tags switch to strict mode, which demands an exact match. A passing check that does not align counts for nothing, which is why mail sent through a third-party service that signs with its own domain still fails DMARC.
If you have SPF set up but not DKIM, your DMARC policy will work as long as the SPF check passes and aligns. However, a significant weakness of SPF is that it breaks when an email is forwarded. A forwarding service re-sends the message from its own IP address, and the receiver checks that IP against your SPF record, so a message that passed at the first hop fails at the second. (If the forwarder rewrites the envelope sender to its own domain, SPF may pass, but for the forwarder's domain, which does not align with your From: domain.) Either way, legitimate forwarded emails can be quarantined or rejected under a p=quarantine or p=reject policy, with no second check to fall back on. The folks at Easy365Manager point out that you can use DMARC this way to evaluate your SPF record, but it highlights the fragility of relying on SPF alone.
DKIM without SPF is generally more robust than SPF alone. Because the DKIM signature travels in the message header, it survives the forwarding process. As long as the body and the signed headers aren't altered, the signature will still verify, no matter which IP address delivers the message. Therefore, a DMARC policy based solely on DKIM is less likely to block legitimate, forwarded mail. The caveat is that anything which modifies the message in transit, such as a mailing list adding a subject tag or a footer, or a gateway rewriting links, invalidates the signature, and with no SPF there is nothing to fall back on. Every system that sends as your domain must also sign, since an unsigned message from an otherwise legitimate source has no way to pass. According to GoDMARC, "Setting up DMARC without SPF requires proper DKIM configuration," confirming it's a viable path.
While you can get by with one, the gold standard for email authentication is to have SPF, DKIM, and DMARC all working together. Having both SPF and DKIM provides redundancy. If one check fails (like SPF during forwarding), the other (DKIM) can still pass, ensuring your legitimate emails are delivered.
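The following is an added example, not code from the article or from any of the vendors it cites. It models the receiver-side DMARC decision described above over the scenarios the article walks through (no SPF or DKIM at all, SPF only with forwarding, DKIM only with forwarding and with a mailing-list modification, both together) and the alignment rules. The domains, IP addresses, message and keys are constructed; the real SPF lookup and RSA signature are replaced by a dictionary lookup and a keyed hash, since the point is the DMARC logic, not the underlying cryptography.

```python
import hmac
import hashlib

# Constructed fixture standing in for DNS: which example domains publish what.
# SPF: authorized sending IPs per domain (what a v=spf1 record would say).
# DKIM: one key per (domain, selector); an HMAC below stands in for the RSA signature.
SPF_RECORDS = {"spfonly.example": {"203.0.113.10"}, "both.example": {"203.0.113.10"}}
DKIM_KEYS = {("dkimonly.example", "s1"): b"constructed-key-1",
             ("both.example", "s1"): b"constructed-key-2"}

ORIGIN_IP = "203.0.113.10"     # the domain's own outbound server
FORWARDER_IP = "198.51.100.7"  # a forwarding service, listed in nobody's SPF record
BODY = "Please find the Q3 report attached.\r\n"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Real verifiers consult the Public Suffix List (example.co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: 'r' (relaxed) compares organizational domains,
    's' (strict) demands an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def spf_check(mail_from_domain, connecting_ip):
    """SPF result for the envelope MAIL FROM domain; 'none' when no record is published."""
    allowed = SPF_RECORDS.get(mail_from_domain)
    if allowed is None:
        return "none"
    return "pass" if connecting_ip in allowed else "fail"


def dkim_sign(d, selector, headers, body):
    msg = (headers + "\r\n\r\n" + body).encode()
    return hmac.new(DKIM_KEYS[(d, selector)], msg, hashlib.sha256).hexdigest()


def dkim_verify(d, selector, headers, body, signature):
    """'pass' only if the signed headers and body are exactly what was signed."""
    if (d, selector) not in DKIM_KEYS:
        return "none"
    expected = dkim_sign(d, selector, headers, body)
    return "pass" if hmac.compare_digest(expected, signature) else "fail"


def dmarc_evaluate(from_domain, spf_domain, spf_result, dkim_results,
                   policy="reject", aspf="r", adkim="r"):
    """DMARC verdict: pass if SPF passed and aligns, or any DKIM signature passed and
    aligns; otherwise the disposition is whatever the p= tag says."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for d, r in dkim_results)
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", policy)


def deliver(domain, connecting_ip, body_as_received=BODY, policy="reject"):
    """One delivery of mail authored by alice@<domain>: signed at the origin with selector
    s1 if the domain has a key, then evaluated at the receiver, seen from connecting_ip."""
    headers = "From: alice@%s\r\nSubject: Q3 report" % domain
    dkim_results = []
    if (domain, "s1") in DKIM_KEYS:
        sig = dkim_sign(domain, "s1", headers, BODY)  # signature made over the original body
        dkim_results.append((domain, dkim_verify(domain, "s1", headers, body_as_received, sig)))
    return dmarc_evaluate(domain, domain, spf_check(domain, connecting_ip), dkim_results, policy)


def scenarios():
    list_modified = BODY + "-- \r\nYou received this message via the list\r\n"
    return {
        "no_spf_no_dkim":        deliver("none.example", ORIGIN_IP),                 # DMARC alone: own mail rejected
        "no_spf_no_dkim_p_none": deliver("none.example", ORIGIN_IP, policy="none"),  # still fails, only reported
        "spf_only_direct":       deliver("spfonly.example", ORIGIN_IP),
        "spf_only_forwarded":    deliver("spfonly.example", FORWARDER_IP),           # forwarder's IP not in record
        "dkim_only_forwarded":   deliver("dkimonly.example", FORWARDER_IP),          # signature survives the hop
        "dkim_only_list_modified": deliver("dkimonly.example", FORWARDER_IP, list_modified),  # footer broke it
        "both_forwarded":        deliver("both.example", FORWARDER_IP),              # SPF fails, DKIM carries it
        # Alignment: a third-party sender signing with its own d= passes DKIM but does not align.
        "third_party_dkim":      dmarc_evaluate("both.example", "esp.example", "pass", [("esp.example", "pass")]),
        # A subdomain bounce address aligns under relaxed mode but not under strict.
        "subdomain_relaxed":     dmarc_evaluate("both.example", "mail.both.example", "pass", [], aspf="r"),
        "subdomain_strict":      dmarc_evaluate("both.example", "mail.both.example", "pass", [], aspf="s"),
    }


if __name__ == "__main__":
    for name, (verdict, disposition) in scenarios().items():
        print("%-26s dmarc=%-4s disposition=%s" % (name, verdict, disposition))
```

Note the two 'no SPF, no DKIM' rows: with p=reject the domain's own mail is rejected; with p=none it still fails, but the only effect is an aggregate report, which is why a new DMARC deployment starts at p=none.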
More importantly, major mailbox providers have made authentication a requirement. Since February 2024, Google and Yahoo require every sender to authenticate with at least one of SPF or DKIM, and bulk senders (5,000 or more messages a day) must have both SPF and DKIM, publish a DMARC policy (p=none is enough to satisfy the rule), and have a From: domain that aligns with it. Higher Logic's summary of these sender rules makes the same point: SPF and DKIM are mandated, and bulk senders must also have a DMARC policy.
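As an added example (not from the article), here is the pre-publication check a domain owner would run against the three records before turning a DMARC policy on: is there an SPF record, is there a DKIM key at the selectors the senders use, is there exactly one valid DMARC record, and does the combination meet the provider rules just described. DNS answers are stubbed with a constructed in-memory zone so the script runs offline; with dnspython you would instead fetch each owner name with dns.resolver.resolve(name, "TXT"). The domains, addresses and the placeholder key text are all constructed.

```python
# Constructed zone standing in for DNS TXT answers: owner name -> list of TXT strings.
ZONE = {
    "example.com": ["v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYBASE64"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=r"],
    # An enforcing DMARC record with no SPF and no DKIM behind it
    "_dmarc.bare.example": ["v=DMARC1; p=reject"],
    # SPF plus a monitoring-mode DMARC record, but no DKIM selector published
    "spfonly.example": ["v=spf1 ip4:203.0.113.20 -all"],
    "_dmarc.spfonly.example": ["v=DMARC1; p=none; rua=mailto:reports@spfonly.example"],
}


def txt(zone, name):
    return zone.get(name.lower().rstrip("."), [])


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def find_spf(zone, domain):
    return [r for r in txt(zone, domain) if r.lower().startswith("v=spf1")]


def find_dkim(zone, domain, selectors):
    """Selectors must be supplied: DNS cannot be enumerated, so check the ones your senders use."""
    found = {}
    for s in selectors:
        for r in txt(zone, "%s._domainkey.%s" % (s, domain)):
            tags = parse_tags(r)
            if tags.get("p"):  # an empty p= means the key was revoked
                found[s] = tags
    return found


def find_dmarc(zone, domain):
    recs = [parse_tags(r) for r in txt(zone, "_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    return recs[0] if len(recs) == 1 else None  # zero or several records: no usable policy


def assess(zone, domain, selectors=("s1",), daily_volume=0):
    """Readiness report for one domain: which records exist and what would go wrong."""
    spf = find_spf(zone, domain)
    dkim = find_dkim(zone, domain, selectors)
    dmarc = find_dmarc(zone, domain)
    issues = []
    if len(spf) > 1:
        issues.append("more than one SPF record: receivers treat this as permerror")
    if dmarc is None:
        issues.append("no single valid DMARC record at _dmarc.%s" % domain)
    else:
        p = dmarc.get("p")
        if p not in ("none", "quarantine", "reject"):
            issues.append("invalid or missing p= tag: %r" % p)
        elif not spf and not dkim:
            fate = {"none": "be reported as failing", "quarantine": "be quarantined",
                    "reject": "be rejected"}[p]
            issues.append("p=%s with no SPF and no DKIM: all mail from %s, your own included, will %s"
                          % (p, domain, fate))
        if "rua" not in dmarc:
            issues.append("no rua= address: you will receive no aggregate reports")
    if not spf and not dkim:
        issues.append("Gmail/Yahoo baseline not met: at least one of SPF or DKIM is required")
    elif daily_volume >= 5000 and not (spf and dkim and dmarc):
        issues.append("bulk-sender rules not met: SPF, DKIM and a DMARC record are all required "
                      "at 5,000+ messages/day")
    return {"spf": bool(spf), "dkim": sorted(dkim), "dmarc": dmarc, "issues": issues}


if __name__ == "__main__":
    for d, vol in (("example.com", 20000), ("bare.example", 100), ("spfonly.example", 20000)):
        r = assess(ZONE, d, daily_volume=vol)
        print(d, "spf=%s dkim=%s dmarc=%s" % (r["spf"], r["dkim"], r["dmarc"] and r["dmarc"].get("p")))
        for issue in r["issues"]:
            print("  !", issue)
```

Run it before changing p= on a live domain; the bare.example case is exactly the 'DMARC record with nothing behind it' the article warns about, and the script flags it as rejecting the domain's own mail.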
In conclusion, while it's technically possible to publish a DMARC record without SPF or DKIM, it accomplishes nothing useful, and with an enforcing policy it causes your own mail to be rejected. For DMARC to be effective, you need at least one of them, but the modern standard, and a requirement from major providers for bulk senders, is to have both. Set up SPF and DKIM first, publish DMARC at p=none, confirm from the aggregate reports that every legitimate sending source passes and aligns, and only then move the policy to quarantine and reject.