It’s a common point of confusion, but the direct answer is no. For a message to pass DMARC, it does not require both SPF and DKIM to pass. It only needs one of them to pass and, crucially, to be 'aligned'.
This is a fundamental aspect of how the DMARC protocol is designed. It provides a layer of flexibility, because certain email sending scenarios can cause one of the authentication methods to fail while the other holds strong.
The key concept to grasp with DMARC isn't just an SPF or DKIM 'pass', but 'identifier alignment'. This is the mechanism DMARC uses to verify that the sender is who they claim to be: the domain that SPF or DKIM authenticated must match the domain in the message's 'From' header. Without alignment, a simple pass from SPF or DKIM is not enough for DMARC to be successful.
So, DMARC will pass if either the SPF check passes and is aligned, OR the DKIM check passes and is aligned. If both pass and are aligned, that's great, but it isn't a requirement. As noted in a post on AutoSPF, the alignment of these protocols is crucial for DMARC processing.
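The either/or rule above, written out as an added example (not code from the original page or from any mail server). It takes authentication results a receiver has already computed, and covers a forwarded message where SPF fails as well as a message where both checks pass but neither is aligned. The `AuthResults` type, the function names and the sample domains are assumptions made for illustration; `aspf` and `adkim` are the DMARC record's alignment-mode tags.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (needed for suffixes like co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # mode "s" (strict): exact match; "r" (relaxed): same organizational domain.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From header
    spf_result: str    # receiver's SPF verdict, e.g. "pass" / "fail"
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF evaluated
    dkim_result: str   # verdict for one DKIM signature (real mail may carry several)
    dkim_domain: str   # d= domain of that signature

def dmarc_eval(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    # A mechanism counts toward DMARC only if it passed AND is aligned.
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample results (not taken from real mail).
SAMPLES = {
    # Sent directly: both mechanisms pass and align.
    "direct": AuthResults("example.com", "pass", "bounce.example.com",
                          "pass", "example.com"),
    # Forwarded: the forwarder's IP is not in the SPF record, DKIM survives.
    "forwarded": AuthResults("example.com", "fail", "example.com",
                             "pass", "example.com"),
    # Third-party sender: SPF and DKIM both pass, but for a different domain.
    "unaligned": AuthResults("example.com", "pass", "esp-mail.example.net",
                             "pass", "esp-mail.example.net"),
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{name:10s} {dmarc_eval(res)}")
    print("direct, aspf=s:", dmarc_eval(SAMPLES["direct"], aspf="s"))
```

The "unaligned" case is the one that most often surprises people reading DMARC aggregate reports: both SPF and DKIM show "pass", yet DMARC fails because neither authenticated domain matches the From domain.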
Even though DMARC only requires one of the two, I always strongly advise setting up both SPF and DKIM correctly. There are a few critical reasons for this.
Firstly, it provides redundancy. The most common issue is that email forwarding can break SPF. When an email is forwarded, the server that forwards it often becomes the new sending server in the chain. Since that server's IP address is likely not in your domain's SPF record, the SPF check will fail. In this very common scenario, a valid DKIM signature is the only thing that will allow the email to pass DMARC.
Secondly, major mailbox providers like Google and Yahoo have updated their sender requirements. These new rules are not just about having a DMARC policy in place; they explicitly require senders to have both SPF and DKIM configured.
This means that while the DMARC standard itself is flexible, the practical reality of email deliverability in 2024 and beyond is that you need both. Failing to implement both can directly impact whether your emails land in the inbox at Gmail and Yahoo.
To summarize: technically, DMARC does not require both SPF and DKIM to pass. It requires a single aligned pass from either one.
However, for robust protection, resilience against email forwarding issues, and compliance with the mandatory requirements from the world's largest mailbox providers, you absolutely should implement both SPF and DKIM. Think of it less as a technical choice and more as a foundational requirement for modern email sending.