Summary
Microsoft's DMARC requirements align with the broader DMARC specification: an email needs only one of SPF or DKIM to successfully authenticate and align with the sender's 'From:' domain to pass DMARC. This means that both SPF and DKIM alignment are not simultaneously required. DKIM alignment alone is sufficient for a DMARC pass, a particularly important detail when sending via Email Service Providers where SPF alignment may not always occur.
Key findings
- Single Alignment Requirement: Microsoft DMARC requirements, consistent with the general DMARC specification, stipulate that only one of SPF or DKIM needs to authenticate and align with the 'From:' address for an email to pass DMARC validation.
- DKIM Sufficiency: DKIM alignment alone is sufficient for an email to achieve a DMARC pass within Microsoft environments, even if SPF alignment is not met.
- Common ESP Behavior: It is common and acceptable for emails sent via an Email Service Provider to not have SPF alignment, reinforcing the importance of DKIM alignment for DMARC success.
- No Dual Requirement: Microsoft 365 DMARC validation does not strictly require both SPF and DKIM alignment simultaneously; a successful alignment from either method is enough.
Key considerations
- Flexibility in Authentication: The requirement that only one of SPF or DKIM needs to align offers flexibility for senders, particularly those utilizing third-party Email Service Providers.
- Forwarding Environments: DKIM alignment is especially crucial in email forwarding scenarios, as SPF can often break in these situations, making DKIM the primary mechanism for DMARC validation.
- Impact of Non-Alignment: If neither SPF nor DKIM achieves alignment, the email will fail DMARC validation, leading to potential rejection or quarantine based on the domain's DMARC policy.
- SPF vs. DKIM Priority: While SPF alignment is generally preferred for direct sends, DKIM alignment is equally effective and often more reliable, particularly when sending through ESPs where SPF alignment might not always be achievable.
What email marketers say
13 marketer opinions
For an email to pass DMARC validation, including within Microsoft environments, only one of the two primary authentication methods-SPF or DKIM-must successfully align with the sender's 'From:' domain. This fundamental principle of DMARC offers senders crucial flexibility, meaning that simultaneous alignment of both SPF and DKIM is not a prerequisite for successful delivery and authentication.
Key opinions
- One Method Sufficient: DMARC, as implemented by Microsoft and other email providers, requires only one authentication method-either SPF or DKIM-to achieve alignment with the 'From:' header domain for a successful pass.
- DKIM's Independent Role: DKIM alignment alone is sufficient to satisfy DMARC requirements, ensuring a pass even if SPF alignment is not present or breaks due to forwarding.
- Consistent Industry Standard: Microsoft's DMARC validation process adheres to the universal DMARC specification, confirming that its requirements are not stricter or different from general DMARC protocols.
- No Dual-Alignment Rule: There is no mandate for both SPF and DKIM to align simultaneously; successful alignment of either mechanism is adequate for DMARC validation.
Key considerations
- Enhanced Sender Flexibility: The 'either-or' DMARC rule provides senders, particularly those using Email Service Providers, with greater flexibility in ensuring deliverability without needing to manage perfect alignment for both SPF and DKIM.
- Importance for ESP Usage: When sending email via an Email Service Provider, SPF alignment may not always occur, making DKIM alignment a particularly vital component for consistent DMARC compliance and deliverability.
- Robustness in Forwarding: DKIM's ability to remain intact through email forwarding makes it a more reliable mechanism for maintaining DMARC pass status in scenarios where SPF alignment might fail.
- Strategic Authentication Planning: Marketers should prioritize setting up robust DKIM, especially when SPF alignment is out of their direct control, to ensure consistent DMARC passes for their email campaigns.
Marketer view
Marketer from Email Geeks explains that only one of SPF or DKIM needs to authenticate and align for a DMARC pass, and if DKIM is aligned, it results in a DMARC pass.
22 Dec 2021 - Email Geeks
Marketer view
Marketer from Email Geeks explains that DKIM alignment is sufficient for DMARC, and while SPF alignment is preferred, it is not as critical.
5 Aug 2023 - Email Geeks
What the experts say
2 expert opinions
Microsoft's DMARC validation process confirms that emails need successful alignment with either SPF or DKIM to pass. It is not mandatory for both protocols to align concurrently; however, if neither SPF nor DKIM aligns, the email faces potential rejection or quarantine, dictated by the domain's DMARC policy.
Key opinions
- Either-Or Alignment: Microsoft's DMARC validation process requires only one of SPF or DKIM to align with the 'From:' domain for a successful DMARC pass, consistent with the general DMARC standard.
- Consequences of Dual Failure: If both SPF and DKIM fail to achieve alignment, an email will be subject to the domain's DMARC policy-based actions, such as rejection or quarantine.
- Standard Protocol Adherence: Microsoft's DMARC checks align with broader industry specifications, confirming that a single successful authentication and alignment method is sufficient.
Key considerations
- Simplified Compliance: Senders benefit from the flexibility of needing only one authentication method to align, simplifying DMARC compliance efforts for email deliverability.
- Crucial for Deliverability: Ensuring at least one authentication method, whether SPF or DKIM, properly aligns is vital to prevent emails from being blocked or filtered by Microsoft systems.
- Policy Enforcement: Understand that your domain's DMARC policy, whether 'quarantine' or 'reject,' will be enforced by Microsoft if both SPF and DKIM alignment checks fail.
Expert view
Expert from Spam Resource explains that for Microsoft's DMARC checks, a message needs to have either SPF alignment or DKIM alignment, but not necessarily both, to pass.
17 Aug 2024 - Spam Resource
Expert view
Expert from Word to the Wise shares that for Microsoft's DMARC check, a message needs to achieve either SPF alignment or DKIM alignment, as failing both results in rejection or quarantine based on the DMARC policy.
25 Dec 2021 - Word to the Wise
What the documentation says
3 technical articles
Microsoft's DMARC validation for incoming emails follows the established DMARC specification, requiring successful alignment from either SPF or DKIM with the sender's 'From:' domain. This means that an email does not need to pass both SPF and DKIM alignment simultaneously to achieve a DMARC pass within Microsoft 365 environments. One correctly configured and aligned authentication method is sufficient.
Key findings
- Microsoft's DMARC Standard: Microsoft 365's DMARC implementation aligns with the general DMARC standard, validating an email if either SPF or DKIM achieves authentication and alignment.
- No Dual Alignment Mandate: While both SPF and DKIM are checked, Microsoft's DMARC validation does not strictly mandate that both protocols align with the 'From:' address; successful alignment of just one is enough.
- Source Confirmation: Documentation from learn.microsoft.com confirms these requirements, clarifying that the 'either/or' rule applies for DMARC pass status.
Key considerations
- Prioritize At Least One: Email senders should ensure at least one of SPF or DKIM is correctly configured and aligns with their 'From:' domain to ensure DMARC compliance with Microsoft systems.
- Strategic Deployment: Understanding that only one alignment is necessary allows for strategic deployment of authentication, particularly when using Email Service Providers where SPF alignment might be more challenging to maintain.
- Comprehensive Coverage: While not both are required for a DMARC pass, implementing both SPF and DKIM provides redundant protection and can enhance overall email deliverability and sender reputation.
Technical article
Documentation from learn.microsoft.com explains that DMARC in Microsoft 365 requires either SPF or DKIM authentication to pass and align with the From: address, meaning both are not strictly necessary, but one must align.
18 Jun 2023 - learn.microsoft.com
Technical article
Documentation from learn.microsoft.com details that DMARC authentication in Microsoft 365 involves checking both SPF and DKIM, but only one of these, at minimum, needs to pass authentication and align with the From: address for DMARC to pass.
6 May 2025 - learn.microsoft.com
Do SPF and DKIM records need to be aligned for all email service providers?
How do I align SPF and DKIM in Salesforce Service Cloud, and is it necessary if DKIM is already aligned?
Is DKIM domain alignment required for Google and Yahoo's new email sending requirements?
Is DMARC reject policy mandatory for From and Return-Path alignment?
Is DMARC required for mail sending domains?
What are Mail.ru's DMARC, SPF, and DKIM alignment requirements?
