Do Microsoft DMARC requirements need both SPF and DKIM alignment?
Michael Ko
Co-founder & CEO, Suped
Published 26 Apr 2025
Updated 18 Aug 2025
The world of email deliverability can sometimes feel like a maze, especially with evolving requirements from major mailbox providers. Microsoft, for instance, recently updated its sender guidelines, sparking questions about DMARC, SPF, and DKIM. One common point of confusion is whether Microsoft demands both SPF and DKIM alignment for DMARC to pass. It's a crucial detail that can significantly impact your email campaigns.
Before diving into Microsoft's specific requirements, it's essential to understand how these authentication protocols work together. DMARC leverages both SPF and DKIM to verify sender identity. A DMARC record tells receiving servers what to do with emails that fail authentication and provides reporting on email streams. The key to DMARC's success lies in identifier alignment, meaning the domain used in your email's 'From' header must match the domain validated by SPF or DKIM.
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is designed to protect your domain from unauthorized use. For an email to pass DMARC, it needs to satisfy at least one of two conditions: SPF alignment or DKIM alignment. It's not a requirement that both must align simultaneously, although having both provides stronger protection and redundancy.
SPF (Sender Policy Framework) alignment checks if the domain in the Return-Path (or Mail From) header aligns with the 'From' header domain. This alignment can be either strict or relaxed. Relaxed alignment allows a subdomain of the 'From' header domain to pass, while strict alignment demands an exact match. DKIM (DomainKeys Identified Mail) alignment, on the other hand, checks if the domain specified in the d= tag within the DKIM signature aligns with the 'From' header domain.
The flexibility of DMARC means that if one of these alignment checks passes, the email satisfies the DMARC protocol. For example, if SPF fails to align but DKIM alignment is successful, the email can still pass DMARC. This is a critical point, especially when using third-party email service providers (ESPs) that often send emails with unaligned SPF.
Microsoft's stance on SPF and DKIM alignment
Microsoft's recent announcements, particularly for high-volume senders, emphasize the importance of email authentication. Starting May 2025, senders of more than 5,000 emails per day to Microsoft consumer services will need to implement SPF, DKIM, and DMARC. The official guidance states that a DMARC record must be published with at least a p=none policy and must align with either SPF or DKIM, preferably both. This clarifies that while having both aligned is strongly recommended, it's not a strict requirement for a DMARC pass.
Microsoft's specific DMARC requirements
For your emails to successfully pass DMARC with Microsoft, you need to ensure that your domain's DMARC record is correctly set up. While SPF and DKIM must both be configured and pass their respective authentication checks, only one of them needs to achieve alignment with your 'From' header domain for DMARC to be considered valid. This is often misunderstood, but it's a critical distinction for email deliverability. Non-compliance could lead to your emails being rejected or sent to recipients' spam folders.
Microsoft's guidance on DMARC validation steps confirms that a message fails DMARC only if *both* the SPF and DKIM checks fail. This means that as long as at least one of them passes and aligns, your email should pass DMARC.
The focus for senders should be on ensuring at least one of these mechanisms consistently aligns. While SPF is often the first authentication method configured, DKIM often provides more resilience, especially in scenarios involving email forwarding. This is because DKIM signatures are less likely to be altered during transit compared to SPF, which can break due to modifications to the return-path by intermediate servers.
Why one alignment is often sufficient (and when both are better)
While only one alignment (SPF or DKIM) is required for a DMARC pass, aiming for both offers significant advantages. Having both SPF and DKIM correctly aligned provides a robust defense against spoofing and phishing, as it creates two independent verification paths for receiving mail servers. If one method experiences an issue, the other can still validate the email, ensuring deliverability.
Consider the scenario where you use an ESP for sending marketing emails. Often, ESPs will use their own domain in the Return-Path of your emails, which means SPF alignment with your 'From' header domain might not occur naturally. In such cases, a properly configured and aligned DKIM signature becomes essential for your emails to pass DMARC. This is a common setup and is perfectly acceptable under Microsoft's guidelines.
SPF alignment is beneficial, especially for direct sends, but DKIM often serves as the primary alignment mechanism for emails sent via third-party services. The overarching goal is to ensure that at least one form of authentication aligns with your organizational domain, establishing trust with the recipient's server and avoiding the spam folder or outright rejection.
SPF alignment challenges
Return-Path modification: Often changed by email service providers (ESPs), making SPF alignment difficult.
Email forwarding: SPF checks can break when emails are forwarded, as the sending IP changes.
DKIM alignment strengths
Resilience to changes: DKIM signatures are embedded in the email header and generally survive forwarding and intermediate server changes.
Strong authentication: Verifies email content integrity and sender identity cryptographically.
Practical steps for DMARC implementation
To ensure your emails comply with Microsoft's requirements and achieve optimal deliverability, you should focus on properly configuring all three authentication protocols. This involves publishing accurate SPF, DKIM, and DMARC records in your DNS.
For SPF, ensure your record includes all legitimate sending sources for your domain to prevent false negatives. For DKIM, ensure that all domains used to sign your emails are correctly configured and that your public key is published in DNS. For DMARC, start with a p=none policy and use the reporting (RUA and RUF) tags to gather data on your email streams. This data is invaluable for understanding how your emails are being authenticated and identifying any potential issues.
After setting up your records, it's vital to monitor your DMARC reports. These reports provide insights into your email authentication status, showing which emails are passing or failing SPF and DKIM, and whether they are aligning. This data helps you troubleshoot any issues and move towards stricter DMARC policies like p=quarantine or p=reject over time. Regularly checking your DMARC reports from mailbox providers is key to maintaining good sender reputation.
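One way to triage the aggregate (rua) reports mentioned above, as an added example that is not from the article. It totals DMARC pass and fail volume and lists sources that authenticated but did not align. The element names follow the aggregate report schema in RFC 7489; the sample report, IP addresses, domains and the function name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (rua) report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>bounces.esp.example.net</domain><result>pass</result></spf>
  </auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>esp.example.net</domain><result>pass</result></dkim>
  <spf><domain>bounces.esp.example.net</domain><result>pass</result></spf>
  </auth_results></record>
<record><row><source_ip>203.0.113.5</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.org</domain><result>fail</result></spf>
  </auth_results></record>
</feedback>"""

def summarize(xml_text):
    """Return (message totals by DMARC verdict, sources that passed but did not align)."""
    # Reports arrive from outside parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not allowed in reports")
    totals = {"pass": 0, "fail": 0}
    unaligned = []
    for rec in ET.fromstring(xml_text).iter("record"):
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; one "pass" is enough for DMARC.
        evaluated = (rec.findtext("row/policy_evaluated/dkim"),
                     rec.findtext("row/policy_evaluated/spf"))
        verdict = "pass" if "pass" in evaluated else "fail"
        totals[verdict] += count
        # auth_results holds the raw SPF/DKIM outcomes, regardless of alignment.
        raw_pass = [(m.tag, m.findtext("domain"))
                    for m in rec.iterfind("auth_results/*")
                    if m.findtext("result") == "pass"]
        if verdict == "fail" and raw_pass:
            unaligned.append((rec.findtext("row/source_ip"),
                              rec.findtext("identifiers/header_from"), raw_pass))
    return totals, unaligned

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Rows returned in the second list are usually legitimate senders that need an aligned DKIM signature or Return-Path; failing rows with no raw pass at all are the ones more likely to be unauthorized use of the domain.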
| Authentication Method | Requirement for Microsoft DMARC Pass | Notes |
| --- | --- | --- |
| SPF (Sender Policy Framework) | Must be configured and pass authentication. SPF alignment with the 'From' domain can be sufficient. | Alignment (Return-Path to Header From) may not always occur with ESPs. |
| DKIM (DomainKeys Identified Mail) | Must be configured and pass authentication. DKIM alignment with the 'From' domain can be sufficient. | More resilient to forwarding issues than SPF. |
| DMARC (Domain-based Message Authentication, Reporting, and Conformance) | A DMARC record (at least p=none) is mandatory. Requires either SPF OR DKIM alignment (preferably both). | Essential for high-volume senders from May 2025 onwards. Helps combat spoofing. |
Views from the trenches
Best practices
Regularly monitor DMARC reports to identify authentication failures and improve deliverability.
Ensure your DKIM signatures are consistently applied and aligned for all sending domains.
Utilize SPF 'include' mechanisms correctly to cover all legitimate sending sources without exceeding lookup limits.
Gradually move your DMARC policy from 'none' to 'quarantine' and then 'reject' as you gain confidence in your authentication.
Common pitfalls
Assuming DMARC passes if SPF and DKIM just pass without alignment.
Not having SPF or DKIM configured for all sending domains.
Ignoring DMARC reports, missing critical insights into authentication issues.
Implementing strict SPF or DKIM alignment without proper testing, leading to legitimate emails failing.
Expert tips
For ESP-sent emails, DKIM alignment is often the most reliable path to DMARC pass.
Even if SPF alignment is not feasible due to your sending infrastructure, prioritize robust DKIM setup.
A 'p=none' policy on your DMARC record is a crucial first step for data collection, providing visibility into your email ecosystem.
Focus on domain reputation. Authentication helps build it, but consistent good sending practices are equally important.
Expert view
Expert from Email Geeks says DKIM alignment is sufficient for a DMARC pass.
2025-04-08 - Email Geeks
Expert view
Expert from Email Geeks says only one of the authentication methods, SPF or DKIM, needs to authenticate and align for a DMARC pass.
2025-04-08 - Email Geeks
Key takeaways on Microsoft's DMARC alignment
Microsoft's DMARC requirements, especially for high-volume senders, do not strictly demand both SPF and DKIM alignment. The critical takeaway is that for an email to pass DMARC, it must achieve alignment with either SPF or DKIM. While having both aligned is certainly beneficial and recommended for stronger email security and deliverability, it's not a hard prerequisite.
The focus should be on ensuring your domains are properly authenticated across the board. Implementing SPF, DKIM, and DMARC with diligent monitoring of reports will help you navigate these requirements, maintain a healthy sender reputation, and ensure your emails reach the inbox consistently. This proactive approach is key to avoiding email blocklists and maintaining effective communication with your audience.