How to configure DMARC to reject emails when DKIM fails but SPF passes?
Michael Ko
Co-founder & CEO, Suped
Published 15 May 2025
Updated 18 Aug 2025
9 min read
When configuring email authentication protocols, a common question arises: "How can I set up DMARC to reject emails specifically when DKIM fails, but SPF passes and aligns?" This scenario often stems from a desire for stricter control over email authenticity, particularly concerning message integrity that DKIM helps ensure.
However, the fundamental design of DMARC, or Domain-based Message Authentication, Reporting and Conformance, means that this precise configuration isn't directly achievable. DMARC's primary purpose is to tell receiving mail servers what to do with messages that fail either SPF or DKIM authentication and alignment. It operates on an "OR" logic, meaning if one passes, DMARC generally considers the email legitimate from an authentication standpoint.
DMARC builds upon two foundational email authentication standards: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). For an email to pass DMARC, it must satisfy one of two conditions: pass SPF authentication with identifier alignment, or pass DKIM authentication with identifier alignment. The "OR" relationship between SPF and DKIM means that if either mechanism validates successfully and aligns with the "From" domain, the email passes DMARC.
This design ensures resilience in various email sending scenarios, such as when emails are forwarded. When an email is forwarded, the original SPF authentication can often break because the new forwarding server's IP address might not be authorized by the original domain's SPF record. In such cases, DKIM is crucial because the DKIM signature remains intact even after forwarding, allowing the email to still pass DMARC if DKIM passes and aligns. You can learn more about how to handle DMARC failures when email is forwarded by recipients.
Therefore, if an email successfully passes SPF authentication and SPF alignment, DMARC will generally consider the message authenticated, regardless of the DKIM authentication result. The goal of DMARC is to prevent email spoofing, and if either SPF or DKIM can verify the sender's identity, it fulfills this purpose. You can learn more about how these protocols work together in our simple guide to DMARC, SPF, and DKIM.
The role of DMARC policies and alignment tags
A DMARC policy (p=) tells receiving mail servers how to handle emails that fail DMARC authentication. The common policies are p=none (monitor), p=quarantine (deliver to spam/junk), and p=reject (block delivery). When you set a DMARC record to p=reject, you are instructing recipients to discard emails that fail DMARC checks entirely, which includes failures of both SPF and DKIM or alignment issues for both. For a deeper understanding of these policies and their implications, explore what DMARC settings should I use.
DMARC also includes alignment tags, aspf for SPF alignment and adkim for DKIM alignment. These tags specify whether SPF and DKIM alignment should be "relaxed" (r) or "strict" (s). By default, both are set to relaxed, meaning the organizational domain in the SPF or DKIM authentication result must match the organizational domain of the "From" header. If set to strict, the exact domains must match. Even with strict alignment, the "OR" logic still applies; if SPF passes and aligns, DMARC will pass, irrespective of DKIM's status. The adkim tag primarily dictates how DKIM alignment is evaluated, as discussed on MxToolbox's explanation of the adkim tag, but it does not mandate DKIM success if SPF already provides a passing authentication.
Even with adkim=s set, if aspf=s is also present and SPF passes and aligns strictly, the DMARC check still passes overall; the strict DKIM setting only changes how DKIM alignment is judged, not whether DKIM is required.
Addressing the challenge of DKIM failure with SPF pass
The underlying question, "How to configure DMARC to reject emails when DKIM fails but SPF passes?", suggests a desire for finer-grained control over email authentication outcomes. This scenario typically arises when there's concern about email content being tampered with after initial SPF authentication, as DKIM is designed to protect the integrity of the message body and headers. However, because DMARC passes if either SPF or DKIM (and their respective alignments) succeed, a passing SPF will always result in a DMARC pass, even if DKIM fails.
One reason for DMARC's design is the reality of email forwarding. As mentioned, SPF is prone to breaking during forwarding, which is why DKIM acts as a critical fallback. If an email is forwarded and SPF fails, a valid DKIM signature can still ensure the email passes DMARC. Without this flexibility, many legitimate emails would be blocked. This is also why we have the Authenticated Received Chain (ARC) protocol, which provides a chain of custody for emails, allowing intermediate mail servers to attest to the original authentication results before forwarding.
DMARC authentication outcomes

| SPF Authentication | DKIM Authentication | DMARC Outcome      |
|--------------------|---------------------|--------------------|
| Pass and Aligned   | Pass and Aligned    | Pass               |
| Pass and Aligned   | Fail                | Pass (due to SPF)  |
| Fail               | Pass and Aligned    | Pass (due to DKIM) |
| Fail               | Fail                | Fail               |
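The evaluation described above (SPF OR DKIM, each gated by relaxed or strict identifier alignment) as an added Python example; this is not the article's code, and it approximates the organizational domain as the last two labels rather than consulting the Public Suffix List, which is an assumption that holds for the sample domains used here. The sample inputs are constructed.

```python
from dataclasses import dataclass

# Constructed helper, not a Public Suffix List lookup: the organizational
# domain is approximated as the last two labels. Real DMARC verifiers use
# the PSL; this assumption is good enough for the sample domains below.
def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r'
    (relaxed, the default) only needs matching organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class SpfResult:
    result: str    # "pass", "fail", "softfail", "none", ...
    mailfrom: str  # domain SPF was checked against (RFC5321.MailFrom)


@dataclass
class DkimResult:
    result: str    # "pass" or "fail"
    d: str         # d= tag of the DKIM-Signature


@dataclass
class DmarcVerdict:
    spf_aligned_pass: bool
    dkim_aligned_pass: bool
    result: str       # "pass" or "fail"
    disposition: str  # "none", "quarantine" or "reject"


def evaluate_dmarc(from_domain, spf, dkim_sigs, policy="none", aspf="r", adkim="r"):
    """DMARC pass = (SPF pass AND aligned) OR (any DKIM pass AND aligned).
    The published policy only applies when neither leg passes."""
    spf_ok = spf.result == "pass" and is_aligned(spf.mailfrom, from_domain, aspf)
    # A message may carry several DKIM signatures; one aligned passing
    # signature is enough for the DKIM leg.
    dkim_ok = any(s.result == "pass" and is_aligned(s.d, from_domain, adkim)
                  for s in dkim_sigs)
    passed = spf_ok or dkim_ok
    return DmarcVerdict(spf_ok, dkim_ok,
                        "pass" if passed else "fail",
                        "none" if passed else policy)


if __name__ == "__main__":
    # Reproduce the four table rows for a domain publishing p=reject.
    cases = [
        ("both pass", SpfResult("pass", "example.com"), [DkimResult("pass", "example.com")]),
        ("SPF only", SpfResult("pass", "example.com"), [DkimResult("fail", "example.com")]),
        ("DKIM only", SpfResult("fail", "example.com"), [DkimResult("pass", "example.com")]),
        ("neither", SpfResult("fail", "example.com"), [DkimResult("fail", "example.com")]),
    ]
    for label, spf, dkim in cases:
        v = evaluate_dmarc("example.com", spf, dkim, policy="reject")
        print(f"{label:10} -> dmarc={v.result} disposition={v.disposition}")
```

Switching aspf from "r" to "s" with a MAIL FROM of bounce.example.com shows why strict alignment changes the SPF leg but never makes DKIM mandatory: the SPF leg stops aligning, and the verdict then rests on DKIM alone.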
If your primary concern is the integrity of the email body, which is DKIM's strength, relying solely on DMARC's standard behavior may not satisfy your specific requirement if SPF passes. While you cannot tell DMARC to reject only on DKIM failure when SPF passes, you might consider alternative internal email security measures or additional rules on your mail server to flag or quarantine emails that pass SPF but fail DKIM for further inspection, though this falls outside standard DMARC policy enforcement. You can troubleshoot DMARC failures and their impact on email deliverability to understand potential consequences.
Advanced considerations and practical implications
While DMARC provides a robust framework for email authentication, it is designed for broad applicability across the internet's email ecosystem. Its "OR" logic (SPF OR DKIM) is a feature, not a limitation, intended to maximize legitimate email delivery while minimizing spoofing. Forcing a rejection solely on DKIM failure when SPF passes would effectively negate SPF's role in the DMARC evaluation, which is not how the protocol is built. The design aims for resilience.
Standard DMARC behavior
Pass logic: An email passes DMARC if either SPF or DKIM authenticates and aligns with the "From" domain. This provides redundancy.
Resilience: Handles scenarios like email forwarding where SPF can break, relying on DKIM for validation.
Policy enforcement: Applies a policy (none, quarantine, reject) only if both SPF and DKIM fail authentication or alignment.
Desired (non-standard) behavior
Proposed logic: Reject emails if DKIM fails, even if SPF passes and aligns. This prioritizes DKIM for content integrity.
Impact on deliverability: Not directly supported by DMARC. Implementing this could lead to rejecting legitimate mail if SPF is the only passing authentication.
Custom solutions: Would require mail server-side rules or specialized security gateways to enforce this specific logic after the DMARC check.
If your specific use case requires ensuring DKIM integrity above all else, even when SPF passes, you might need to implement internal mail flow rules or specialized email security gateways that can enforce this specific logic. These solutions would operate after the initial DMARC check by the recipient server, offering granular control based on individual authentication results. However, this is a complex approach that may not be feasible for all organizations.
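The mail-server-side rule suggested in the two passages above (flagging mail that passed DMARC on SPF alone while DKIM failed) as an added Python example, not the article's or any product's code. It assumes the receiving MTA has already stamped an Authentication-Results header in the RFC 8601 layout, that the rule runs after that stamp, and that a message carries at most one dkim clause; the sample headers are constructed, not captured traffic.

```python
import re

# Constructed sample headers (documentation addresses, made-up selectors).
# "spf_only" is the case the article discusses: SPF passes and aligns,
# DKIM fails, and DMARC therefore passes.
SAMPLE_HEADERS = {
    "spf_only": (
        "Authentication-Results: mx.example.net;\n"
        " dkim=fail (body hash did not verify) header.d=example.com header.s=sel1;\n"
        " spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com;\n"
        " dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com"
    ),
    "both": (
        "Authentication-Results: mx.example.net;\n"
        " dkim=pass header.d=example.com header.s=sel1;\n"
        " spf=pass smtp.mailfrom=example.com;\n"
        " dmarc=pass (p=REJECT dis=NONE) header.from=example.com"
    ),
    "neither": (
        "Authentication-Results: mx.example.net;\n"
        " dkim=fail header.d=example.com;\n"
        " spf=fail smtp.mailfrom=example.com;\n"
        " dmarc=fail (p=REJECT dis=REJECT) header.from=example.com"
    ),
}


def parse_authentication_results(header: str) -> dict:
    """Parse an Authentication-Results header into
    {"_authserv_id": ..., method: {"result": ..., "props": {...}}}.
    Parenthesised comments are dropped and folded whitespace is unfolded."""
    value = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    value = re.sub(r"\([^)]*\)", "", value)   # strip CFWS comments
    value = " ".join(value.split())           # unfold continuation lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    parsed = {"_authserv_id": parts[0]}
    for clause in parts[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed[method.lower()] = {"result": result.lower(), "props": props}
    return parsed


def post_dmarc_action(header: str) -> tuple:
    """Local rule applied after DMARC: keep DMARC's own verdict, but hold
    messages that only passed because of SPF so the failed DKIM signature
    can be inspected. Returns (action, reason)."""
    ar = parse_authentication_results(header)
    dmarc = ar.get("dmarc", {}).get("result", "none")
    spf = ar.get("spf", {}).get("result", "none")
    dkim = ar.get("dkim", {}).get("result", "none")
    if dmarc != "pass":
        # Not our concern here: the published DMARC policy already decides.
        return ("follow-dmarc", f"dmarc={dmarc}")
    if spf == "pass" and dkim != "pass":
        return ("quarantine", "dmarc=pass on SPF only; DKIM did not verify, hold for inspection")
    return ("accept", f"dmarc=pass spf={spf} dkim={dkim}")


if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        action, reason = post_dmarc_action(hdr)
        print(f"{name:9} -> {action}: {reason}")
```

The rule deliberately never overrides a DMARC fail and never rejects outright: quarantining for review keeps forwarded or mangled-but-legitimate mail recoverable, which is the deliverability risk the article warns about.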
The current trend among major mailbox providers, such as Google and Yahoo, is to encourage, and in some cases demand, full alignment for both SPF and DKIM. This means that while DMARC currently allows an "OR" condition for passing, future requirements might lean towards both authentications being robustly configured. This future-proofing perspective suggests focusing on strengthening both SPF and DKIM for all your sending sources rather than trying to engineer specific failure conditions.
Important warning: unintended consequences
Intentionally breaking SPF alignment to force a DKIM-only pass might lead to significant email deliverability issues. Major email providers rely heavily on a combination of SPF, DKIM, and DMARC for filtering. Deliberately misaligning SPF, even if DKIM is strong, could increase your spam rate and risk your emails being blocklisted (or blacklisted) if SPF is then seen as failing. This is a crucial point, especially as major providers move towards stricter alignment requirements.
Implementing p=reject safely requires careful monitoring and analysis of DMARC reports. Before moving to p=reject, it's essential to understand all your legitimate sending sources and ensure they are correctly authenticating with both SPF and DKIM and achieving DMARC alignment. Otherwise, you risk blocking your own legitimate emails. This process involves a phased approach, typically starting with p=none for monitoring, then moving to p=quarantine, and finally p=reject once confidence in authentication is high. Our guide on how to implement DMARC p=reject policy safely provides further detail.
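The report analysis this phased rollout depends on, as an added Python example (not the article's or any vendor's tooling): it parses a DMARC aggregate (RUA) report in the RFC 7489 XML schema and shows which sources would be affected by moving to p=reject and which pass on SPF only. The report below is constructed; its IP addresses are documentation ranges and its counts are made up.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report: one fully aligned source, one SPF-only
# source with a failing DKIM signature, and one third-party sender whose
# raw SPF/DKIM pass but for its own domain, so neither leg aligns.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>mx.example.net</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>other.example</domain><result>pass</result></dkim>
      <spf><domain>other.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text) -> dict:
    """Per-source summary. policy_evaluated/spf and /dkim are the DMARC-level
    (alignment-aware) results; auth_results holds the raw checks."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        spf = rec.findtext("row/policy_evaluated/spf")
        dkim = rec.findtext("row/policy_evaluated/dkim")
        if spf == "pass" and dkim == "pass":
            category = "both"
        elif spf == "pass":
            category = "spf_only"
        elif dkim == "pass":
            category = "dkim_only"
        else:
            category = "fail"
        records.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "spf": spf, "dkim": dkim,
            "dmarc": "fail" if category == "fail" else "pass",
            "category": category,
            "raw_spf_domain": rec.findtext("auth_results/spf/domain"),
            "raw_dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return {"policy": root.findtext("policy_published/p"), "records": records}


def messages_affected_by_reject(summary: dict) -> int:
    """Messages that would be rejected if the domain moved to p=reject."""
    return sum(r["count"] for r in summary["records"] if r["dmarc"] == "fail")


def spf_only_sources(summary: dict) -> list:
    """Sources that pass DMARC only thanks to SPF: these break on forwarding."""
    return [r["source_ip"] for r in summary["records"] if r["category"] == "spf_only"]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"published policy: p={s['policy']}")
    for r in s["records"]:
        print(f"{r['source_ip']:14} count={r['count']:4} spf={r['spf']} dkim={r['dkim']} -> {r['category']}")
    print("would be rejected under p=reject:", messages_affected_by_reject(s))
    print("SPF-only sources to fix before enforcing:", spf_only_sources(s))
```

The third record is the pattern worth chasing before enforcement: raw SPF and DKIM both pass for other.example, but neither aligns with the example.com From domain, so a third-party sender that looks healthy in its own logs would be rejected once p=reject is published.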
Views from the trenches
Best practices
Always aim for both SPF and DKIM to pass and align, as this provides the strongest authentication.
Use DMARC's default "OR" logic for SPF and DKIM authentication to ensure maximum deliverability.
Gradually implement DMARC policies, starting with "p=none" to monitor reports before moving to "p=quarantine" and then "p=reject".
Monitor DMARC reports diligently to identify any legitimate sending sources that might be failing authentication.
Common pitfalls
Attempting to force DMARC to reject based on DKIM failure alone when SPF passes is not a standard configuration and can lead to issues.
Intentionally misconfiguring SPF or DKIM to achieve a specific failure condition can negatively impact your sender reputation and deliverability.
Moving directly to a "p=reject" policy without thorough monitoring can block legitimate emails from reaching inboxes.
Ignoring DMARC aggregate and forensic reports, which provide crucial insights into authentication failures and spoofing attempts.
Expert tips
Consider internal mail flow rules or specialized security gateways if you require highly granular control over email authentication outcomes beyond standard DMARC policies.
Regularly review your SPF and DKIM records to ensure they are up-to-date and include all legitimate sending sources.
Educate your team on DMARC, SPF, and DKIM to maintain consistent email authentication practices.
Keep an eye on updates from major mailbox providers regarding their authentication requirements, as these can evolve over time.
Expert view
Expert from Email Geeks says DMARC will always pass if SPF is aligned and authenticated, as it's designed with an 'OR' logic for authentication.
2024-05-10 - Email Geeks
Marketer view
Marketer from Email Geeks says if you don't want SPF to be used for DMARC pass, your only option would be to deliberately unalign the SPF string.
2024-05-10 - Email Geeks
Summary of DMARC configuration
Configuring DMARC to reject emails when DKIM fails but SPF passes is not directly possible due to DMARC's fundamental "OR" logic, which allows a DMARC pass if either SPF or DKIM aligns successfully. This design choice enhances email deliverability by providing authentication redundancy, particularly important in scenarios like email forwarding where SPF can break. Instead of trying to force a specific failure scenario, focus on robustly implementing both SPF and DKIM for all your sending domains and ensuring proper identifier alignment. Regularly monitoring your DMARC reports is crucial for identifying any legitimate mail flows that might be failing authentication and taking corrective action before enforcing a p=reject policy. This comprehensive approach will provide the strongest defense against email spoofing and phishing while maintaining excellent email deliverability.