Hi, On Wed 20/May/2020 07:31:35 +0200 Roshan Hiripitiyage via dmarc-discuss wrote: > Can we enable DMARC just by enabling only SPF?, without DKIM? If it's possible > what are the issues we will come across without DKIM?
While it is possible, SPF only won't cover forwarding. Mail that you send to u...@example.com which is (silently) redirected to u...@example.net will fail SPF verification in the majority of cases. Where it succeeds, that's because the forwarder changed the MAIL FROM (a.k.a. Return-Path:). That way, SPF can pass but DMARC alignment does not. For that reason, if you implement DMARC with SPF only, you should keep p=none, or/and pct=0, in order for your mail to be delivered correctly. p=none is the suggested starting value anyway, so that you can estimate how you're doing based on aggregate reports. On the other hand, implementing DMARC also implies to send in turn aggregate reports yourself. If you cannot verify DKIM signatures, you can set DKIMAuthResultType to "none" to indicate that no message authentication was performed, or omit the <dkim> element altogether. That way, you let your correspondents know that you're not verifying their DKIM signatures. Anyway, be very cautious about rejecting or quarantining incoming mail based on SPF only. Whitelist extensively. If you don't mind my asking, what is the difficulty in enabling DKIM? Best Ale -- _______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
