Can You Use DMARC Without DKIM? Understanding the Relationship

Learn whether DMARC works without DKIM, why relying on SPF alone is risky, and why setting up both SPF and DKIM gives you reliable email authentication.

Last updated: 2026-01-28

You have set up SPF for your domain and you are about to publish a DMARC record. But DKIM looks complicated and you are wondering: do I actually need it? Can DMARC work with just SPF?

The short answer is yes, technically. DMARC requires at least one of SPF or DKIM to pass and align. But relying on SPF alone is fragile, and in many common scenarios your emails will fail DMARC without DKIM in place. This guide explains why.

How DMARC Uses SPF and DKIM

DMARC does not perform authentication on its own. It relies on two underlying protocols — SPF and DKIM — and adds an alignment check on top of them. For a full breakdown of how these protocols compare, see SPF vs DKIM vs DMARC. For a message to pass DMARC, it needs at least one of the following:

  • SPF passes AND the SPF domain aligns with the "From" domain
  • DKIM passes AND the DKIM signing domain aligns with the "From" domain

Only one of these needs to succeed. If SPF passes and aligns, DMARC passes — even if DKIM is not configured at all. If DKIM passes and aligns, DMARC passes — even if SPF fails.

This is by design. The "or" logic gives your emails two chances to authenticate. But there is a critical difference between SPF and DKIM that makes relying on just one of them risky.

DMARC's "pass one, pass all" design means you do not need perfect scores on both SPF and DKIM. But having both gives you redundancy — if one breaks, the other keeps your emails authenticated.

Why SPF Alone Is Fragile

SPF validates the sending server's IP address against a list of authorized IPs published in your domain's DNS. It works well when you control exactly which servers send your email and the message travels directly from sender to recipient.

The problem is that email does not always travel directly. SPF breaks in several common scenarios.

Email Forwarding

When a recipient forwards your email to another address — using automatic forwarding rules, mailing lists, or simply forwarding from one mailbox to another — the forwarding server re-sends the message from its own IP address. That IP is not in your SPF record, so SPF fails.

This is not an edge case. Email forwarding is extremely common. People forward work emails to personal accounts, universities forward alumni email, and mailing lists redistribute messages to subscribers. If your only DMARC authentication path is SPF, all of these forwarded messages will fail DMARC.

Mailing Lists

When you send an email to a mailing list, the list server redistributes your message to all subscribers. The list server delivers each copy from its own IP address rather than your original sending IP. SPF fails because the list server is not in your SPF record.

Some mailing list software rewrites the "From" address to avoid this problem, but much of it does not. Without DKIM, your messages to mailing lists are likely to fail DMARC.

Third-Party Sending Services

When you use a third-party service like Mailchimp, SendGrid, or HubSpot, SPF alignment depends on the envelope sender (Return-Path) domain matching your "From" domain. Some services set the Return-Path to their own domain by default, which means SPF might pass but will not align with your domain.

You can usually configure a custom Return-Path, but it requires additional DNS setup and is easy to overlook. DKIM signing, on the other hand, is straightforward to configure with most services and naturally aligns with your "From" domain.

Why DKIM Survives Forwarding

DKIM works differently from SPF. Instead of checking the sending server's IP address, DKIM attaches a cryptographic signature to the email's headers and body. The signature is linked to your domain through a public key published in your DNS.

When an email is forwarded, the signature travels with the message. As long as the forwarding server does not modify the signed headers or body, the DKIM signature remains valid. The receiving server can verify the signature against your public key regardless of which server delivered the message.

This is the fundamental advantage of DKIM. It authenticates the message itself, not the server that sent it. Forwarding, relaying, and redistribution do not break DKIM the way they break SPF.

DKIM can break if the forwarding server modifies the message — for example, by adding a footer, rewriting links, or altering headers. But in most standard forwarding scenarios, the signature survives intact.

Scenarios Where DMARC Without DKIM Works

There are situations where SPF alone is sufficient for DMARC:

Direct delivery with no forwarding. If you send emails that are delivered directly to the final recipient with no forwarding, mailing lists, or intermediary servers, SPF alignment will work reliably.

Simple single-server setups. If all your email comes from one server that you control, and your SPF record lists that server, and you do not expect recipients to forward your messages, DMARC with just SPF can technically work. This sometimes applies to self-hosted email environments with direct delivery paths.

Temporary during initial setup. If you are rolling out email authentication in phases and SPF is done but DKIM is still in progress, running DMARC with SPF-only is better than having no DMARC at all. Just understand the limitations and prioritize getting DKIM configured.

Scenarios Where It Breaks Down

Recipients forward your emails. Anyone who forwards your message to another mailbox will trigger an SPF failure. Without DKIM to fall back on, DMARC fails and your message may be quarantined or rejected.

Mailing lists redistribute your messages. List servers re-send from their own infrastructure, breaking SPF. DKIM is the only authentication that survives this.

You move to DMARC enforcement. At p=none, DMARC failures do not affect delivery. But when you move to p=quarantine or p=reject, every SPF failure without a DKIM fallback means a legitimate email that does not reach the recipient.

You use multiple sending services. The more services that send on your behalf, the more complex your SPF record becomes and the more likely alignment issues arise. DKIM provides a cleaner, more reliable authentication path for third-party senders.
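
The rule from "How DMARC Uses SPF and DKIM", applied to the delivery paths described above, as an added example (not code from the original page). The domains, the SPF/DKIM outcomes per path and the two-label organizational-domain shortcut are constructed assumptions; real receivers use the Public Suffix List.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the organizational domain;
    # real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Relaxed mode compares organizational domains; strict needs an exact match
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str            # domain in the visible From header
    spf_result: str             # SPF verdict for the connecting IP
    spf_domain: str             # Return-Path (envelope sender) domain
    dkim_result: str = "none"   # "none" means the message was not signed
    dkim_domain: str = ""       # d= tag of the DKIM signature

def dmarc_pass(m: Message) -> bool:
    spf_ok = m.spf_result == "pass" and aligned(m.spf_domain, m.header_from)
    dkim_ok = m.dkim_result == "pass" and aligned(m.dkim_domain, m.header_from)
    return spf_ok or dkim_ok

# Constructed outcomes per delivery path:
# (SPF result, Return-Path domain, does a DKIM signature survive the path?)
PATHS = {
    "direct":              ("pass", "example.com", True),
    "forwarded":           ("fail", "example.com", True),
    "list_adds_footer":    ("fail", "example.com", False),
    "esp_own_return_path": ("pass", "bounces.esp.example", True),
}

def evaluate(path: str, signed: bool) -> bool:
    spf_result, spf_domain, survives = PATHS[path]
    m = Message("example.com", spf_result, spf_domain)
    if signed:  # signed with example.com's key before leaving the sender
        m.dkim_result, m.dkim_domain = ("pass" if survives else "fail"), "example.com"
    return dmarc_pass(m)

def report() -> dict:
    # path -> (DMARC passes with SPF only, DMARC passes with SPF + DKIM)
    return {p: (evaluate(p, False), evaluate(p, True)) for p in PATHS}

if __name__ == "__main__":
    for path, (spf_only, both) in report().items():
        print(f"{path:20} SPF only: {spf_only!s:5}  SPF+DKIM: {both}")
```

Only the direct path passes on SPF alone; the list that modifies the message fails either way, which is the DKIM caveat noted earlier.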

Why You Should Set Up DKIM

If you are currently running DMARC without DKIM, here is the practical case for adding it as soon as possible.

Redundancy. With both SPF and DKIM, your emails have two independent paths to pass DMARC. If one breaks due to forwarding, a DNS change, or a misconfiguration, the other keeps your messages authenticated.

Forwarding resilience. DKIM is the only standard authentication mechanism that reliably survives email forwarding. If any of your recipients forward messages, DKIM is essential. Our DKIM vs DMARC comparison explains exactly how these two protocols complement each other.

Enforcement readiness. Moving to p=quarantine or p=reject without DKIM means you are one forwarded email away from a delivery failure. DKIM gives you the confidence to enforce your DMARC policy without worrying about false positives.

Third-party sender compatibility. Most major email services (Mailchimp, SendGrid, HubSpot, Google Workspace, Microsoft 365) make it easy to configure DKIM signing. In many cases it is just adding a couple of CNAME or TXT records to your DNS.

How to Set Up DKIM

Setting up DKIM is more approachable than it looks. The process varies by email provider, but the general steps are the same:

  1. Generate a DKIM key pair at dkimcreator.com. This gives you a public key (which goes in your DNS) and a private key (which your email server uses to sign messages).

  2. Publish the public key as a TXT record in your DNS. The record goes at selector._domainkey.yourdomain.com, where "selector" is a name you choose (like google, mailchimp, or default).

  3. Configure your email service to sign outgoing messages with the private key. Most hosted services handle this automatically once you add the DNS record.

  4. Verify the setup by sending a test email and checking the received message's headers for a DKIM-Signature header and a DKIM pass result.

For hosted services like Google Workspace or Microsoft 365, the provider gives you specific CNAME or TXT records to add. You do not need to manage private keys yourself — the service handles signing on your behalf.
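
One way to carry out step 4 on a received test message, as an added example rather than code from the original page or from any provider. The sample message, the mx.receiver.example server name and the check_dkim helper are constructed for illustration, and alignment again uses a two-label shortcut for the organizational domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test message as it might look after delivery (sample values)
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com header.s=default
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=default; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Alice <alice@example.com>
Subject: DKIM test

body
"""

def unfold(value: str) -> str:
    return " ".join(value.split())  # join folded header continuation lines

def dkim_tags(sig: str) -> dict:
    # DKIM-Signature is a ';'-separated list of tag=value pairs
    pairs = (p.split("=", 1) for p in unfold(sig).split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def check_dkim(raw: str, trusted_authserv: str) -> dict:
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tags = dkim_tags(msg.get("DKIM-Signature", ""))
    d, selector = tags.get("d", "").lower(), tags.get("s")
    result = None
    for ar in map(unfold, msg.get_all("Authentication-Results", [])):
        # Trust only the header stamped by your own receiver (authserv-id is first)
        if ar.split(";", 1)[0].strip() != trusted_authserv:
            continue
        for verdict, dom in re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", ar):
            if dom.lower() == d:
                result = verdict
    return {
        "signed": bool(d and selector),
        # DNS name where the receiver looked up the public key
        "key_record": f"{selector}._domainkey.{d}" if d and selector else None,
        "dkim_result": result,
        # Assumption: last two labels approximate the organizational domain
        "aligned": bool(d) and d.split(".")[-2:] == from_domain.split(".")[-2:],
    }

if __name__ == "__main__":
    print(check_dkim(SAMPLE, "mx.receiver.example"))
```

A result of "pass" with "aligned" true is the combination DMARC needs; a signature present with no trusted verdict means the header being read was not added by your own receiving server.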

The Bottom Line

DMARC can technically function without DKIM, but it should not. SPF alone leaves your authentication vulnerable to forwarding failures, mailing list redistribution, and third-party sender misalignment. DKIM closes these gaps by authenticating the message itself rather than the sending server.

If you have SPF and DMARC in place but not DKIM, your next step is clear: generate your DKIM keys at dkimcreator.com and add them to your DNS. The setup takes minutes and dramatically improves the reliability of your email authentication.
