How DMARC relates to SPF and DKIM
Domain-based Message Authentication, Reporting & Conformance (DMARC) verification requires that either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) validation checks pass. This means that if domain owners publish a DMARC DNS record, they must also publish a valid SPF or DKIM DNS record.
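The dependency described above can be audited from a domain's published TXT records. The following Python sketch is an added example, not Clearswift code or part of the original page; the ZONE data, the domain names, the selector "s1" and the function names are constructed assumptions, and it checks record presence only, not per-message validation results.

```python
# Constructed sample TXT data; the domains and the selector "s1" are assumptions.
ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example.net": ["v=DMARC1; p=quarantine"],
    "s1._domainkey.example.net": ["v=DKIM1; k=rsa; p="],  # empty p= is a revoked key
    "example.org": ["v=spf1 mx ~all"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_policy(zone, domain):
    """Return the p= policy if exactly one usable DMARC record exists, else None."""
    records = [r for r in zone.get("_dmarc." + domain, []) if r.strip().startswith("v=DMARC1")]
    if len(records) != 1:
        return None
    policy = parse_tags(records[0]).get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else None

def has_spf(zone, domain):
    """True if the domain publishes exactly one SPF record (more than one is an error)."""
    return sum(1 for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]) == 1

def has_dkim(zone, domain, selectors):
    """True if any listed selector publishes a key record with a non-empty p= value."""
    for selector in selectors:
        for record in zone.get(f"{selector}._domainkey.{domain}", []):
            if parse_tags(record).get("p"):
                return True
    return False

def audit(zone, domain, selectors=("s1",)):
    """Classify a domain by whether its DMARC record is backed by SPF or DKIM."""
    if dmarc_policy(zone, domain) is None:
        return "no-dmarc"
    if has_spf(zone, domain) or has_dkim(zone, domain, selectors):
        return "ok"
    return "dmarc-without-spf-or-dkim"

if __name__ == "__main__":
    for name in ("example.com", "example.net", "example.org"):
        print(name, audit(ZONE, name))
```

A domain reported as `dmarc-without-spf-or-dkim` publishes a DMARC policy that no message can satisfy, so its legitimate mail fails DMARC verification at receivers.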
When you enable DMARC verification and Secure Email Gateway detects a DMARC DNS record for the sender’s domain, the
Clearswift recommends that you leave SPF and DKIM enabled in Secure Email Gateway when DMARC is enabled. Although having SPF and DKIM disabled does not affect DMARC verification, having them enabled results in more reliable spoof detection for domains that publish SPF or DKIM records but not DMARC records.
When more than one Secure Email Gateway validation check triggers (for example, both DMARC and SPF trigger), the action taken by the
- Reject Message
- Add Info & Deliver: Adds the X-msw-integration header to messages and delivers messages.
- Hold, Add Info & Deliver: Holds messages in the area that you specify in the Hold Junk Email in Message Area section (see Spam Policy for more information on specifying the message area), adds the X-msw-integration header to messages, and delivers messages.
- Hold in area: Holds messages in the area that you specify in the Hold Junk Email in Message Area section (see Spam Policy for more information on specifying the message area).
If you add a host for SPF or DKIM to an allow list, it applies to the SPF or DKIM validation check only. Adding a host for SPF or DKIM to an allow list does not count as an SPF or DKIM pass for DMARC purposes. If you allow a host for DMARC, then Secure Email Gateway ignores (assumes they pass) SPF and DKIM results for DMARC purposes only.