How DMARC relates to SPF and DKIM
Domain-based Message Authentication, Reporting & Conformance (DMARC) verification requires that either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) validation checks pass. This means that if domain owners publish a DMARC DNS record, they must also publish a valid SPF or DKIM DNS record.
When you enable DMARC verification and Secure Email Gateway detects a DMARC DNS record for the sender’s domain, the Gateway automatically carries out SPF and DKIM checks, even if you have these checks disabled in the Gateway. If either an SPF or DKIM check passes (and the DMARC domain alignment checks pass), then DMARC verification passes.
It is recommended that you leave SPF and DKIM enabled in Secure Email Gateway when DMARC is enabled. Although having SPF and DKIM disabled does not affect DMARC verification, having them enabled results in more reliable spoof detection for domains that publish SPF or DKIM records but not DMARC records.
When more than one Secure Email Gateway validation check triggers (for example, both DMARC and SPF trigger), the action taken by the Gateway is the highest priority action assigned to the triggering validation checks. The priority order of actions is as follows (highest priority first):
- Reject Message
- Add Info & Deliver: Adds the X-msw-integration header to messages and delivers messages.
- Hold, Add Info & Deliver: Holds messages in the area specified in the Hold Junk Email in Message Area panel on the SpamLogic Settings page, adds the X-msw-integration header to messages, and delivers messages.
- Hold in area: Holds messages in the area specified in the Hold Junk Email in Message Area panel on the SpamLogic Settings page.
If you add a host for SPF or DKIM to an allow list, it applies to the SPF or DKIM validation check only. Adding a host for SPF or DKIM to an allow list does not count as an SPF or DKIM pass for DMARC purposes. If you allow a host for DMARC, then Secure Email Gateway ignores (assumes they pass) SPF and DKIM results for DMARC purposes only.
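The following Python model is an added example, not Secure Email Gateway code. It combines the DMARC pass rule, the allow-list scoping and the action priority order described above. The names `Results`, `POLICY` and the helper functions are hypothetical, per-mechanism alignment follows the DMARC specification (RFC 7489), and it assumes a check "triggers" when it fails for a host that is not on that check's own allow list.

```python
from dataclasses import dataclass

# Action priority as listed on this page, highest first.
ACTION_PRIORITY = ["Reject Message", "Add Info & Deliver",
                   "Hold, Add Info & Deliver", "Hold in area"]

@dataclass
class Results:
    spf_pass: bool = False       # raw SPF result for the sending host
    spf_aligned: bool = False    # SPF domain aligns with the From: domain
    dkim_pass: bool = False      # raw DKIM signature result
    dkim_aligned: bool = False   # DKIM d= domain aligns with the From: domain
    spf_allowed: bool = False    # host is on the SPF allow list
    dkim_allowed: bool = False   # host is on the DKIM allow list
    dmarc_allowed: bool = False  # host is on the DMARC allow list

def dmarc_passes(r: Results) -> bool:
    # A DMARC allow-list entry makes SPF/DKIM count as passing for DMARC only.
    if r.dmarc_allowed:
        return True
    # SPF/DKIM allow-list entries are deliberately ignored here: they do not
    # count as a pass for DMARC purposes.
    return (r.spf_pass and r.spf_aligned) or (r.dkim_pass and r.dkim_aligned)

def triggered_checks(r: Results) -> set:
    # Assumption: a check "triggers" when it fails and the host is not on
    # that check's own allow list.
    checks = set()
    if not r.spf_pass and not r.spf_allowed:
        checks.add("SPF")
    if not r.dkim_pass and not r.dkim_allowed:
        checks.add("DKIM")
    if not dmarc_passes(r):
        checks.add("DMARC")
    return checks

def resolve_action(r: Results, configured: dict):
    # Highest-priority action among the checks that triggered, else None.
    actions = [configured[c] for c in triggered_checks(r)]
    return min(actions, key=ACTION_PRIORITY.index) if actions else None

# Constructed policy: which action each check is configured to take.
POLICY = {"SPF": "Hold in area", "DKIM": "Add Info & Deliver",
          "DMARC": "Reject Message"}
```

A host on the SPF and DKIM allow lists whose mail fails both checks still fails DMARC in this model, so only the DMARC action applies; a host on the DMARC allow list can still trigger the SPF or DKIM check on its own.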