For an email to pass DMARC (Domain-based Message Authentication, Reporting and Conformance), it needs to either pass and align SPF (Sender Policy Framework) or pass and align DKIM (DomainKeys Identified Mail).
Thus, many senders assume that it is perfectly acceptable to focus on passing and aligning either SPF or DKIM, rather than passing and aligning for both.
In fact, there are some instances where senders might not be able to fully implement one of these protocols, such as:
As we stated above, authentication and alignment of just one protocol—SPF or DKIM—is sufficient for emails to pass DMARC, and none of the scenarios above will necessarily stop a sender from implementing a DMARC “reject” policy. So, why do we recommend that you endeavour to have both SPF and DKIM passing and aligning?
Why senders should go beyond the bare minimum
In addition to contributing to the wider picture of what “good” email looks like (mailbox providers rely on senders to clean up our authentication processes), SPF and DKIM, when both are passing and aligning, back each other up.
Both protocols come with their own pitfalls and nuances that can affect their implementation and ongoing maintenance, including transient errors that can occur when packets of data are lost and transmissions fail randomly for a variety of reasons.
Senders who run into such intermittent problems with one authentication protocol and cannot fix that problem immediately could find a large proportion of their legitimate emails blocked due to DMARC failures. In addition, mailbox providers seem to favor senders who are passing and aligning with both SPF and DKIM, as our example from the field below shows.
An example from the field
One of Return Path’s clients implemented a DMARC “reject” policy across all their main sending domains, which sent a high volume of emails.
For eight domains, they sent a total of 33.2 million messages over a period of seven days.
Out of those emails, nearly six million had some sort of authentication failure (~18 percent). These failures, we discovered, were caused by DKIM authentication issues.
However, because this client was passing and aligning with SPF, the messages continued to pass DMARC at an acceptable level—they only had 1,800 DMARC failures (0.005%) and of these, only 264 (0.0008%) were blocked by the ISP.
If there had been more SPF failures, more emails would have failed DMARC, with no DKIM to provide back-up.
After we diagnosed and troubleshot the underlying DKIM issues, and the sender’s emails were protected by both SPF and DKIM again, we saw a drastic dip in authentication failures. When we looked at the same domains over a seven-day period after the intervention, we saw:
As you can see, following our best practice of having both SPF and DKIM configured to pass and align will provide your outbound emails with the greatest level of protection. Authentication using both protocols is the most resilient approach and will have a positive effect on your deliverability.
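To see how much of your own mail leans on a single mechanism, as in the field example above, this added example (not Return Path's code) tallies the aligned SPF and DKIM results in a DMARC aggregate report. The sample report, its domain, IPs and counts are constructed, and `summarize` and `exposure` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed DMARC aggregate (RUA) report. The domain, IPs
# and counts are made up (example.com and documentation address ranges).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>8200</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>1790</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>8</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>2</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Bucket message counts by which aligned mechanism carried DMARC."""
    # Reports come from third parties: for real input use a hardened XML
    # parser (for example defusedxml) instead of the stdlib parser used here.
    totals = {"both": 0, "spf_only": 0, "dkim_only": 0, "dmarc_fail": 0}
    for row in ET.fromstring(report_xml).iter("row"):
        count = int(row.findtext("count"))
        # policy_evaluated carries the aligned (DMARC-relevant) results.
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        if dkim_ok and spf_ok:
            key = "both"
        elif spf_ok:
            key = "spf_only"
        elif dkim_ok:
            key = "dkim_only"
        else:
            key = "dmarc_fail"
        totals[key] += count
    return totals


def exposure(totals):
    """Share of mail that fails DMARC if its one passing mechanism breaks."""
    total = sum(totals.values())
    return (totals["spf_only"] + totals["dkim_only"]) / total if total else 0.0


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(result, f"single-mechanism exposure: {exposure(result):.2%}")
```

A rising `spf_only` or `dkim_only` count is the early signal that one protocol has broken while the other is still carrying DMARC.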