Using DMARC and SPF Without DKIM

Using DMARC to validate your SPF record makes perfect sense even if you have no plan of implementing DKIM. There you have it!

Although implementing DKIM is highly recommended, you can absolutely use DMARC for the sole purpose of validating your SPF record, either as a one-time exercise or on an ongoing basis. The scenario described in this post will give you a better understanding of the value of DMARC and SPF without DKIM.

DMARC Processing

As explained in a previous post, your DMARC record instructs the receiver how to process your email in case of DKIM and/or SPF failure. The DMARC policy (the p= tag) offers three settings: “none”, “quarantine” and “reject”. Using the setting “none” makes sure that email delivery is unaffected no matter how screwed your SPF and DKIM configuration is: the receiver still evaluates SPF and DKIM, it just takes no action on the result.

So, with no change in mail delivery, what are the gains?

DMARC Reporting

The super cool feature of DMARC is that it allows you to specify a mail address (the rua= tag) that will receive daily aggregate reports from all receivers that are DMARC compliant. This means every mail system that implements DMARC reporting will send you a daily mail telling you about any SPF failures on email sent using your mail domain.

Consider the following scenario:

[Figure: SPF/DMARC scenario with Office 365 management]

Assuming the receiving mail servers are DMARC compliant, within 24 hours of configuring your DMARC record they will start sending DMARC aggregate reports to the mail address specified in the DMARC record.

Understanding DMARC Aggregate Reports

In the above example no SPF issues will be seen for the mails coming from your own mail server, as its IP is listed correctly in your SPF record. However, reviewing the DMARC reports carefully, you will find that Marketing forgot to notify you about the 3rd party service provider they hired to send out emails using your mail domain. These newsletters are currently getting a higher spam probability score due to the failing SPF check and are less likely to reach the intended recipients. Also, you find that someone is sending spoofed emails from IP address 6.6.6.6, an IP address completely unknown to you.

Two important actions are born from your study of the aggregate DMARC reports you’re now receiving:

  • You decide to update your SPF record with the 3rd party service provider (or you instruct them to send from an email address not belonging to your main mail domain)
  • You start monitoring the extent of the spoofing attack coming from IP address 6.6.6.6, and if it continues on a large scale you inform your customers about the issue and take legal action against the foul player

Bonus Info: How To Process DMARC Reports

To review the XML-based DMARC reports in an easy way, have them processed by a DMARC service provider. There are a few providers out there, but I would like to highlight the Armenian company EasyDMARC. They offer a great platform at reasonable pricing. If you set up an account with them you can have your DMARC reports sent directly to them for automatic processing. If you already have DMARC reports delivered to your own mailbox you can use EasyDMARC’s platform to process them. It goes like this:

Copy all the emails with your DMARC reports from your mail client to a folder (copy/paste or drag and drop).

Fire off the following PowerShell script to extract the attachments into a separate folder:

  $MsgPath  = "C:\Mails\"
  $SavePath = "C:\Mails\Attachments\"

  # Create the attachment folder if it does not exist yet
  If (-not (Test-Path $SavePath)) { New-Item -ItemType Directory -Path $SavePath | Out-Null }

  # Outlook must be installed; its COM object is used to open each .msg file
  $Outlook = New-Object -ComObject Outlook.Application
  $Msgs = Get-ChildItem $MsgPath -Filter *.msg

  ForEach ($Msg in $Msgs) {
      Write-Host "Opening message:" $Msg.Name
      # Opening a .msg file "as a template" loads it as a MailItem (use the full path, not just the name)
      $OMsg = $Outlook.CreateItemFromTemplate($Msg.FullName)
      $OMsg.Attachments | ForEach-Object {
          # Save each attachment (the .zip / .gz report files) into the attachment folder
          $_.SaveAsFile((Join-Path $SavePath $_.FileName))
      }
      $OMsg.Close(1)   # 1 = olDiscard: close the item without saving changes
  }

Navigate to the XML Analyzer and drop your attachments (*.zip and *.gz files – not the *.msg files) in the web application:

[Figure: EasyDMARC XML file processing]

Once file uploading completes you will receive a summarized overview of the DMARC reports:

If you scroll down a bit you will be able to identify the main attraction – SPF failures. Review the stats and check whether you forgot to include an outbound mail server or whether someone is spoofing your domain:

[Figure: EasyDMARC SPF failure list]

In the above report, 4 reporting receivers show 0% SPF compliance, and this requires further investigation.
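The aggregate reports described above are XML documents (the RFC 7489 schema), delivered as .zip or .gz attachments. As an added example, not code from this post or from EasyDMARC, the following Python script does offline what the XML Analyzer step does: it unpacks the attachments that the PowerShell script saved, reads each record, and triages every source IP the way the scenario earlier in the post does (your own server passing, a third-party sender Marketing forgot to mention, and an unknown IP such as 6.6.6.6 failing SPF outright). The embedded report, the addresses 192.0.2.10 and 198.51.100.25, the domains, the attachment file names and the known_senders set are constructed sample values.

```python
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict

# Constructed sample aggregate report mirroring the post's scenario. Note the
# vendor row: plain SPF passes for the vendor's own domain, but that domain is
# not aligned with the header From, so DMARC's evaluated SPF result is "fail".
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>example-report-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>newsletter-vendor.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>6.6.6.6</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""


def build_sample_attachments():
    """Wrap the sample report the way reporters ship it: as a .zip and as a .gz (constructed names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("receiver.example!example.com!1700000000!1700086400.xml", SAMPLE_REPORT)
    return {
        "receiver.example!example.com!1700000000!1700086400.zip": buf.getvalue(),
        "other.example!example.com!1700000000!1700086400.xml.gz": gzip.compress(SAMPLE_REPORT),
    }


def extract_xml(filename, data):
    """Return the XML documents inside one attachment (a .zip may hold several)."""
    name = filename.lower()
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zf.read(m) for m in zf.namelist() if m.lower().endswith(".xml")]
    if name.endswith(".gz"):
        return [gzip.decompress(data)]
    if name.endswith(".xml"):
        return [data]
    return []  # anything else (e.g. the .msg file itself) is not a report


def parse_report(xml_bytes):
    """Pull the published policy and the per-source rows out of one report."""
    root = ET.fromstring(xml_bytes)
    records = []
    for rec in root.iter("record"):
        records.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "spf_aligned": rec.findtext("row/policy_evaluated/spf"),  # DMARC's aligned SPF verdict
            "spf_raw": rec.findtext("auth_results/spf/result"),       # plain SPF verdict
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return root.findtext("policy_published/p"), records


def classify(rec, known_senders):
    """Label a row the way you would triage it while reading the report."""
    if rec["spf_aligned"] == "pass":
        return "ok"
    if rec["source_ip"] in known_senders:
        return "known-host-missing-from-spf"  # your own server, but not in the SPF record
    if rec["spf_raw"] == "pass":
        return "unaligned-third-party"        # passes SPF for another domain: likely a vendor
    return "unknown-source"                   # fails SPF outright: what spoofing looks like


def summarise(attachments, known_senders):
    """Aggregate message counts and SPF failures per source IP across all attachments."""
    totals = defaultdict(lambda: {"messages": 0, "spf_fail": 0, "labels": set()})
    policies = set()
    for filename, data in attachments.items():
        for xml_bytes in extract_xml(filename, data):
            policy, records = parse_report(xml_bytes)
            policies.add(policy)
            for rec in records:
                t = totals[rec["source_ip"]]
                t["messages"] += rec["count"]
                if rec["spf_aligned"] != "pass":
                    t["spf_fail"] += rec["count"]
                t["labels"].add(classify(rec, known_senders))
    return policies, dict(totals)
```

To run it against real reports, read every file in the Attachments folder into a dict of file name to bytes and call summarise(attachments, known_senders) with the set of IP addresses you know you send from. The labels separate the two findings from the scenario: a legitimate vendor whose envelope domain is not aligned with your header From (update the SPF record, or have them send from another domain) and a source that fails SPF outright, which is how spoofing from an address like 6.6.6.6 shows up in the reports. Because policy_published carries p=none, nothing in these reports was blocked; the reports are purely the monitoring signal the post describes.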

Wrap Up

Hopefully this makes it clear how you can use DMARC to support your existing SPF implementation even if setting up DKIM is still pending.
