Yes, you can set up DMARC without DKIM and even if you only have DMARC and SPF setup. In cases where the DKIM check fails, DMARC authentication is dependent on the SPF check and SPF identifier alignment, which works but is not that optimal.

DMARC Setup

The DMARC authentication result depends on the SPF authentication result and DKIM authentication result. An email passes DMARC authentication if any of the following is true:

• Email passes the SPF authentication and has SPF identifier alignment;
• Email passes the DKIM authentication and has DKIM identifier alignment.

To put it into a simple equation:

DMARC authentication pass = SPF authentication pass OR DKIM authentication pass

DMARC setup without DKIM

If DKIM is not implemented with DMARC, then results will be dependent on SPF.

DMARC authentication pass = SPF authentication pass as well as SPF identifier alignment

In other words, SPF result output will determine the result of the DMARC policy.

What happens if SPF authentication fails?

SPF alone can authenticate legitimate emails but what if SPF authentication fails?

For direct email flow, any legitimate email coming from the authorized outgoing server is authenticated by the SPF. However, if an email is forwarded such as in the email list scenario, SPF authentication can fail since the intermediate server’s IP address is not in the SPF IP list.

When this happens and if DKIM is not set up, the legitimate email fails the DMARC authentication since it fails both the SPF and DKIM authentication, in this case, it is a false negative. Then a complete DMARC implementation is the best option.

As discussed above, having DKIM set up in your DMARC, increases the possibility of legitimate emails passing the DMARC authentication. Since most email services allow you to set up SPF as well as DKIM, you should definitely set up DKIM along with SPF.

Does DMARC require DKIM?

No. DKIM is not required by DMARC. However, setting up DKIM minimizes false negatives in DMARC authentication.