How does the absence of DKIM affect email deliverability when SPF is passing and DMARC is aligned?

9 Marketer opinions 3 Expert opinions 4 Technical articles 4 Resources

Summary

The absence of DKIM in an email authentication setup where SPF and DMARC are already aligned presents a nuanced situation. While some experts suggest the immediate impact on deliverability might be minimal in common scenarios, the overwhelming consensus, backed by email marketers and documentation, emphasizes the importance of DKIM for enhanced security and long-term deliverability. DKIM provides message integrity verification, ensuring emails haven't been tampered with, and helps authenticate the sender, which can improve reputation and inbox placement. It's particularly crucial for forwarded messages, as SPF checks may fail in such cases, making DKIM the primary authenticator. Without DKIM, emails may be more susceptible to spam filtering, and the lack of this industry-standard protocol can raise red flags with mailbox providers. Ultimately, implementing DKIM alongside SPF and DMARC is recommended for a robust and resilient email authentication strategy.

Key findings

Enhanced Security: DKIM offers an additional layer of security and message integrity verification beyond SPF and DMARC.
Reputation Impact: The absence of DKIM can negatively impact sender reputation, as it's an expected industry standard.
Forwarding Vulnerability: DKIM becomes critical for forwarded emails, which may not pass SPF checks.
Deliverability Risks: Without DKIM, emails are more vulnerable to being marked as spam and may face deliverability issues.
Comprehensive Authentication: DKIM strengthens the overall email authentication framework when used in conjunction with SPF and DMARC.

Key considerations

DKIM Implementation: Prioritize the implementation of DKIM, even if SPF and DMARC are already in place, to enhance email security and long-term deliverability.
Forwarding Handling: Address forwarding scenarios by ensuring DKIM is properly configured to authenticate messages that may fail SPF checks.
Monitoring Reputation: Monitor sender reputation closely to identify any negative impacts from the absence of DKIM and take corrective action.
Industry Standards Compliance: Adhere to industry best practices by implementing DKIM, as its absence may raise deliverability concerns with mailbox providers.
Regular Auditing: Regularly audit email authentication configurations to ensure DKIM, SPF, and DMARC are properly set up and maintained.

What email marketers say
9Marketer opinions

While SPF and DMARC are essential for email authentication, the absence of DKIM, even when these are aligned, can still negatively impact email deliverability. DKIM provides an additional layer of security and ensures message integrity, which can improve sender reputation and inbox placement. Email providers may view emails without DKIM as less trustworthy, potentially leading to filtering as spam, especially when messages are forwarded and SPF checks fail.

Key opinions

Improved Deliverability: DKIM provides an extra layer of security, bolstering deliverability even when SPF and DMARC are aligned.
Enhanced Authentication: DKIM ensures message integrity and verifies the sender's authenticity, strengthening the overall authentication process.
Reputation Impact: The lack of DKIM may negatively impact sender reputation, as it is an industry standard expected by mailbox providers.
Forwarding Vulnerability: Forwarded emails may not pass SPF checks, making DKIM critical for maintaining deliverability in such cases.
Increased Trustworthiness: Email providers may view emails without DKIM as less trustworthy, potentially leading to increased spam filtering.

Key considerations

Implement DKIM: Even with SPF and DMARC in place, implement DKIM to provide a robust email security framework and improve deliverability.
Monitor Reputation: Monitor sender reputation to ensure that the absence of DKIM is not negatively impacting email deliverability.
Forwarding Scenarios: Consider the impact on forwarded emails, where SPF may fail, and ensure DKIM is properly configured to mitigate deliverability issues.
Industry Standards: Adhere to industry standards by implementing DKIM, as its absence may raise red flags with mailbox providers.
Regular Review: Regularly review and update email authentication settings to adapt to evolving deliverability requirements and best practices.

Marketer view

Email marketer from Email Geeks states that DKIM is important to improve deliverability.

March 2021 - Email Geeks

Marketer view

Email marketer from SocketLabs shares that forwarded messages may not pass SPF. This increases the importance of ensuring DKIM is correctly setup, otherwise the email will fail all email security checks.

December 2023 - SocketLabs

Marketer view

Email marketer from Mailjet shares that even with SPF and DMARC, DKIM provides an additional layer of security and sender authentication, which can improve deliverability. They explain that some ISPs might view emails without DKIM as less trustworthy, potentially affecting inbox placement.

December 2022 - Mailjet

Marketer view

Email marketer from ZeroBounce responds by saying that the lack of DKIM has a slight affect if SPF passes, however, it would always be recommended to have both setup correctly to ensure messages pass all security checks.

June 2023 - ZeroBounce

Marketer view

Email marketer from Sendinblue responds that while SPF and DMARC are important, DKIM provides message integrity verification. If DKIM is missing, it reduces the overall authentication strength, and some email providers might be more likely to filter the message as spam, even with passing SPF/DMARC.

November 2021 - Sendinblue

Marketer view

Email marketer from Reddit says that although SPF and DMARC are important, DKIM is increasingly important. The lack of DKIM when SPF is passing will not hurt as much as if SPF was failing - however it might impact long term deliverability.

February 2022 - Reddit

Marketer view

Email marketer from Email Geeks explains that you can look in the headers for a DKIM signature in Gmail by using "Show Original".

May 2023 - Email Geeks

Marketer view

Email marketer from Postmark shares that without DKIM, the sender's reputation might be negatively impacted even if SPF and DMARC pass. They explain that DKIM is an industry standard and is often expected, so its absence can raise red flags with some mailbox providers.

January 2022 - Postmark

Marketer view

Email marketer from SparkPost explains that while DMARC can function with only SPF, using DKIM in conjunction provides a stronger authentication signal. They share that without DKIM, DMARC compliance might be more fragile, especially with forwarded emails. Having both makes the sender's authentication more robust.

March 2023 - SparkPost

What the experts say
3Expert opinions

While SPF and DMARC provide essential email authentication, expert opinions vary on the necessity of DKIM when these are already in place. Some experts suggest that in common cases, the absence of DKIM may not significantly impact deliverability if SPF is passing and DMARC is aligned. However, they also emphasize that implementing DKIM is still a best practice. It provides an additional layer of authentication, enhances message integrity, and strengthens security, particularly for forwarded messages that may fail SPF checks. DKIM also contributes to a more robust reputation.

Key opinions

Deliverability Impact: The immediate impact on deliverability may be minimal in common cases if SPF is passing and DMARC is aligned, but DKIM absence can create longer term issues.
Enhanced Security: DKIM offers an additional layer of authentication and helps maintain message integrity throughout the delivery chain.
Best Practice: Signing all outbound emails with DKIM is recommended as a best practice, even with existing SPF and DMARC configurations.
Forwarding Considerations: DKIM becomes more crucial for forwarded messages that might not pass SPF checks, ensuring continued authentication.
Robust Reputation: Implementing DKIM alongside SPF and DMARC contributes to a more robust sender reputation.

Key considerations

Implementation: Even with SPF and DMARC functioning, consider implementing DKIM to enhance email security and message integrity.
Forwarding: Prioritize DKIM implementation to handle scenarios where messages are forwarded, and SPF checks may fail.
Risk Assessment: Assess the risks associated with not having DKIM, particularly concerning message integrity and long-term deliverability.
Configuration: Ensure proper configuration of DKIM, SPF, and DMARC to create a comprehensive email authentication strategy.
Monitoring: Monitor email deliverability and sender reputation to determine if DKIM implementation is required for optimal performance.

Expert view

Expert from Spam Resource (summarising M3AAWG documentation) explains that DKIM signing all outbound email is a best practice even with SPF and DMARC as it provides an additional layer of authentication and helps ensure message integrity throughout the delivery chain.

January 2025 - Spam Resource

Expert view

Expert from Email Geeks explains that if SPF is passing and DMARC aligned, lack of DKIM won’t have any effect on deliverability in the common case, however it is worth looking at adding to make reputation and DMARC more robust against forwarding.

September 2022 - Email Geeks

Expert view

Expert from Word to the Wise shares that while SPF and DMARC can improve deliverability, implementing DKIM would improve overall security. This includes forwarded messages which might not pass SPF checks.

August 2024 - Word to the Wise

What the documentation says
4Technical articles

Documentation indicates that while SPF and DMARC are crucial for email authentication, DKIM plays a vital role in verifying the source and integrity of email messages. Even when SPF passes and DMARC is aligned, the absence of DKIM can reduce the overall strength of authentication, making emails more susceptible to tampering and potentially impacting deliverability. It is strongly recommended to implement DKIM to ensure robust authentication and mitigate the risk of certain attacks, as it enhances trust and helps maintain message integrity.

Key findings

Message Integrity: DKIM provides message integrity verification, ensuring that emails have not been altered in transit.
Source Verification: DKIM verifies the source of email messages, confirming they were sent by an authorized domain.
Reduced Authentication: The absence of DKIM, even with SPF passing, reduces the overall strength of email authentication.
Increased Vulnerability: Without DKIM, emails are more vulnerable to tampering and certain types of attacks.
Deliverability Impact: Failure to implement DKIM can impact email deliverability, potentially resulting in messages being flagged as spam.

Key considerations

Implementation: Implement DKIM alongside SPF and DMARC to establish a comprehensive email authentication strategy.
Risk Mitigation: Mitigate the risk of tampering and certain attacks by ensuring that DKIM is properly configured.
Trust Enhancement: Enhance trust by implementing DKIM, which confirms the authenticity and integrity of email messages.
Authentication Strength: Recognize that SPF and DMARC alone may not provide sufficient authentication and that DKIM adds an essential layer.
Deliverability Monitoring: Monitor email deliverability to determine the impact of DKIM implementation on inbox placement and spam filtering.

Technical article

Documentation from Microsoft explains that even if the email passes SPF and DMARC checks it still requires the use of DKIM for better email deliverability. They suggest it can still impact your deliverability if you don't implement DKIM.

July 2023 - Microsoft

Technical article

Documentation from ietf.org explains that DKIM provides a method for verifying the source and integrity of email messages, allowing recipients to confirm that the message was sent by an authorized domain and has not been altered in transit. While not explicitly stating the impact without it when SPF/DMARC are present, it highlights DKIM's core function in authentication.

March 2023 - ietf.org

Technical article

Documentation from AuthSMTP explains that while SPF can authenticate the sending server, DKIM provides message integrity verification. It explains the absence of DKIM, even with SPF passing, makes the email more susceptible to tampering and reduces trust, possibly affecting deliverability.

October 2023 - AuthSMTP

Technical article

Documentation from DMARC.org explains that DMARC relies on SPF and DKIM to authenticate email. While DMARC can function if only one of SPF or DKIM passes, it strongly recommends both for robust authentication. Absence of DKIM (even with SPF passing) reduces the level of authentication, potentially impacting deliverability and increasing vulnerability to certain attacks.

November 2022 - DMARC.org

Causes and Solutions of DMARC Failures - DuoCircle

DMARC failure reports give insights into why emails failed DMARC checks and show where the trouble is to help you fix it. Invalid DMARC records fail to filter

DuoCircle

What is DMARC alignment (strict vs relaxed) - Valimail

DMARC alignment is an important part of the email authentication protocol. Learn how to align your domain.

Valimail -

Spoofed email passed SPF, DKIM, and DMARC - how to prevent ...

Hi all, I’m in the process of trying to figure out how a spoofed email passed DMARC. We’re a small company and set up SPF, DKIM, and DMARC for the first time about six months ago. Our SPF record is pretty basic (we include a third-party billing service and _spf.google.com ~all) and our DMARC policy is relaxed and set to quarantine. We use Google Workspace to send emails. In the spoofed email, it looks like they passed DKIM with a different domain, and SPF passed as well (from my understanding,...

Spiceworks Community