If DMARC passes but SPF fails, what are the concerns and impacts on email deliverability?
Summary
What email marketers say (11 marketer opinions)
Email marketer from EasyDMARC Knowledge Base responds that although DMARC might pass via DKIM, SPF failures can still indicate underlying issues like unauthorized sending sources. They advise investigating and correcting SPF records to prevent potential spoofing.
Email marketer from DNS Records explains that if DMARC passes via DKIM, the SPF failure is less critical for immediate deliverability. However, addressing SPF failures enhances overall email security and prevents potential exploitation of your domain.
Email marketer from Email Geeks responds that it should not affect your deliverability and that everything is OK with that setup.
Email marketer from SparkPost Blog responds that a passing DMARC with a failing SPF means the message is still authenticated, but it's crucial to monitor and address the SPF failure to prevent future deliverability problems and potential spoofing attempts.
Email marketer from Email Deliverability Blog responds that although DMARC passing with DKIM mitigates immediate deliverability issues from SPF failures, it's best practice to rectify SPF configurations. It helps ensure broader email security and reduces vulnerabilities.
Email marketer from EmailGeeks Forum shares that even with DMARC passing due to DKIM, ongoing SPF failures can indicate that unauthorized sources are attempting to send emails using your domain. This could lead to future reputation damage.
Email marketer from Email Marketing Forum shares that SPF failures, despite DMARC passing via DKIM, can stem from various issues such as email forwarding or incorrect SPF records. Investigating these causes is crucial for maintaining sender reputation.
Email marketer from StackOverflow answers that although DMARC prioritizes DKIM, it's still important to check why the SPF fails. If it's because a third-party provider is sending the emails, ensure they have DKIM set up and configured to pass DMARC. You can configure DMARC to reject unauthorized emails.
Email marketer from Postmark Blog shares that while a passing DMARC can provide a degree of protection, relying solely on it without fixing SPF issues is not ideal. They recommend ensuring both SPF and DKIM are correctly configured for optimal deliverability and security.
Email marketer from Mailhardener Blog explains that if DMARC passes with DKIM alignment, a failing SPF is not necessarily an immediate concern. They emphasize the importance of DKIM alignment in such scenarios for maintaining deliverability.
Email marketer from Reddit explains that if DMARC passes due to DKIM, the immediate impact on deliverability might be minimal. However, SPF failures should still be investigated as they could indicate unauthorized use of your domain.
What the experts say (5 expert opinions)
Expert from Email Geeks explains that DMARC looks at either SPF or DKIM passing, with both being preferable, but one is enough. They share that many ESPs control the SPF domain but allow for custom DKIM keys, while others allow full alignment of both. They also note that if you see things from IPs that are not yours it could be mail forwarding - SPF will fail, but DKIM should survive and continue to be validated.
Expert from Email Geeks explains the importance of understanding *why* SPF is failing: if it's failing in a DMARC context due to lack of alignment with the 5322.from address, or if it's a hard fail because the IP is not authorized. She states that mail failing SPF needs to be fixed by publishing the DNS record.
Expert from Spam Resource explains that even if DMARC passes due to DKIM alignment, SPF failures should not be ignored. Linford shares that SPF failures could be a sign of unauthorized email activity and recommends regular monitoring of SPF failure reports to identify and prevent potential email spoofing.
Expert from Email Geeks suggests if DMARC is failing because the SPF doesn’t align with the 5322.from, it should be fixed for tidiness rather than delivery impact.
Expert from Word to the Wise answers that while DMARC can pass through DKIM even when SPF fails, it's important to align both SPF and DKIM for optimal deliverability. Betterly emphasizes that a correctly configured SPF record can provide an additional layer of security and help reduce the risk of email spoofing.
What the documentation says (4 technical articles)
Documentation from Microsoft explains that messages that fail SPF checks but pass DMARC due to DKIM are still subject to DMARC policies. It is recommended to monitor SPF failures as they may indicate potential security issues or misconfigurations.
Documentation from DMARC.org explains that DMARC uses the results of SPF and DKIM to determine if a message is authorized to use a domain. If DMARC passes due to DKIM, the SPF result is less critical, but resolving SPF failures is still recommended for comprehensive security.
Documentation from Google Workspace Admin Help explains that while DMARC can pass with a DKIM alignment even when SPF fails, Google still recommends configuring both SPF and DKIM correctly. SPF helps in scenarios where DKIM might not be applicable.
Documentation from RFC explains the Sender Policy Framework. The RFC defines SPF's mechanisms for verifying sender identity. It also describes that if a system fails SPF, while DMARC passes because of DKIM, messages will still pass DMARC. However, it will not be an optimal configuration.
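
The distinction the experts draw above, between SPF that passes without aligning to the 5322.From domain and SPF that fails because the sending IP is not authorized, can be checked per message from the receiver's Authentication-Results header. The following Python is an added example, not code from any of the quoted sources; the function names, status labels and sample headers are constructed for illustration, and relaxed alignment is approximated by comparing the last two domain labels.

```python
import re

# Matches "spf=<result> ... smtp.mailfrom=<domain>" and
# "dkim=<result> ... header.d=<domain>" within one ';'-separated clause.
CLAUSE = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=(?:[^\s;@]*@)?([\w.-]+)",
    re.I)

def org_domain(domain):
    # Simplification (assumption): the last two labels stand in for the
    # organizational domain; real relaxed alignment needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify(auth_results, from_domain):
    """Return (dmarc_result, spf_status) for one Authentication-Results value."""
    target = org_domain(from_domain)
    spf_result, spf_aligned, dkim_ok = "none", False, False
    for method, result, domain in CLAUSE.findall(auth_results):
        aligned = org_domain(domain) == target
        if method.lower() == "spf":
            spf_result, spf_aligned = result.lower(), aligned
        elif result.lower() == "pass" and aligned:
            dkim_ok = True  # any aligned, passing signature is enough
    spf_ok = spf_result == "pass" and spf_aligned
    if spf_ok:
        status = "aligned-pass"
    elif spf_result == "pass":
        status = "pass-unaligned"      # e.g. the ESP owns the envelope domain
    elif spf_result in ("fail", "softfail"):
        status = "ip-not-authorized"   # forwarding, missing record, or spoofing
    else:
        status = "no-usable-result"
    return ("pass" if spf_ok or dkim_ok else "fail"), status

# Constructed sample header values (not taken from real mail).
SAMPLES = {
    "esp": "mx.example.net; spf=pass smtp.mailfrom=bounce.esp-example.com; "
           "dkim=pass header.d=example.com header.s=s1",
    "forwarded": "mx.example.net; spf=fail smtp.mailfrom=news@example.com; "
                 "dkim=pass header.d=mail.example.com",
    "spoof": "mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify(value, "example.com"))
```

Only "ip-not-authorized" combined with a DMARC fail points at mail that neither mechanism vouches for; the same SPF status with a DMARC pass is the forwarding or missing-record case that calls for checking the published SPF record.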