Why do I need to set DKIM when my DMARC can pass basis the SPF alone?

The Pain

This is one of the most asked questions that we come across from our customers. From the effort per-se it makes sense, reason being that SPF needs to be set in the company’s DNS server whereas DKIM has to be set in the sender’s mail server. Now some might ask ‘What is the challenge in setting up the DKIM in the mail server, the challenge arrives as majority of organisations use 3rd party mass mailers and CRM/HR service providers like mail chimp, Sendgrid, Zoho, Greyt Hr and many more to manage their customer reachout. And getting them to update the DKIM record requires an additional effort as most of the times these vendors are either unresponsive or lack expertise and that is the sole reason why the mail admins normally avoid the path of reaching out to the 3rd party mailers for setting up the DKIM and rather go-ahead with DMARC enforcement just by setting up the SPF records.

The Trouble

This approach however didn’t go well with one of our Banking customer, whose one of the mailing domains was in enforcement mode with just the SPF alignment. The mails admin tried setting up the DKIM as well however due to lack of response from the vendor they went ahead with just the SPF record. Everything was going fine for them till one day someone decided to remove the SPF record for that mailing domain (reason for which is still under investigation), and just like that around 20k mails got affected and were rejected by the recipient mail server in a single day. This was proactively identified and reported by ProDMARC and things are back to normal and now they are back again chasing the vendor for setting up the DKIM record as well but with more determination and rigour.

The Outcome

Achieving complete security is difficult, it not only depends upon your determination to fulfil it but also of others including your customers, partners, vendors and most importantly employees. DMARC works on 2 pillars SPF and DKIM and even though enforcement can be achieved by implementing either one of those however there is always a possibility that unforeseeable issues might arise which may lead to all your genuine emails getting blocked. Hence it is always advised to have a backup plan in place by implementing both SPF and DKIM before moving on the DMARC enforcement.


SPF and DKIM address two different, but vital, aspects of email security. In a nutshell, SPF allows email senders to define which IP addresses are allowed to send mail for a particular domain. DKIM on the other hand, provides an encryption key and digital signature that verifies that an email message was not forged or altered.

DKIM helps improve email deliverability and when combined with SPF, and Domain-based Message Authentication, Reporting, and Conformance (DMARC) it can play a critical role in preventing email spoofing.  Having both protocols in place is always a safer option to ensure smoother deliverability and an additional layer of email security.

Click here to check if your SPF, DKIM & DMARC Records are aligned properly or if you haven’t started your DMARC journey yet, reach out to us to know more about ProDMARC.