How DMARC relates to SPF and DKIM

Domain-based Message Authentication, Reporting & Conformance (DMARCClosedDomain-based Message Authentication, Reporting & Conformance) verification requires that either Sender Policy Framework (SPFClosedSender Policy Framework) or DomainKeys Identified Mail (DKIMClosedDomainKeys Identified Mail) validation checks pass. This means that if domain owners publish a DMARC DNS record, they must also publish a valid SPF or DKIM DNS record.

When you enable DMARC verification and the Clearswift Gateway detects a DMARC DNS record for the sender’s domain, the Clearswift Gateway automatically carries out SPF and DKIM checks, even if you have these checks disabled in the Clearswift Gateway. If either an SPF or DKIM check passes (and the DMARC domain alignment checks pass), then DMARC verification passes.

 

Clearswift recommends that you leave SPF and DKIM enabled in the Clearswift Gateway when DMARC is enabled. Although having SPF and DKIM disabled does not affect DMARC verification, having them enabled results in more reliable spoof detection for domains that publish SPF or DKIM records but not DMARC records.

When more than one Clearswift Gateway validation check triggers (for example, both DMARC and SPF trigger), the action taken by the Clearswift Gateway is the highest priority action assigned to the triggering validation checks. The priority order of actions is as follows (highest priority first):

 

If you whitelist a host for SPF or DKIM then whitelisting applies to the SPF or DKIM validation check only. Whitelisting a host for SPF or DKIM does not count as an SPF or DKIM pass for DMARC purposes.

If you whitelist a host for DMARC, then the Clearswift Gateway ignores (assumes they pass) SPF and DKIM results for DMARC purposes only.

See also...