The myth of simultaneous double validation in DMARC

With the growing demands of major email providers regarding authentication, configuring DMARC has become a mandatory requirement to ensure that corporate emails do not end up in the spam folder. However, IT and operations departments often face a recurring technical question: is it strictly necessary for an email to pass both SPF and DKIM at the same time to comply with DMARC?

The short, direct answer is no. For an email to pass DMARC validation, it is enough for it to comply with one of the two.

DMARC's evaluation logic is deliberately flexible. The result is a logical OR: it is enough for one of the two conditions to be fully met (SPF validated and aligned, OR DKIM validated and aligned) for the message to pass the DMARC check at the receiving server.

Results matrix: Validation scenarios

To understand how these protocols interact on the mail server, the following table shows the different possible scenarios and their final DMARC outcome:

SPF   | DKIM  | SPF aligned | DKIM aligned | DMARC result
------|-------|-------------|--------------|-------------
PASS  | FAIL  | Yes         | -            | PASS
FAIL  | PASS  | -           | Yes          | PASS
PASS  | PASS  | Yes         | Yes          | PASS
PASS  | PASS  | No          | Yes          | PASS
PASS  | PASS  | Yes         | No           | PASS
PASS  | PASS  | No          | No           | FAIL
PASS  | FAIL  | No          | -            | FAIL
FAIL  | PASS  | -           | No           | FAIL
FAIL  | FAIL  | -           | -            | FAIL

(A dash means alignment is not evaluated because that check itself failed.)

As shown in the matrix, an email may technically fail SPF or DKIM, but if the other protocol passes and is aligned, DMARC returns a favourable result (PASS). Conversely, a protocol that passes its technical test but is not aligned contributes nothing to DMARC: if neither protocol is both passing and aligned, DMARC fails.

Exceptional cases

The RFC 7489 standard (which defines DMARC) does exactly two things:

  • It defines the rules for calculating whether an email passes or fails.
  • It allows the domain owner to suggest what to do in case of failure (p=none, quarantine, or reject).

However, the standard makes it very clear that the receiving server has the final say. Microsoft, Google, Proofpoint or any system administrator may apply local policies that are stricter (or more lenient) than the standard itself, such as requiring both DKIM and SPF to pass at the same time.

If the destination server’s heuristic filter decides that an email is dangerous because the DKIM signature is corrupt, it will happily ignore the fact that SPF passes and throw the email in the bin to protect its user. The standard proposes the baseline, but the owner of the destination mailbox imposes the law.

What exactly does it mean for a protocol to be “aligned”?

DMARC adds a further security layer because it is not satisfied with SPF or DKIM merely passing their basic technical tests. It also requires that the domain validated by each protocol match the visible domain the user sees in the message header, specifically in the From: field (or be an authorised subdomain of it).

Below, we analyse how alignment works in each case:

1. SPF alignment

Imagine your email shows the following address in the inbox: From: invoices@company.com. If the sending SMTP server uses the return path MAIL FROM: bounces@company.com in the SMTP envelope (which the recipient never sees), and the SPF record for company.com authorises that server's IP, SPF passes the test and, furthermore, DMARC considers it aligned because both domains match.

However, if an external provider uses its own return path (MAIL FROM: bounces@email-provider.com), then even though the provider's SPF record is technically correct and returns PASS, DMARC treats SPF as not aligned, since the provider's domain does not match yours, and that SPF pass cannot on its own make the message pass DMARC.

2. DKIM alignment

The logic is identical for the cryptographic signature. If the email header is digitally signed, the domain parameter of the signature is d=company.com (or a subdomain of it such as d=mail.company.com, which DMARC's default relaxed alignment accepts), and the receiving server validates the signature correctly against the public key published in company.com's DNS, DMARC considers DKIM aligned.
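The alignment rules just described and the results matrix above, worked as an added example that is not part of the original article: the evaluator below computes identifier alignment under DMARC's relaxed and strict modes (simplified: the organisational domain is taken to be the last two DNS labels, where a real receiver consults the Public Suffix List), derives the DMARC verdict from the SPF and DKIM results, and re-derives the nine rows of the matrix. The require_both flag models the stricter local policy a receiver may apply, as discussed under "Exceptional cases". All domain names are constructed.

```python
"""Added example (not from the original article): deriving the DMARC verdict
from SPF/DKIM results and identifier alignment.

Assumption (not on the page): the organisational domain is approximated by the
last two DNS labels; real receivers use the Public Suffix List.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def org_domain(domain: str) -> str:
    """Simplified organisational domain: mail.company.com -> company.com.
    (Assumption: two labels. A real implementation must handle e.g. co.uk.)"""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str = "relaxed") -> bool:
    """Identifier alignment between an authenticated domain and the From: domain.

    strict : the two domains must be identical.
    relaxed: they must share the same organisational domain (subdomains pass).
    """
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "strict" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str                 # domain in the visible From: header
    spf_result: str                  # "pass" or "fail" from the SPF check
    mail_from_domain: Optional[str]  # envelope MAIL FROM domain (None if SPF failed)
    dkim_result: str                 # "pass" or "fail" from signature verification
    dkim_d: Optional[str]            # d= tag of the verified signature (None if none verified)


def dmarc_verdict(r: AuthResults, mode: str = "relaxed", require_both: bool = False) -> str:
    """RFC 7489 logic: pass if at least one mechanism passed AND is aligned.
    require_both=True models a receiver's stricter local policy."""
    spf_ok = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, mode)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_d, r.from_domain, mode)
    ok = (spf_ok and dkim_ok) if require_both else (spf_ok or dkim_ok)
    return "pass" if ok else "fail"


# Constructed domains used to reproduce the article's matrix.
FROM_DOMAIN = "company.com"
ALIGNED_DOMAIN = "company.com"           # same organisation as From:
UNALIGNED_DOMAIN = "email-provider.com"  # a third-party provider's domain


def matrix(require_both: bool = False) -> List[Tuple[str, str, str, str, str]]:
    """Re-derive the results matrix: (SPF, DKIM, SPF aligned, DKIM aligned, DMARC).
    Alignment is shown as '-' when the check itself failed."""
    rows = []
    for spf in ("pass", "fail"):
        for dkim in ("pass", "fail"):
            spf_domains = (ALIGNED_DOMAIN, UNALIGNED_DOMAIN) if spf == "pass" else (None,)
            dkim_domains = (ALIGNED_DOMAIN, UNALIGNED_DOMAIN) if dkim == "pass" else (None,)
            for sd in spf_domains:
                for dd in dkim_domains:
                    r = AuthResults(FROM_DOMAIN, spf, sd, dkim, dd)
                    rows.append((
                        spf.upper(), dkim.upper(),
                        "-" if sd is None else ("Yes" if aligned(sd, FROM_DOMAIN) else "No"),
                        "-" if dd is None else ("Yes" if aligned(dd, FROM_DOMAIN) else "No"),
                        dmarc_verdict(r, require_both=require_both).upper(),
                    ))
    return rows


if __name__ == "__main__":
    for row in matrix():
        print(" | ".join(f"{c:<5}" for c in row))
```

Running the script prints the same nine rows as the matrix above (five PASS, four FAIL); calling matrix(require_both=True) leaves only the row in which both mechanisms pass and align, which is exactly the effect of the stricter receiver policy described earlier.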

Practical recommendation for your company’s infrastructure

Although DMARC's evaluation logic only requires a single aligned protocol, best practice in production environments and corporate communications is to always configure both SPF and DKIM, simultaneously and correctly.

Implementing double validation provides two strategic advantages for deliverability:

  • Greater resilience to forwarding: When an end user automatically forwards an email to another account (for example, from a corporate account to their personal Gmail account), the message is re-sent from the forwarding server's IP, which is not in your SPF record. This immediately breaks SPF validation. If the email carries an aligned DKIM signature, the message keeps its DMARC authentication intact, because the signature is stored in the message headers and travels with it.
  • Sender domain reputation: Having both security layers drastically reduces the likelihood that your legitimate campaigns or communications will trigger false positives in the antispam filters of demanding providers such as Microsoft or Google, ensuring fast, smooth communication without friction.

Frequently asked questions (FAQs)

Is it safe to operate a DMARC policy based on SPF alone?
It is not recommended. Relying solely on SPF exposes your infrastructure to delivery failures if your messages are forwarded or processed by mailing lists, as the source IP will change during transit and DMARC will fail when SPF breaks.

What happens if my DMARC record returns a FAIL result?
It will depend on the policy configured in your DNS record (p=none, p=quarantine or p=reject). If you are in none mode, the email will be delivered but the error will be logged in your weekly reports; if you are in reject mode, the destination server will block the email immediately, preventing the recipient from receiving it.

Do eEvidence tools automate these configurations?
Yes. By integrating professional communication and signature solutions, trusted infrastructure platforms provide precise instructions for configuring SPF records and DKIM keys in your DNS selectors in an aligned manner. This ensures that your notifications and emails generate unalterable evidence with 100% DMARC compliance.


Conclusion

DMARC’s technical design aims to protect companies’ identity without blocking legitimate internet traffic. Understanding that simultaneous approval of SPF and DKIM is not required, but that they operate as complementary channels, allows systems teams to diagnose and resolve delivery problems more quickly.

The golden rule for guaranteeing maximum legal security and commercial deliverability is clear: always configure both protocols seeking perfect alignment with your corporate domain. In this way, your organisation will gain immunity against identity spoofing attacks (phishing) and maintain an impeccable reputation with all your clients’ mail servers.
