I always thought that to authenticate email we needed both SPF and DKIM (and DMARC). But email is confusing and recently I found myself asking why we can't do with just SPF or DKIM. I then discovered that the problem with using just SPF is that automatic forwarding will break (at least if we check alignment with the From header).

But why can't we use just DKIM? Especially since apparently DMARC succeeds if either SPF or DKIM succeeds. Is there any added value to also deploying SPF?

This answer mentions replay prevention. Is this a valid reason? And still: what about automatic forwarding?

SWdV
  • @SteffenUllrich Partially; you mention the security of outdated clients, which is indeed an important reason, but say that every client would be up-to-date, what would then be the reasons to still deploy SPF, if any? – SWdV Feb 11 '20 at 16:06
  • *"... you mention the security of outdated clients ..."* - Do I? I'm not aware of this. But anyway, since I think that this is basically the same question as the other one it would be more useful to discuss details of my answer there and not here. – Steffen Ullrich Feb 11 '20 at 16:11
  • @SteffenUllrich I see clients that don't implement DKIM/DMARC as outdated, but this is more of a terminology thing. So are you saying that these clients are the only reason to implement SPF, and there are no benefits for clients that support DKIM & DMARC? – SWdV Feb 11 '20 at 16:25
  • Again: *"... since I think that this is basically the same question as the other one it would be more useful to discuss details of my answer there and not here."* – Steffen Ullrich Feb 11 '20 at 17:39
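
The interaction the question asks about, as an added example that is not part of the original thread: DMARC passes when either SPF or DKIM passes with a domain aligned to the From header, so automatic forwarding breaks an SPF-only setup but not one that also signs with DKIM. All domains and scenarios are constructed, and `org_domain` is a simplifying assumption (real evaluators use the Public Suffix List).

```python
def org_domain(domain):
    # Assumption: "last two labels" stands in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(from_domain, spf_result, mail_from_domain, dkim_sigs,
               aspf="r", adkim="r"):
    """dkim_sigs is a list of (result, d= domain) pairs, one per signature."""
    spf_ok = (spf_result == "pass"
              and aligned(mail_from_domain, from_domain, aspf == "s"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim == "s")
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed scenarios for a message with "From: alice@example.org".
SCENARIOS = {
    # Sent straight from example.org's own servers.
    "direct": dict(spf_result="pass", mail_from_domain="bounce.example.org",
                   dkim_sigs=[("pass", "example.org")]),
    # Forwarder keeps the envelope sender; its IP is not in example.org's SPF.
    "forwarded_envelope_kept": dict(spf_result="fail",
                                    mail_from_domain="bounce.example.org",
                                    dkim_sigs=[("pass", "example.org")]),
    # Forwarder rewrites the envelope sender: SPF passes, but for its own domain.
    "forwarded_envelope_rewritten": dict(spf_result="pass",
                                         mail_from_domain="forwarder.example.net",
                                         dkim_sigs=[("pass", "example.org")]),
    # Same forward, but the sender never deployed DKIM.
    "forwarded_spf_only": dict(spf_result="pass",
                               mail_from_domain="forwarder.example.net",
                               dkim_sigs=[]),
}

def run_scenarios():
    return {name: dmarc_eval("example.org", **s) for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30} {verdict}")
```
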

0 Answers