1. Help Center
  2. FAQs
  3. Relationship between SPF DKIM DMARC

DMARC needs either SPF or DKIM to pass authentication.

That's correct. In order for a DMARC to pass, an email message must either have a passing SPF or a DKIM result, but not both. This is because SPF and DKIM serve different purposes and provide different types of authentication. In some cases, SPF alignment for DMARC will always fail, even if the email message is authentic. This can happen when the email is sent through an email service provider (ESP) such as Hubspot, Mailchimp or ActiveCampaign that uses a different domain for the Return-Path than the domain used in the From header. Taking that into account, having just DKIM applied on the ESPs mentioned above will mark DMARC as pass, so it won't cause any blockage or false-positive cases on legitimate email flows.