SPF, DKIM, and DMARC all work together to increase trust in your domain and improve delivery of your e-mail to inboxes. But the important thing to remember is that the recipient e-mail system is free to handle your e-mails in any way it wants. So there is no guarantee that any one of these mechanisms is implemented properly on the receiving side.
The biggest thing about SPF and DKIM alone is that neither does anything to ensure that the From header is authenticated. This is the e-mail address that your recipient sees in their mail client. So, on their own, they are not effective for determining whether what the end user sees is authentic.
SPF only checks the domain in the Return-Path (aka Envelope From) used in the SMTP transaction. This isn't an address the end user sees.
DKIM only cares about the domain specified in the d= parameter of the DKIM-Signature header. Again, the end user does not see this.
DMARC fixes this: it requires "alignment" to be correct on either SPF or DKIM.
- For SPF to be in "alignment", the domain in the From header must match the domain in the Return-Path header. This is rarely possible when sending e-mail through a third-party bulk mail provider, because the Return-Path is where bounces and complaints go so the provider can track them, and it is usually an address on a domain the third party manages. This is why you see SPF failures in your DMARC reports.
- For DKIM to be in "alignment", the domain specified in the d= field of the DKIM-Signature header must match the domain in the From header. This can be accomplished by making sure the third-party sender (e.g. Mailchimp) is properly configured for DKIM signing with your domain and that you have added the appropriate DNS records to your domain.
This "alignment" check ensures that what the end user sees in their e-mail client is authenticated by either SPF or DKIM. If a passing SPF result or DKIM signature is in alignment with the From header (what the end user sees), the message passes DMARC. Otherwise, it fails DMARC.
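One way to implement the alignment check described above, as an added example that is not from the original post. The function and variable names (dmarc_result, aligned, BULK_MAIL) and the sample addresses are assumptions; the strict=False branch goes beyond the post with a simplified "relaxed" mode that also accepts a subdomain.

```python
"""Added example, not code from the original post: a DMARC alignment check.
A message passes if a passing SPF result's Return-Path domain matches the
From domain, or a passing DKIM signature's d= domain matches the From domain.
Exact (strict) matching is what the post describes; strict=False goes beyond
it with a simplified relaxed mode. Sample addresses below are constructed."""
from typing import Optional, Tuple
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address; a display name is tolerated."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(auth_domain: str, from_domain: str, strict: bool = True) -> bool:
    """Strict: exact match. Relaxed (simplified): also accept a subdomain of the
    From domain. Real relaxed alignment compares organizational domains from
    the Public Suffix List, which this example does not implement."""
    if auth_domain == from_domain:
        return True
    return not strict and auth_domain.endswith("." + from_domain)


def dmarc_result(from_header: str, return_path: str, spf_pass: bool,
                 dkim_d: Optional[str], dkim_pass: bool,
                 strict: bool = True) -> Tuple[str, Optional[str]]:
    """('pass', mechanism) or ('fail', None). spf_pass and dkim_pass are the
    raw mechanism results; alignment is what turns them into a DMARC verdict."""
    from_domain = domain_of(from_header)
    if not from_domain:          # unparsable From: nothing to align against
        return "fail", None
    if spf_pass and aligned(domain_of(return_path), from_domain, strict):
        return "pass", "spf"
    if dkim_pass and dkim_d and aligned(dkim_d.lower(), from_domain, strict):
        return "pass", "dkim"
    return "fail", None


# Bulk-mail provider scenario from the post: SPF passes for the provider's
# bounce domain but does not align; only an aligned DKIM signature (d= set
# to the sender's own domain) carries the message to a DMARC pass.
BULK_MAIL = dict(from_header="Newsletter <news@example.com>",
                 return_path="<bounce-42@bounces.bulkmailer.example>",
                 spf_pass=True, dkim_d="example.com", dkim_pass=True)

if __name__ == "__main__":
    print(dmarc_result(**BULK_MAIL))                          # ('pass', 'dkim')
    print(dmarc_result(**{**BULK_MAIL, "dkim_pass": False}))  # ('fail', None)
```

The second call shows the case the post warns about: without DKIM signing for your own domain, a third-party sender's passing SPF is not enough and the message fails DMARC.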
Note that these protocols only scrutinize the domain-name portion of the e-mail address, the part after the @ sign. None of them checks the validity of the username portion, the part before the @ sign.
So you can see that both SPF and DKIM are necessary for DMARC to be fully functional, and all three are necessary for proper mail flow. Even so, not all recipient e-mail systems implement the standards in the same way, or correctly.
A huge frustration for systems administrators is that a ton of senders still have not configured these three standards properly when sending e-mail. And, sadly, the basic principles above are rarely explained properly anywhere.