Answer to "Can I set up DMARC without SPF?" is wrong

[link2xt]

If you set up DMARC without SPF, it's like the security guard is missing one of its tools. It can still use DKIM to check emails, but it won't be as effective.

DMARC fails if both SPF and DKIM fail, so if you set up DMARC without SPF, DMARC will always fail if DKIM fails. This will result in more failures than if you set up SPF and DKIM, so it is "more effective".

SPF is a legacy mechanism relying only on source IP addresses and no cryptography, it offers similar security to TCP wrappers. Making SPF always fail and relying only on DKIM is more secure, the only reason to use SPF is when you care about deliverability more than authentication of emails.

If there is no SPF policy, SPF will produce a "none" result and not "pass". DMARC passes if either DKIM or SPF produces a "pass" result, so if you don't setup SPF at all it is more secure according to DMARC RFC.

[nicanorflavier]

Hi there, thanks for your review there.
What would you suggest in this case to improve the content?
Would you want to raise a PR so I can see your changes?
If all good then I can merge that to main branch and you listed as contributor, cheers.