Yes, you can rely solely on Sender Policy Framework (SPF) while implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC). However, it is important to ensure you pass SPF and are aligning correctly. If SPF fails and you do not authenticate your email with DKIM, your DMARC result will be designated a failure.

Validity recommends that you authenticate all email using DKIM so that if SPF fails, as it does during a forwarding event, DMARC is still able to pass.