Phishing emails can bypass SPF and DKIM authentication checks through a variety of means. SPF and DKIM verify the origin of an email, not its content or intent, so if a phisher controls the sending domain and properly configures SPF/DKIM records, uses a compromised account, leverages 'internal phishing' within an organization, or employs look-alike domains, the emails can pass authentication. DMARC can help, but its absence or misconfiguration, as well as a poor domain reputation, can further enable successful phishing attacks. Essentially, authentication alone is insufficient for preventing phishing; broader security measures are necessary.
9 marketer opinions
Phishing emails can bypass SPF and DKIM authentication checks through several methods. These include the phisher controlling the sending domain and correctly configuring SPF and DKIM for it, compromising a legitimate email account, using 'internal phishing' from within an organization where SPF and DKIM pass, or utilizing look-alike domains. While SPF and DKIM verify that a message came from infrastructure authorized for its domain, they don't verify the email's content or intent. The absence of DMARC or its improper configuration also contributes to successful phishing attacks.
Marketer view
Marketer from Email Geeks shares the authentication results showing DKIM and SPF passed.
31 May 2023 - Email Geeks
Marketer view
Email marketer from Proofpoint explains that impersonation attacks work by sending a message that appears to be from someone the recipient knows or trusts. To maximize the chance that the message will be acted on, attackers register domains very similar to those of well-known brands. This allows them to bypass traditional email authentication controls such as SPF, DKIM and DMARC.
7 Dec 2023 - Proofpoint
2 expert opinions
Phishing emails can bypass SPF and DKIM authentication because these mechanisms primarily verify the origin of the email, not its content or intent. A phisher can compromise legitimate accounts or utilize look-alike domains with proper SPF and DKIM configurations to send emails that pass authentication. Domain reputation also plays a role; a good reputation increases the likelihood of emails passing through, whereas a bad reputation, especially without proper authentication setup, can cause emails to fail.
Expert view
Expert from Word to the Wise (Laura Atkins) explains that domain reputation can be a factor with authentication. If you have set everything up correctly (SPF, DKIM, DMARC, etc.) and have a good reputation, the likelihood is that you'll go through; but if you don't have the above set up and you have a bad reputation, the email will likely fail.
10 Mar 2023 - Word to the Wise
Expert view
Expert from Spam Resource (John Levine) explains that SPF and DKIM only authenticate the origin of the email, not the content or intent. A phisher who compromises a legitimate email account or uses a look-alike domain with properly configured SPF and DKIM can send emails that pass authentication checks, even if the content is malicious.
7 Jan 2025 - Spam Resource
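Proofpoint's point about look-alike domains and John Levine's point that SPF and DKIM authenticate origin rather than intent come down to the same receiver-side check: an aligned pass only tells you the sender controls the From: domain, so the domain itself still has to be judged. The script below is an added example, not code from any of the sources quoted on this page; it parses an Authentication-Results header, applies a simplified relaxed-alignment test (real DMARC compares organizational domains via the public suffix list), and flags From: domains within a small edit distance of a protected brand domain. The protected-domain set and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAINS = {"example-corp.com"}  # assumption: brand domains we defend

# Constructed sample: the attacker registered a look-alike domain and set up
# SPF and DKIM for it, so both checks pass at the receiving MTA.
LOOKALIKE_MSG = """From: Payroll <notice@examp1e-corp.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=examp1e-corp.com;
 dkim=pass header.d=examp1e-corp.com
"""

def levenshtein(a, b):
    """Edit distance, used as a crude look-alike detector."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def aligned(auth_domain, from_domain):
    """Relaxed alignment: same domain or a subdomain (real DMARC uses the PSL)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def classify(raw):
    """Combine Authentication-Results with the From: domain and a look-alike check."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", ar)
    spf_ok = bool(spf and spf.group(1) == "pass" and aligned(spf.group(2), from_domain))
    dkim_ok = bool(dkim and dkim.group(1) == "pass" and aligned(dkim.group(2), from_domain))
    authenticated = spf_ok or dkim_ok  # passing says only that the sender owns this domain
    lookalike = next((d for d in PROTECTED_DOMAINS
                      if d != from_domain and levenshtein(d, from_domain) <= 2), None)
    if from_domain in PROTECTED_DOMAINS and not authenticated:
        verdict = "reject"      # direct spoof of a protected domain
    elif lookalike:
        verdict = "quarantine"  # authenticated, but the domain itself is the lure
    else:
        verdict = "accept" if authenticated else "unauthenticated"
    return verdict, from_domain, authenticated, lookalike
```

Running `classify(LOOKALIKE_MSG)` yields a quarantine verdict even though both SPF and DKIM passed, because the From: domain is one character away from the protected brand.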
3 technical articles
Phishing emails can bypass SPF and DKIM checks because these authentication methods primarily verify the sender's authorization to send emails on behalf of a domain, not the content or intent of the email itself. This can occur when a phisher uses an authorized server, compromises a legitimate account, or gains control of a sender's email system. While DMARC can help mitigate the impact, it cannot completely prevent such attacks when legitimate systems are compromised.
Technical article
Documentation from DMARC.org answers that if a phisher gains control of a legitimate sender's email system, they can send emails that pass SPF and DKIM because they're using the actual authorized infrastructure. DMARC can help mitigate the impact, but it can't completely prevent it if the original systems are compromised.
12 May 2024 - DMARC.org
Technical article
Documentation from Microsoft Learn explains that phishing emails can pass authentication if a compromised account is used to send the email. Since the email is technically coming from the legitimate account, it passes SPF/DKIM/DMARC checks, making it difficult to detect based on authentication alone.
18 May 2023 - Microsoft Learn