
How can a phishing email pass SPF and DKIM authentication checks?

Michael Ko
Co-founder & CEO, Suped
Published 13 Aug 2025
Updated 19 Aug 2025
9 min read
It's a frustrating and often perplexing scenario: a phishing email bypasses the very security measures designed to stop it. We rely on protocols like SPF and DKIM to verify senders and ensure email authenticity, so when a malicious message sails through with PASS results, it raises serious questions about our defenses. I've seen this happen, and it's a stark reminder that email security is a multi-layered challenge.
The core purpose of email authentication is to prevent domain spoofing, where attackers send emails appearing to originate from a legitimate source. Sender Policy Framework (SPF) checks if the sending IP address is authorized by the domain owner. DomainKeys Identified Mail (DKIM) adds a digital signature to the email, allowing recipient servers to verify that the message hasn't been tampered with and truly came from the signed domain. These are powerful tools, but they aren't foolproof on their own.
Understanding how these sophisticated phishing attempts manage to bypass SPF and DKIM requires a deeper dive into their mechanics and common attack vectors. It often comes down to clever exploitation of authentication nuances or relying on the absence of a comprehensive email security strategy, particularly regarding DMARC.

The foundations of email authentication

To grasp how a phishing email can slip past SPF and DKIM, it helps to understand their individual roles. SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses authorized to send email on behalf of a domain. When an email arrives, the recipient server looks up the record for the envelope sender (MAIL FROM) domain and checks the connecting IP against it. If the IP isn't listed, the result depends on the record's final qualifier: -all yields fail, ~all yields softfail, and a sloppy +all lets any IP pass. Note that SPF evaluates the envelope sender, not the From header the user sees. For more details on how these standards work, see our guide on how email authentication standards work.
On the other hand, DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that the signed parts of an email haven't been altered in transit and that the signature was produced by the domain named in its d= tag. The sending server adds a DKIM-Signature header, which the recipient server verifies using a public key published in DNS under the signature's selector and signing domain. If the signature doesn't verify, or the signed content has been changed, the DKIM check fails. As with SPF, the domain DKIM vouches for is the one in the signature, which is not necessarily the domain in the visible From header.
These protocols, while foundational, don't necessarily prevent all forms of phishing. Their effectiveness is heavily dependent on proper configuration and, crucially, on the additional layer of protection provided by DMARC. Without DMARC, even if SPF or DKIM checks fail, recipient servers don't have explicit instructions on how to handle the message, and it might still land in an inbox.
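To make the SPF outcomes concrete, here is a small SPF evaluator in Python. It is an added example, not code from this article or from Suped: it resolves ip4, include and all mechanisms against a constructed in-memory zone instead of live DNS, and every domain, record and IP address in it is an assumption. It shows how the same message sent from an authorized address, from a listed include: provider, and from a forwarder's address produces pass, pass and fail, and how +all makes SPF meaningless.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. These domains, records and
# addresses are assumptions for the example, not real published records.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "sloppy.example": "v=spf1 +all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for the connecting IP `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror, using
    the RFC 7208 rule that the first matching mechanism decides the result
    and that an include: only matches when the included record returns pass.
    """
    if depth > 10:
        return "permerror"          # RFC 7208 limits DNS-querying mechanisms to 10
    record = ZONE.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"               # no usable SPF record for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result           # catch-all: decides everything not matched above
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            if spf_check(term[len("include:"):], ip, depth + 1) == "pass":
                return result
        # a, mx, exists and ptr need live DNS and are not modelled here
    return "neutral"                # no mechanism matched and no "all" term


def forwarding_scenarios() -> dict:
    """Results a receiver would see for the same example.com message sent
    directly, via the listed include: provider, and relayed by a forwarder
    (192.0.2.1) that is not in the record."""
    return {
        "direct": spf_check("example.com", "203.0.113.7"),
        "via_include": spf_check("example.com", "198.51.100.10"),
        "forwarded": spf_check("example.com", "192.0.2.1"),
        "softfail_only": spf_check("_spf.mailer.example", "192.0.2.1"),
        "plus_all": spf_check("sloppy.example", "192.0.2.1"),
    }


if __name__ == "__main__":
    for name, result in forwarding_scenarios().items():
        print(f"{name:>14}: {result}")
```

The forwarded case is the one that matters for the rest of this article: the forwarder's IP is not in example.com's record, so SPF returns fail even though the message is genuine, and only an intact DKIM signature can rescue it at the DMARC stage.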

How phishing emails can pass authentication

One of the most concerning ways a phishing email can pass SPF and DKIM is through compromised domains or accounts. If an attacker gains unauthorized access to a legitimate sending infrastructure or an email account, they can send emails that genuinely originate from an authorized source. In such cases, the SPF record will validate the sending IP, and the DKIM signature will be valid because the attacker is using the real infrastructure or keys. This is a primary method for how spammers send emails from real addresses.
Another vulnerability arises from weak DMARC policies. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the protocol that tells receiving mail servers what to do with a message when neither SPF nor DKIM passes for a domain aligned with the one in the From header. If a domain has a DMARC policy set to p=none, the domain owner is only collecting reports and not instructing recipients to quarantine or reject unauthenticated email. In that case, an attacker who spoofs the domain from unauthorized infrastructure will fail SPF and DKIM, but because no enforcing policy is published, nothing instructs the receiver to act, and the message can still be delivered. For more on this, check out our guide on simple DMARC examples.
Email forwarding can also produce mixed results that are easy to misread. When a message is forwarded, the connecting IP becomes the forwarder's, so SPF for the original sender fails. If the forwarder leaves the message untouched, the DKIM signature still verifies and DMARC can pass on DKIM alone; if the forwarder rewrites the message (mailing lists that add a subject tag or footer are the usual case), DKIM breaks too and DMARC fails. ARC (Authenticated Received Chain) lets a forwarder seal the authentication results it observed so the final receiver can take them into account, but not all systems implement it. You can learn more about how email forwarding affects validation.

Understanding a compromised domain scenario

Consider the phishing email I encountered that appeared to be from Spamhaus. The headers showed both SPF and DKIM passing for the sending domain aedu.com. This implies that the attackers either compromised the aedu.com domain itself, allowing them to configure DNS records and send email through authorized servers, or leveraged a legitimate but vulnerable email service provider associated with that domain. Note what those PASS results actually prove: the message really came from infrastructure authorized for aedu.com. They say nothing about whether aedu.com has any relationship with the brand named in the display name or body. This is a prime example of how email authentication on its own cannot prevent every attack, especially when the attacker controls the authenticated sending infrastructure.

Beyond authentication: The role of DMARC alignment

While SPF and DKIM verify the sending server and message integrity, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the critical third pillar that dictates what happens when authentication fails. Crucially, DMARC also introduces the concept of alignment. For DMARC to pass, either the SPF-authenticated domain (the envelope MAIL FROM) or the DKIM-signed domain (the d= tag) must align with the domain in the From header that users see. Alignment is relaxed by default, meaning the two need only share the same organizational domain (mail.example.com aligns with example.com); in strict mode (aspf=s, adkim=s) they must match exactly. This alignment is key to preventing spoofing where SPF and DKIM pass for a different domain than the one displayed.
For example, an attacker might send an email where the Mail From (envelope sender) domain passes SPF, and the DKIM signature is valid for a domain they control. However, if the From header (the visible sender) is a spoofed domain that doesn't align with either of these, then DMARC should fail. This is why it's possible for DMARC authentication to fail even when SPF and DKIM pass their individual checks.
In the aedu.com example from my experience, the DMARC check also passed. This indicates that the phishing domain was likely fully under the attacker's control, with correctly configured SPF, DKIM, and DMARC records, including proper alignment between the From header and the authenticated domains. This highlights that simply checking for SPF and DKIM pass isn't enough; the overall DMARC result and the policy enforcement are crucial.
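The following Python block, an added example rather than code from the article, ties the forwarding discussion above and the alignment rules together: it parses the spf= and dkim= clauses of an Authentication-Results header, derives the From domain, applies relaxed or strict alignment, and returns the DMARC verdict. The Public Suffix List subset, the receiver hostname and all constructed header values are assumptions; the aedu.com case mirrors the scenario described above.

```python
import re

# Minimal stand-in for the Public Suffix List, enough for the constructed
# cases below. A real receiver uses the full PSL (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational (registrable) domain, which relaxed alignment compares."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):                       # longer suffix first (co.uk before uk)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: "s" needs an exact match, "r" the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Extract spf= and dkim= clauses from an Authentication-Results header.

    Returns {"spf": (result, mailfrom_domain), "dkim": [(result, d_domain), ...]}.
    Parenthesised comments such as "(2048-bit key)" are dropped first.
    """
    header = re.sub(r"\([^)]*\)", "", header)
    out = {"spf": ("none", ""), "dkim": []}
    for method, result, props in re.findall(r"\b(spf|dkim)=(\w+)((?:\s+[\w.]+=[^;\s]+)*)", header):
        kv = dict(re.findall(r"([\w.]+)=([^;\s]+)", props))
        if method == "spf":
            out["spf"] = (result, kv.get("smtp.mailfrom", "").rsplit("@", 1)[-1])
        else:
            out["dkim"].append((result, kv.get("header.d", "")))
    return out


def from_domain_of(from_header: str) -> str:
    """Domain of the RFC5322.From address, the identifier DMARC protects."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def dmarc_evaluate(from_header: str, auth_results: str, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes iff SPF passed with an aligned MAIL FROM domain, or some DKIM
    signature verified with an aligned d= domain. Both passing for an unrelated
    domain is not enough."""
    fd = from_domain_of(from_header)
    ar = parse_auth_results(auth_results)
    spf_result, spf_domain = ar["spf"]
    spf_ok = spf_result == "pass" and aligned(spf_domain, fd, aspf)
    dkim_ok = any(r == "pass" and aligned(d, fd, adkim) for r, d in ar["dkim"])
    return {"from_domain": fd, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed (From header, Authentication-Results) pairs; all hosts and
# domains here are assumptions made for the example.
CASES = {
    # attacker's own domain authenticates, but the visible From is someone else's
    "unaligned_spoof": (
        "IT Security <it@victim-bank.com>",
        "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce@attacker.net; "
        "dkim=pass (2048-bit key) header.d=attacker.net header.s=sel1",
    ),
    # fully attacker-controlled (or compromised) domain: everything aligns, DMARC passes
    "controlled_domain": (
        '"Spamhaus Alerts" <alerts@aedu.com>',
        "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=alerts@aedu.com; "
        "dkim=pass header.d=aedu.com header.s=k1",
    ),
    # forwarded message: SPF fails on the forwarder's IP, intact DKIM still aligns
    "forwarded": (
        "news@example.com",
        "Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=news@example.com; "
        "dkim=pass header.d=example.com header.s=news",
    ),
}


def run_cases() -> dict:
    return {name: dmarc_evaluate(frm, ar)["dmarc"] for name, (frm, ar) in CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:>18}: dmarc={verdict}")
```

The first case is the one DMARC was designed for: SPF and DKIM both pass, yet the verdict is fail because neither authenticated domain aligns with victim-bank.com. The second case is the article's scenario and passes, which is exactly why a PASS proves provenance, not trustworthiness. Switching adkim to "s" makes a signature from mail.example.com stop aligning with example.com, the knob to turn if subdomain abuse is a concern.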

SPF/DKIM pass without DMARC

  1. Verification: Sending server IP is authorized (SPF) or message is signed (DKIM).
  2. From header: Can be spoofed if the authenticated domain doesn't match the visible domain.
  3. Outcome: Email may still reach the inbox, allowing phishing to succeed.

DMARC with strong policy

  1. Verification: SPF or DKIM must pass, and align with the From header.
  2. From header: Must align with the authenticated domain, preventing visual spoofing.
  3. Outcome: Unauthenticated emails are quarantined or rejected, protecting recipients.

Protecting against sophisticated phishing

The most effective defense against phishing emails passing authentication checks lies in robust DMARC implementation. Moving beyond a p=none policy to p=quarantine or p=reject is crucial. A p=quarantine policy tells recipient servers to place emails failing DMARC into the spam or junk folder, while p=reject instructs them to block such emails entirely. Be precise about what this buys you: your DMARC policy governs mail that carries your domain in the From header, so enforcement stops attackers from spoofing your domain to others and stops mail whose SPF and DKIM results don't align with your domain. It does not filter inbound phishing sent from a domain the attacker fully controls, which is why the aedu.com message passed every check. Against that class of message, the receiving side's anti-phishing filtering and user vigilance have to carry the load.
Regularly monitoring your DMARC reports is also essential. These reports provide invaluable insights into who is sending email on behalf of your domain, including legitimate third-party senders and potential unauthorized senders. By analyzing these reports, you can identify sources of legitimate email that might not be authenticating correctly and, more importantly, detect malicious activity targeting your domain. This proactive approach helps in detecting abuse even if a phishing email manages to sneak through initial authentication layers. Our DMARC monitoring service can assist in this.
Finally, user education remains a vital component of any robust anti-phishing strategy. Even with perfect technical controls, a well-crafted phishing email can still trick a user. Training employees to recognize phishing indicators, report suspicious emails, and be cautious of unsolicited requests for information is paramount. This human firewall, combined with strong email authentication and monitoring, provides the best defense against evolving phishing threats.

Example DMARC policy

This DMARC record instructs recipient servers to quarantine 100% of emails that fail DMARC checks, and to send aggregate reports to dmarc-reports@yourdomain.com. pct=100 is the default and can be omitted; it is shown here because a lower value during rollout applies the policy to only that percentage of failing mail, and a forgotten pct=10 is a common way to end up with an enforcement policy that barely enforces.
DMARC TXT record (DNS):
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100;
For Microsoft Defender for Office 365, robust DMARC policies are an integral part of its anti-spoofing and anti-phishing capabilities.
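As an added example (not from the article or Suped), this Python snippet parses a DMARC TXT record into its tags and flags the settings that leave a gap: p=none, sp=none on an otherwise enforcing domain, pct below 100, and a missing rua. The article's own record above comes through with no weaknesses; the second, constructed record shows the findings. Tag semantics follow RFC 7489; the constructed weak record is an assumption.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs (RFC 7489 section 6.3).

    Rejects records that do not begin with v=DMARC1 or lack the required p= tag;
    a receiver treats such a record as if no DMARC policy were published.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate the trailing ";" many records carry
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def audit_dmarc_record(txt: str) -> list:
    """Return (severity, message) findings for settings that let failing mail through."""
    t = parse_dmarc_record(txt)
    findings = []
    p = t["p"]
    if p == "none":
        findings.append(("weak", "p=none: receivers only report; mail failing DMARC still reaches inboxes"))
    sp = t.get("sp", p)                   # subdomain policy inherits p= when sp= is absent
    if sp == "none" and p != "none":
        findings.append(("weak", f"sp=none: subdomains are unprotected although p={p}"))
    pct = int(t.get("pct", "100"))
    if pct < 100 and p != "none":
        findings.append(("weak", f"pct={pct}: the policy is applied to only {pct}% of failing mail"))
    if "rua" not in t:
        findings.append(("weak", "no rua=: no aggregate reports, so unauthorized senders stay invisible"))
    if t.get("aspf", "r") == "r" and t.get("adkim", "r") == "r":
        findings.append(("info", "relaxed alignment (default): any subdomain can authenticate for the From domain"))
    return findings


def weaknesses(txt: str) -> list:
    """Only the findings that actually weaken enforcement."""
    return [msg for sev, msg in audit_dmarc_record(txt) if sev == "weak"]


# The record shown in the article, and a constructed weak one for comparison.
ARTICLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100;"
WEAK_RECORD = "v=DMARC1; p=quarantine; sp=none; pct=25"


if __name__ == "__main__":
    for label, rec in (("article", ARTICLE_RECORD), ("weak", WEAK_RECORD)):
        print(f"{label}: {rec}")
        for sev, msg in audit_dmarc_record(rec):
            print(f"  [{sev}] {msg}")
```

Run this against the record you actually publish (dig TXT _dmarc.yourdomain.com) rather than the one you remember publishing; the sp= and pct= tags in particular tend to survive from an earlier rollout stage.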

Views from the trenches

Best practices
Implement DMARC with a strong policy (p=quarantine or p=reject) to explicitly tell recipient servers how to handle unauthenticated emails, ensuring that even if SPF or DKIM checks are passed through a compromised service, the email is still flagged if DMARC alignment fails.
Regularly monitor your DMARC reports to identify all legitimate sending sources for your domain and detect any unauthorized or suspicious email activity, giving you crucial visibility into potential abuse and allowing for quick action.
Educate your users and employees on recognizing phishing attempts, regardless of authentication status, emphasizing red flags like unusual sender addresses, suspicious links, or urgent demands, as human vigilance remains a critical defense layer.
Ensure all third-party email services, marketing platforms, and transactional email providers are properly configured to pass SPF and DKIM for your domain, and that their 'From' header alignment is correct for DMARC.
Common pitfalls
Leaving DMARC policy at 'p=none' which only monitors email authentication failures without taking any action, allowing phishing emails that spoof your domain to potentially reach inboxes despite failing SPF or DKIM.
Failing to review DMARC aggregate reports regularly, which can lead to missed insights into unauthorized email senders impersonating your domain, or legitimate senders that are not properly authenticated.
Over-reliance solely on SPF and DKIM without DMARC, as these protocols alone do not prevent 'From' header spoofing effectively, especially in scenarios involving email forwarding or subdomain abuse.
Ignoring warnings from DMARC reports about SPF or DKIM misconfigurations, which can inadvertently cause legitimate emails to be flagged as spam and hinder your ability to identify true phishing threats.
Expert tips
Focus on domain alignment: DMARC's true power lies in aligning the 'From' header with the authenticated domains, making it harder for phishers to spoof your visible sender identity.
Layer security measures: Combine DMARC with other email security solutions like advanced threat protection (ATP) and endpoint security to create a comprehensive defense against evolving phishing techniques.
Start with DMARC 'p=none' for monitoring, then gradually transition to 'quarantine' and 'reject' after thoroughly analyzing reports to avoid accidentally blocking legitimate email traffic.
Consider BIMI: Beyond authentication, BIMI (Brand Indicators for Message Identification) allows you to display your brand logo in supported inboxes, adding a visual trust indicator for your legitimate emails. BIMI requires an enforcing DMARC policy (p=quarantine or p=reject), so it is a reason to finish the rollout rather than a substitute for it.
Marketer view
Marketer from Email Geeks says they were surprised when a phishing email passed all authentication checks. It's a reminder that even with SPF and DKIM, malicious messages can sometimes slip through.
2020-02-01 - Email Geeks
Marketer view
Marketer from Email Geeks mentioned receiving a phishing email that claimed to be from Spamhaus and inquired how it could have bypassed their authentication protocols.
2020-02-02 - Email Geeks

Strengthening your email defenses

The experience of receiving a phishing email that passes SPF and DKIM is a stark reminder that email security is an ever-evolving field. While SPF and DKIM are fundamental authentication protocols, they are not, by themselves, sufficient to fully protect against all forms of email fraud.
The most effective defense involves implementing a robust DMARC policy with alignment requirements, instructing recipient mail servers to quarantine or reject unauthenticated emails. This, combined with diligent DMARC report monitoring and ongoing user education, forms a comprehensive shield against increasingly sophisticated phishing attacks.
Remember, email deliverability and security go hand-in-hand. By understanding these nuances and implementing best practices, you can significantly enhance your domain's protection and prevent your brand from being used in malicious campaigns.

