Phishing emails can sometimes bypass SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication checks, a perplexing scenario for many email senders and recipients. This occurs because these protocols primarily verify the technical aspects of the sender, such as the sending server's authorization (SPF) or the message's integrity and signing domain (DKIM), rather than definitively validating the legitimacy of the visible From address itself, especially if it's different from the authenticated domain.
Key findings
Authentication scope: SPF and DKIM primarily verify the technical sender, such as the envelope sender for SPF or the signing domain for DKIM. This technical sender might not always perfectly align with the visible From header (RFC5322.From) that users see.
Attacker control: Phishers can register new, deceptive domains (often lookalike domains) or compromise existing ones. They can then properly configure SPF and DKIM records for these controlled domains, making their malicious emails pass authentication checks for that specific domain.
Lack of DMARC alignment: Without DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF and DKIM alone do not enforce alignment between the authenticated domain and the From header domain. This means an email can pass SPF or DKIM on a technical domain (e.g., a sending service's domain) while spoofing your organizational domain in the From field.
ARC's role: Authenticated Received Chain (ARC) can preserve authentication results across message relays, but it doesn't inherently stop phishing; it merely conveys the original authentication status, which could have been valid for a malicious domain.
Key considerations
DMARC implementation: Implementing a strict DMARC policy (p=quarantine or p=reject) is crucial to enforce alignment and prevent spoofing of your primary domain.
Continuous monitoring: Regular monitoring of DMARC reports is essential to detect unauthorized sending and potential brand impersonation attempts, even those that pass SPF or DKIM initially.
User education: Training users to recognize phishing tactics, even for emails that appear authenticated, remains a critical defense layer, as highlighted in preventing phishing warnings in Gmail.
Layered security: Relying solely on SPF and DKIM is insufficient. A multi-layered security approach, including DMARC and advanced threat detection, is necessary to mitigate phishing risks effectively.
Email marketers often face the perplexing situation where phishing emails manage to bypass standard authentication checks. This can lead to confusion and concern, as the very tools designed to protect their brand and recipients appear to have failed. Their experiences highlight the ongoing cat-and-mouse game between legitimate senders and malicious actors.
Key opinions
Initial skepticism: Many marketers express immediate skepticism when receiving unexpected or unusual emails, even if they appear to originate from familiar, reputable brands like Spamhaus.
Authentication not foolproof: There's a common understanding that simply passing SPF and DKIM authentication does not automatically equate to a legitimate email, especially in the face of sophisticated phishing attempts.
Focus on headers: Marketers often resort to checking raw email headers for deeper insights and a clearer picture of authentication results, as discussed in troubleshooting Office 365 authentication failures.
DMARC necessity: Many marketers acknowledge that DMARC adds a crucial layer of protection, particularly through its alignment checks, that SPF and DKIM alone cannot provide against certain types of spoofing.
Suspected compromise: When phishing emails surprisingly pass authentication, marketers often suspect compromised accounts, malicious subdomains, or completely bogus domains controlled by the attackers.
Key considerations
User awareness: Marketers emphasize the importance of educating their audience about phishing techniques and how to identify suspicious emails, regardless of whether they appear to pass authentication. For example, Higher Logic highlights that email authentication helps maintain brand reputation, but user vigilance is still key.
Brand protection: Maintaining strong email authentication helps protect brand reputation by preventing malicious actors from effectively spoofing the brand's primary domain.
Proactive monitoring: Regular checks of email deliverability and authentication records are seen as vital for catching issues early and maintaining a clean sending reputation, particularly when monitoring DMARC success rates.
Holistic approach: A comprehensive strategy combining robust authentication (SPF, DKIM, DMARC), content filtering, and continuous user education is recommended to combat sophisticated phishing attempts effectively.
Marketer view
Marketer from Email Geeks expresses skepticism when receiving unexpected emails, even from reputable sources. It's surprising how convincing some of these phishing attempts can be initially.
1 Feb 2020 - Email Geeks
Marketer view
Marketer from Email Geeks expresses surprise that SPF, DKIM, and DMARC did not prevent a specific phishing email from reaching the inbox. This highlights a common misconception about the absolute protection these protocols offer.
1 Feb 2020 - Email Geeks
What the experts say
Email deliverability experts continually analyze the evolving landscape of phishing attacks, particularly those that bypass initial SPF and DKIM authentication. Their insights often delve into the technical nuances of how these protocols function, as well as the specific tactics malicious actors employ to exploit any existing gaps or misconfigurations. They consistently advocate for layered security measures.
Key opinions
Domain control: Experts confirm that if an attacker controls a domain (even a newly registered, deceptive one), they can configure SPF and DKIM records properly for that domain, allowing their phishing emails to pass authentication checks on a technical level.
Alignment is key: They stress that SPF and DKIM, without DMARC's alignment check, do not inherently protect the visible From: header domain from spoofing. This is why DMARC authentication failures can still occur even if SPF and DKIM pass.
Legitimate infrastructure abuse: Some sophisticated phishing attacks exploit legitimate, but vulnerable, sending infrastructure or compromised accounts (e.g., cloud services) to send emails that pass authentication because the sending domain is technically authorized.
Lookalike domains: Experts frequently note the use of lookalike domains by phishers to trick recipients into believing an email is from a trusted source, even if the domain is slightly altered.
Layered defense: Authentication protocols are part of a larger security ecosystem. No single protocol guarantees complete protection against all forms of phishing. Supplementary measures, like content filtering, are vital.
Key considerations
Robust DMARC policy: Experts strongly advise moving DMARC policies beyond p=none to quarantine or reject to enforce sender authenticity and prevent direct domain spoofing.
Subdomain management: Careful management and monitoring of subdomains are necessary, as these can be exploited in phishing campaigns if their authentication is not properly configured or aligned, especially concerning domain alignment best practices.
Third-party sending: When using third-party senders for email, ensuring they properly handle SPF, DKIM, and DMARC alignment for your domain is critical to prevent spoofing by bad actors.
Threat intelligence: Leveraging threat intelligence feeds and blocklists (or blacklists) helps identify and block known malicious senders, even if they manage to pass basic authentication checks.
Expert view
Expert from Email Geeks suggests that sophisticated phishing attacks often involve compromised legitimate accounts or subdomains, which then send emails that pass initial authentication checks. This makes detection much harder for recipients.
5 Feb 2020 - Email Geeks
Expert view
Expert from Email Geeks observes that attackers can register and configure their own domains with valid SPF and DKIM records to evade basic authentication checks. This strategy allows them to appear legitimate without compromising an existing domain.
6 Feb 2020 - Email Geeks
What the documentation says
Official documentation and technical specifications for SPF, DKIM, and DMARC meticulously outline how these protocols function and their intended scope. While these standards are powerful tools against email fraud, their specifications also implicitly highlight scenarios where their individual checks might be insufficient to stop every sophisticated phishing tactic, especially without the critical alignment capabilities of DMARC.
Key findings
SPF verification: SPF records let a receiving server check whether the connecting IP address is authorized to send mail for the domain in the envelope sender (the SMTP MAIL FROM, which usually appears as the Return-Path header once the message is delivered), not for the domain in the visible From: header.
DKIM signature: DKIM attaches a cryptographic signature so receivers can verify that the signed headers and body were not altered in transit and that the signing domain (the d= tag in the signature) takes responsibility for the message; the DKIM selector only identifies which published public key to use for verification.
DMARC alignment: DMARC unifies SPF and DKIM results and, crucially, requires that the domain in the From: header (RFC5322.From) aligns with the SPF or DKIM authenticated domain for a 'pass' result.
Exploitable gaps: Without DMARC, an email can pass SPF or DKIM if the mail server or signing domain is authorized, even if the From: header domain is spoofed. This is a common method for phishing emails to slip through.
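A compact model of the alignment check described above and in the earlier "Authentication scope" and "Lack of DMARC alignment" findings, as an added example that is not code from the original page or any vendor it cites. The domains example.com, mailer-service.example, esp.example and examp1e.com are constructed sample values, and the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup real DMARC implementations perform.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplification (assumption): real DMARC uses the Public Suffix List;
    # keeping the last two labels is wrong for suffixes like co.uk but is
    # enough for the constructed sample domains below.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ("r") compares organizational domains; strict ("s") needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, what the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF was checked against
    dkim_result: str
    dkim_domain: str   # d= tag of the verified DKIM signature

def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes only if SPF or DKIM passed AND that identifier aligns with From."""
    spf_ok = r.spf_result == "pass"
    dkim_ok = r.dkim_result == "pass"
    spf_aligned = spf_ok and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_aligned = dkim_ok and aligned(r.from_domain, r.dkim_domain, adkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_aligned or dkim_aligned}

def disposition(r: AuthResults, policy: str, aspf: str = "r", adkim: str = "r") -> str:
    """Apply the published p= policy (none / quarantine / reject) to a DMARC failure."""
    if dmarc_evaluate(r, aspf, adkim)["dmarc"]:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed scenarios (sample domains, not real hosts):
# 1. Spoofed From: passes SPF and DKIM on the sending service's own domains.
SPOOFED_VIA_SERVICE = AuthResults("example.com", "pass", "bounce.mailer-service.example",
                                  "pass", "mailer-service.example")
# 2. Attacker-registered lookalike with its own correct SPF and DKIM records.
LOOKALIKE = AuthResults("examp1e.com", "pass", "examp1e.com", "pass", "examp1e.com")
# 3. Legitimate mail signed by a subdomain: passes relaxed, fails strict DKIM alignment.
LEGIT_SUBDOMAIN = AuthResults("example.com", "fail", "bounce.esp.example", "pass", "mail.example.com")

if __name__ == "__main__":
    for name, r in [("spoofed", SPOOFED_VIA_SERVICE), ("lookalike", LOOKALIKE), ("subdomain", LEGIT_SUBDOMAIN)]:
        print(f"{name:10} {dmarc_evaluate(r)} -> p=reject: {disposition(r, 'reject')}")
```

The first scenario is the gap the page describes: SPF and DKIM both pass, yet DMARC fails because neither authenticated identifier aligns with the From: domain, and only a p=quarantine or p=reject policy turns that failure into a blocked message. The lookalike scenario passes every check, which is why DMARC protects your own domain but not recipients from a domain the attacker legitimately controls.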
Key considerations
Full authentication stack: The combined implementation of SPF, DKIM, and DMARC is the recommended standard for comprehensive email authentication and combating spoofing effectively, as outlined in Mailgun's guide.
Policy enforcement: DMARC policies (e.g., p=quarantine, p=reject) are crucial for instructing receiving mail servers on how to handle emails that fail DMARC alignment, proactively blocking or quarantining malicious messages.
Reporting data: DMARC aggregate and forensic reports provide valuable insights into email authentication failures, including potential phishing attempts, enabling domain owners to identify and rectify issues, and helping understand why emails fail at Microsoft.
Domain ownership: Technical documentation implicitly warns that attackers who gain control of a domain (or create a convincing lookalike) can publish their own valid SPF and DKIM records, thereby allowing them to pass authentication for that domain.
Technical article
Higher Logic documentation explains that SPF verifies the sending IP, ensuring it's authorized by the domain owner, while DKIM confirms message integrity and sender authorization via a cryptographic signature. These two work in tandem for foundational authentication.
15 Mar 2024 - Higher Logic
Technical article
TechTarget documentation describes how SPF, DKIM, and DMARC work together to combat spam, phishing, and email spoofing, with DMARC providing the crucial policy enforcement mechanism. It acts as the orchestrator of authentication outcomes.