How can a phishing email pass SPF and DKIM authentication checks?
Summary
What email marketers say (9 marketer opinions)
Marketer from Email Geeks shares the authentication results showing DKIM and SPF passed.
Email marketer from Proofpoint explains that impersonation attacks work by sending a message that appears to be from someone the recipient knows or trusts. To maximize the chance that the message will be acted on, attackers register domains very similar to those of well-known brands. This allows them to bypass traditional email authentication controls such as SPF, DKIM and DMARC.
Email marketer and StackExchange user 'domainexpert' explains that if a phisher is sending from an authorized IP address according to the SPF record of the sending domain, and the DKIM signature is valid, the email will pass authentication checks, regardless of its malicious intent. This is because SPF and DKIM only verify the sender's legitimacy, not the content of the email.
Marketer from Email Geeks shares the details of a Spamhaus phishing email they received, including the subject, sender, and a link to download instructions.
Email marketer and Reddit user u/mailauthentication explains that a phishing email can pass SPF and DKIM if the attacker controls the sending domain. If the domain's SPF and DKIM records are properly configured by the attacker, the receiving mail server will authenticate the email as legitimate, even though it's a phishing attempt.
Marketer from Email Geeks notes the absence of DMARC and suggests the attacker may control the domain.
Email marketer from ValiMail explains that in 'internal phishing' scenarios (emails sent from within your own organization), SPF and DKIM will likely pass because the emails are originating from your own servers and are signed correctly. DMARC can provide some protection, but often it's configured in a way that still allows these emails to be delivered.
Email marketer from Email Vendor Guide explains that attackers will use domains that appear legitimate at first glance but contain subtle differences that go unnoticed by the casual user. SPF/DKIM/DMARC are unlikely to help in this scenario as the attacker owns the domain they are sending from, and can configure these standards as they wish.
Marketer from Email Geeks questions why SPF, DKIM, and DMARC didn't prevent the phishing email.
What the experts say (2 expert opinions)
Expert from Word to the Wise (Laura Atkins) explains that domain reputation can be a factor with authentication. If you have set everything up correctly (SPF, DKIM, DMARC, etc.) and have a good reputation, the likelihood is that you'll go through; but if you don't have the above set up and you have a bad reputation, the email will likely fail.
Expert from Spam Resource (John Levine) explains that SPF and DKIM only authenticate the origin of the email, not the content or intent. A phisher who compromises a legitimate email account or uses a look-alike domain with properly configured SPF and DKIM can send emails that pass authentication checks, even if the content is malicious.
What the documentation says (3 technical articles)
Documentation from DMARC.org answers that if a phisher gains control of a legitimate sender's email system, they can send emails that pass SPF and DKIM because they're using the actual authorized infrastructure. DMARC can help mitigate the impact, but it can't completely prevent it if the original systems are compromised.
Documentation from Microsoft Learn explains that phishing emails can pass authentication if a compromised account is used to send the email. Since the email is technically coming from the legitimate account, it passes SPF/DKIM/DMARC checks, making it difficult to detect based on authentication alone.
Documentation from Google Workspace Admin Help explains that SPF can pass if the phisher uses a server authorized to send email for the domain, even if the email is fraudulent. The 'pass' result means the email was sent from a legitimate source for that domain, but not necessarily that the email itself is legitimate.
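The recurring point above is that SPF and DKIM verify where a message came from, not whether it is honest: an attacker-registered lookalike domain with its own DNS records passes (the marketer and Email Vendor Guide opinions), a compromised or internal account passes and even aligns (the ValiMail, DMARC.org and Microsoft entries), and a missing DMARC policy leaves the visible From address unchecked (the Email Geeks observation). The triage helper below, added here as an example and not code from any of the sources quoted, parses an Authentication-Results header, checks relaxed DMARC alignment of the passing identifiers against the visible From domain, and flags From domains that merely resemble a trusted one. The two headers, the From addresses, the domain spamhaus-support.com and the trusted-domain list are all constructed for the example; the organizational-domain and lookalike logic are deliberately simplified heuristics (no public suffix list).

```python
"""Triage example: why 'spf=pass dkim=pass' is not a verdict on legitimacy.

Parses an Authentication-Results header, checks relaxed DMARC alignment against
the visible From domain, and flags From domains that resemble a trusted domain.
All headers, addresses and domains below are constructed for this example.
"""
import re
from difflib import SequenceMatcher

# Constructed sample: attacker-registered lookalike with valid SPF/DKIM of its own, no DMARC.
LOOKALIKE_AUTH = (
    "mx.example.net; spf=pass smtp.mailfrom=bounce.spamhaus-support.com; "
    "dkim=pass header.d=spamhaus-support.com header.s=sel1; dmarc=none"
)
LOOKALIKE_FROM = "Spamhaus Team <abuse@spamhaus-support.com>"

# Constructed sample: compromised internal account, everything passes and aligns.
INTERNAL_AUTH = (
    "mx.example.net; spf=pass smtp.mailfrom=example.com; "
    "dkim=pass header.d=example.com header.s=k1; dmarc=pass"
)
INTERNAL_FROM = "CEO <ceo@example.com>"

TRUSTED_DOMAINS = ["spamhaus.org", "example.com"]  # constructed allow-list


def parse_auth_results(header):
    """Map each method (spf, dkim, dmarc) to (result, {property: value})."""
    _, _, body = header.partition(";")  # drop the authserv-id in front
    results = {}
    for clause in body.split(";"):
        parts = clause.split()
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        results[method.lower()] = (result.lower(), props)
    return results


def org_domain(domain):
    """Simplified organizational domain: last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def from_domain(from_header):
    """Domain of the visible RFC 5322 From address, i.e. what the recipient sees."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def aligned_identifiers(auth, rfc5322_from):
    """Relaxed DMARC alignment: passing identifiers that share the From org domain."""
    target = org_domain(rfc5322_from)
    checks = {"spf": "smtp.mailfrom", "dkim": "header.d"}
    return [
        method for method, key in checks.items()
        if auth.get(method, ("", {}))[0] == "pass"
        and org_domain(auth[method][1].get(key, "")) == target
    ]


def lookalike_of(domain, trusted):
    """Trusted domain that `domain` imitates at the name level; None for an exact match."""
    def norm(d):
        name = org_domain(d).split(".")[0]
        name = name.translate(str.maketrans("0135", "oles"))  # digit-for-letter swaps
        return name.replace("rn", "m").replace("vv", "w").replace("-", "")
    if org_domain(domain) in {org_domain(t) for t in trusted}:
        return None  # the genuine domain, not an imitation
    probe = norm(domain)
    for t in trusted:
        known = norm(t)
        if known in probe or SequenceMatcher(None, probe, known).ratio() >= 0.8:
            return t
    return None


def triage(auth_header, from_header, trusted=TRUSTED_DOMAINS):
    """Separate 'origin verified' (SPF/DKIM pass) from 'message legitimate'."""
    auth = parse_auth_results(auth_header)
    sender = from_domain(from_header)
    authenticated = all(auth.get(m, ("", {}))[0] == "pass" for m in ("spf", "dkim"))
    aligned = aligned_identifiers(auth, sender)
    dmarc = auth.get("dmarc", ("none", {}))[0]
    imitates = lookalike_of(sender, trusted)
    if imitates:
        verdict = f"suspect: {sender} imitates trusted domain {imitates}"
    elif not aligned:
        verdict = "suspect: no passing identifier aligns with the From domain"
    elif dmarc != "pass":
        verdict = "authenticated but unprotected: no DMARC policy evaluated"
    else:
        verdict = "authenticated: origin verified, content and intent still unverified"
    return {"authenticated": authenticated, "aligned": aligned,
            "dmarc": dmarc, "lookalike": imitates, "verdict": verdict}


if __name__ == "__main__":
    for auth, frm in ((LOOKALIKE_AUTH, LOOKALIKE_FROM), (INTERNAL_AUTH, INTERNAL_FROM)):
        print(triage(auth, frm)["verdict"])
```

Run as-is, the lookalike sample is fully authenticated and even aligned (the attacker owns the domain, so alignment is trivially satisfied) yet is flagged only because its name imitates a trusted brand; the compromised-account sample passes every check, which is exactly why detection there has to rest on content, behaviour and account-compromise signals rather than on authentication results.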