How can a phishing email pass SPF and DKIM authentication checks?

Summary

Phishing emails can pass SPF and DKIM checks because those mechanisms authenticate a message's origin, not its content or intent: SPF confirms that the connecting server is authorized by the envelope-sender domain, and DKIM confirms that the signing domain's key vouches for the message. If a phisher controls the sending domain and publishes valid SPF and DKIM records, sends from a compromised account, leverages 'internal phishing' from an organization's own mail systems, or registers a look-alike domain, the message is authenticated exactly as the protocols intend. DMARC adds the requirement that the authenticated domain align with the visible From: address and tells receivers what to do on failure, but its absence or a monitoring-only policy leaves spoofed mail deliverable, and no DMARC policy helps when the attacker legitimately owns or controls the authenticated domain. Domain reputation is a separate filtering signal: a poor reputation makes mail more likely to be flagged even when authentication passes. Authentication alone is therefore insufficient for preventing phishing; broader security measures are necessary.

Key findings

  • Domain Control: Attackers who control the sending domain can configure SPF and DKIM to pass authentication.
  • Compromised Accounts: Emails from compromised accounts pass authentication since they originate from a legitimate source.
  • Internal Phishing: Emails originating from within an organization can bypass checks if internal systems are compromised.
  • Look-Alike Domains: Subtly different domains that mimic legitimate ones pass authentication for themselves; SPF, DKIM and DMARC protect only the exact domain they are published for, not domains that merely resemble it.
  • Authentication vs. Content: SPF and DKIM only verify the source, not the content, leaving room for malicious intent.
  • DMARC's Role: DMARC ties SPF/DKIM results to the From: domain and instructs receivers on failures, but it cannot help when the sending infrastructure itself is compromised or when the policy is absent or set to monitoring only.
  • Domain Reputation: A poor domain reputation increases the likelihood of emails being flagged as spam, even with SPF/DKIM in place.
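
The findings above turn on one distinction: an SPF or DKIM "pass" is a statement about a domain, and only DMARC alignment checks whether that domain is the one the recipient actually sees in From:. The script below is an added example, not code from the original page or from any of the sources it cites. It parses a constructed Authentication-Results header, applies relaxed DMARC alignment, and then runs the look-alike comparison that no authentication protocol performs. The domains (brand-example.com, brand-examp1e.com, attacker.example), addresses and header values are all hypothetical, and the organizational-domain and confusable logic are deliberately simplified stand-ins for the Public Suffix List and Unicode confusables data.

```python
"""DMARC alignment and look-alike check over Authentication-Results headers.
Added example, not code from the original page; every address, domain and
header value below is constructed for illustration."""
import re
from email.utils import parseaddr
from typing import Optional

# Hypothetical domains the receiving organization wants to protect.
PROTECTED_DOMAINS = {"brand-example.com"}

# Tiny ASCII confusable table; production checks use Unicode confusables data.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def org_domain(domain: str) -> str:
    """Reduce a domain to its organizational domain (last two labels).
    Real DMARC uses the Public Suffix List; this is a simplification."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(value: str) -> str:
    """smtp.mailfrom may be an address or a bare domain; keep the domain part."""
    return value.lower().rsplit("@", 1)[-1]


def parse_auth_results(header: str) -> dict:
    """Pull the SPF and DKIM verdicts and the domain each was evaluated for."""
    out = {}
    m = re.search(r"\bspf=(\w+)(?:[^;]*?smtp\.mailfrom=([^\s;]+))?", header)
    if m:
        out["spf"] = (m.group(1), _domain_of(m.group(2)) if m.group(2) else None)
    m = re.search(r"\bdkim=(\w+)(?:[^;]*?header\.d=([^\s;]+))?", header)
    if m:
        out["dkim"] = (m.group(1), m.group(2).lower() if m.group(2) else None)
    return out


def dmarc_result(from_header: str, auth_results: str) -> str:
    """Relaxed DMARC alignment: pass only if SPF or DKIM passed for a domain in
    the same organization as the visible From: domain. A pass for some other
    domain (the attacker's own) contributes nothing."""
    from_domain = org_domain(_domain_of(parseaddr(from_header)[1]))
    ar = parse_auth_results(auth_results)
    for mech in ("spf", "dkim"):
        verdict, domain = ar.get(mech, (None, None))
        if verdict == "pass" and domain and org_domain(domain) == from_domain:
            return "pass"
    return "fail"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(from_header: str) -> Optional[str]:
    """Return the protected domain this From: domain imitates, if any. This is
    the check authentication cannot perform: the look-alike is the attacker's
    own domain and authenticates perfectly well for itself."""
    d = org_domain(_domain_of(parseaddr(from_header)[1]))
    if d in PROTECTED_DOMAINS:
        return None
    normalized = d.translate(CONFUSABLES)
    for protected in PROTECTED_DOMAINS:
        if normalized == protected or edit_distance(normalized, protected) <= 1:
            return protected
    return None


def assess(from_header: str, auth_results: str) -> dict:
    return {"dmarc": dmarc_result(from_header, auth_results),
            "lookalike_of": lookalike_of(from_header)}


# Constructed sample messages (not real traffic).
SAMPLES = {
    # Genuine mail: both mechanisms pass for the From: domain itself.
    "legit": ("Alerts <alerts@brand-example.com>",
              "mx.receiver.example; spf=pass (sender IP is 192.0.2.10) "
              "smtp.mailfrom=bounce@brand-example.com; "
              "dkim=pass header.d=brand-example.com header.s=s1"),
    # Look-alike domain the attacker owns: fully authenticated, still phishing.
    "lookalike": ("IT Security <security@brand-examp1e.com>",
                  "mx.receiver.example; spf=pass smtp.mailfrom=brand-examp1e.com; "
                  "dkim=pass header.d=brand-examp1e.com header.s=s1"),
    # Direct spoof of the real domain: SPF and DKIM pass, but for the
    # attacker's domain, so nothing aligns with From: and DMARC fails.
    "spoof": ("CEO <ceo@brand-example.com>",
              "mx.receiver.example; spf=pass smtp.mailfrom=attacker.example; "
              "dkim=pass header.d=attacker.example header.s=x"),
}

if __name__ == "__main__":
    for name, (frm, ar) in SAMPLES.items():
        print(f"{name:9s} {assess(frm, ar)}")
```

The three samples map onto the findings: the spoof is the case DMARC was built for (SPF and DKIM both pass, but for attacker.example, so alignment fails), while the look-alike passes every check with a clean "pass" verdict and is caught only by the separate domain-similarity comparison.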

Key considerations

  • Layered Security: Implement layered security measures beyond SPF, DKIM, and DMARC, including content filtering, behavioral analysis, and user education.
  • Strong Authentication Setup: Configure DMARC properly to instruct recipient servers on how to handle unauthenticated emails.
  • Account Security: Use Multi-Factor Authentication and monitoring to prevent account compromise.
  • Domain Monitoring: Monitor for look-alike domains and implement domain protection services.
  • User Awareness: Educate users to recognize phishing emails that bypass standard authentication checks.
  • Reputation Management: Maintain a positive domain reputation by adhering to email best practices.

What email marketers say
9 Marketer opinions

Phishing emails can pass SPF and DKIM authentication checks through several methods. These include the phisher controlling the sending domain and correctly configuring SPF and DKIM, compromising a legitimate email account, using 'internal phishing' from within an organization where SPF and DKIM pass on the organization's own mail flow, or utilizing look-alike domains. SPF and DKIM only authenticate that a message came from infrastructure authorized by a domain or was signed with that domain's key; they don't verify the email's content or intent. The absence of DMARC or its improper configuration also contributes to successful phishing attacks.

Key opinions

  • Control of Sending Domain: Attackers controlling the sending domain can configure SPF and DKIM records to pass authentication checks, even for phishing emails.
  • Compromised Accounts: Phishing emails sent from compromised legitimate accounts will pass SPF and DKIM checks because they originate from a trusted source.
  • Internal Phishing: In internal phishing scenarios, emails originate from the organization's own servers, causing SPF and DKIM to pass, making detection more challenging.
  • Look-alike Domains: Attackers register domains similar to legitimate brands and configure SPF, DKIM and DMARC for them; the mail authenticates for the look-alike domain, which says nothing about the real brand's domain and still tricks recipients.
  • Authentication vs. Content: SPF and DKIM only verify that the sending domain authorized or signed the message, not the content or intent of the email, leaving room for phishing attacks.
  • DMARC Absence/Misconfiguration: The absence or improper configuration of DMARC increases the likelihood of phishing emails successfully bypassing authentication.

Key considerations

  • Beyond Authentication: Email security strategies should extend beyond SPF, DKIM, and DMARC to include content filtering, behavioral analysis, and user education.
  • DMARC Implementation: Properly configure DMARC to instruct receiving mail servers on how to handle unauthenticated emails, such as rejecting or quarantining them.
  • Account Security: Implement robust account security measures, such as multi-factor authentication, to prevent account compromise.
  • Domain Monitoring: Monitor for look-alike domains and implement domain protection services to prevent attackers from registering similar domains.
  • User Training: Educate users on how to identify phishing emails, including those that pass authentication checks, to reduce the risk of successful attacks.
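
The DMARC implementation point above is where most real-world records fall short: a record exists, but it still lets failing mail through. The following is an added example, not code from the original page or from any of the marketers quoted below. It parses a DMARC TXT record (the string returned by a TXT lookup of _dmarc.<domain>) and reports the settings under which receivers will still deliver unauthenticated mail, showing a weak record beside the corrected one. The records and brand-example.com are constructed for illustration.

```python
"""Review a DMARC TXT record for settings that leave failing mail deliverable.
Added example, not code from the original page; records are constructed and
brand-example.com is a hypothetical domain."""
from typing import Dict, List, Optional

# Policy strength order used to compare p= with sp=.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(record: Optional[str]) -> List[str]:
    """Return findings explaining why receivers may still deliver spoofed mail.
    An empty list means the record gives receivers a firm instruction; it says
    nothing about compromised accounts or look-alike domains, which authenticate
    legitimately and never reach the failure path this policy governs."""
    if not record:
        return ["no DMARC record: receivers get no policy, so unauthenticated "
                "mail using this domain is judged on reputation alone"]
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1; receivers ignore it"]
    p = t.get("p")
    if p not in STRENGTH:
        return ["p= tag missing or invalid; receivers ignore the record"]
    findings = []
    if p == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: failing mail is delivered to spam, not rejected")
    sp = t.get("sp")
    if sp is not None and STRENGTH.get(sp, 0) < STRENGTH[p]:
        findings.append(f"sp={sp}: subdomains get a weaker policy than the organizational domain")
    pct = t.get("pct", "100")
    if not pct.isdigit():
        findings.append(f"pct={pct}: not a number")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the failing mail")
    if "rua" not in t:
        findings.append("no rua=: no aggregate reports, so abuse of the domain goes unseen")
    return findings


# Constructed records: the weak forms often found in the wild, and the corrected one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
SUBDOMAIN_GAP_RECORD = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@brand-example.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@brand-example.com")

if __name__ == "__main__":
    for label, rec in [("none", None), ("weak", WEAK_RECORD),
                       ("subdomain gap", SUBDOMAIN_GAP_RECORD), ("hardened", HARDENED_RECORD)]:
        print(f"{label:14s} -> {review_dmarc(rec) or ['no findings']}")
```

The hardened record produces no findings because it rejects at full percentage for the domain and its subdomains and asks for aggregate reports. As the docstring notes, that is the most a DMARC record can do; mail from a compromised account or a look-alike domain passes alignment and is never subject to the p= policy.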
Marketer view

Marketer from Email Geeks shares the authentication results showing DKIM and SPF passed.

October 2023 - Email Geeks
Marketer view

Email marketer from Proofpoint explains that impersonation attacks work by sending a message that appears to be from someone the recipient knows or trusts. To maximize the chance that the message will be acted on, attackers register domains very similar to those of well-known brands. This allows them to bypass traditional email authentication controls such as SPF, DKIM and DMARC.

July 2022 - Proofpoint
Marketer view

Email marketer from StackExchange user 'domainexpert' explains that if a phisher is sending from an authorized IP address according to the SPF record of the sending domain, and the DKIM signature is valid, the email will pass authentication checks, regardless of its malicious intent. This is because SPF and DKIM only verify the sender's legitimacy, not the content of the email.

May 2024 - StackExchange
Marketer view

Marketer from Email Geeks shares the details of a Spamhaus phishing email they received, including the subject, sender, and a link to download instructions.

June 2022 - Email Geeks
Marketer view

Email marketer from Reddit user u/mailauthentication explains that a phishing email can pass SPF and DKIM if the attacker controls the sending domain. If the domain's SPF and DKIM records are properly configured by the attacker, the receiving mail server will authenticate the email as legitimate, even though it's a phishing attempt.

November 2023 - Reddit
Marketer view

Marketer from Email Geeks notes the absence of DMARC and suggests the attacker may control the domain.

January 2025 - Email Geeks
Marketer view

Email marketer from ValiMail explains that in 'internal phishing' scenarios (emails sent from within your own organization), SPF and DKIM will likely pass because the emails are originating from your own servers and are signed correctly. DMARC can provide some protection, but often it's configured in a way that still allows these emails to be delivered.

April 2024 - ValiMail
Marketer view

Email marketer from Email Vendor Guide explains that attackers will use domains that appear legitimate at first glance but contain subtle differences that go unnoticed by the casual user. SPF/DKIM/DMARC are unlikely to help in this scenario as the attacker owns the domain they are sending from, and can configure these standards as they wish.

September 2024 - Email Vendor Guide
Marketer view

Marketer from Email Geeks questions why SPF, DKIM, and DMARC didn't prevent the phishing email.

March 2024 - Email Geeks

What the experts say
2 Expert opinions

Phishing emails can bypass SPF and DKIM authentication because these mechanisms primarily verify the origin of the email, not its content or intent. A phisher can compromise legitimate accounts or utilize look-alike domains with proper SPF and DKIM configurations to send emails that pass authentication. Domain reputation also plays a role; a good reputation increases the likelihood of emails passing through, whereas a bad reputation, especially without proper authentication setup, can cause emails to fail.

Key opinions

  • Authentication vs. Intent: SPF and DKIM only authenticate the origin of the email, not the content or intent, leaving room for phishing.
  • Compromised Accounts/Look-alike Domains: Phishers can compromise legitimate accounts or use look-alike domains with correct SPF/DKIM setup to bypass checks.
  • Domain Reputation: Domain reputation is a factor; good reputation increases the likelihood of emails passing, while a bad reputation can cause failure, especially without proper setup.

Key considerations

  • Beyond Authentication: Organizations should implement additional security measures beyond SPF and DKIM, such as content filtering and behavioral analysis.
  • Reputation Management: Maintaining a positive domain reputation is crucial for deliverability and preventing emails from being flagged as spam.
  • Account Security: Implement strong account security measures to prevent account compromise and subsequent phishing attacks.
Expert view

Expert from Word to the Wise (Laura Atkins) explains that Domain Reputation can be a factor with authentication. If you have set everything up correctly, SPF, DKIM, DMARC, etc., and have a good reputation, the likelihood is that you'll go through, but if you don't have the above set up, and you have a bad reputation, the email will likely fail.

June 2023 - Word to the Wise
Expert view

Expert from Spam Resource (John Levine) explains that SPF and DKIM only authenticate the origin of the email, not the content or intent. A phisher who compromises a legitimate email account or uses a look-alike domain with properly configured SPF and DKIM can send emails that pass authentication checks, even if the content is malicious.

December 2023 - Spam Resource

What the documentation says
3 Technical articles

Phishing emails can bypass SPF and DKIM checks because these authentication methods primarily verify the sender's authorization to send emails on behalf of a domain, not the content or intent of the email itself. This can occur when a phisher uses an authorized server, compromises a legitimate account, or gains control of a sender's email system. While DMARC can help mitigate the impact, it cannot completely prevent such attacks when legitimate systems are compromised.

Key findings

  • Authorized Server Usage: Phishers using a server authorized to send email for a domain can pass SPF checks, even with fraudulent emails.
  • Compromised Accounts: Phishing emails sent from compromised accounts pass SPF, DKIM, and potentially DMARC checks because they originate from a legitimate source.
  • Control of Sender System: Gaining control of a legitimate sender's email system allows phishers to send emails that pass SPF and DKIM due to using authorized infrastructure.
  • DMARC Limitations: DMARC can mitigate, but not entirely prevent, phishing attacks when legitimate systems are compromised and used for malicious purposes.
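
The "authorized server" finding is easiest to see by evaluating an SPF record directly. The following is an added example, not code from the original page or from DMARC.org, Microsoft or Google: a simplified SPF check_host in the style of RFC 7208, run over a constructed DNS snapshot instead of live lookups. The domains (brand-example.com, spf.shared-mailer.example, sloppy-example.net), the addresses and the provider are hypothetical, and only the ip4, ip6, include and all mechanisms are modelled.

```python
"""Simplified SPF check_host (RFC 7208 subset) over a constructed DNS snapshot.
Added example, not code from the original page; zone data, addresses and the
provider name are constructed, and only ip4/ip6/include/all are modelled."""
import ipaddress
from typing import Dict, List, Optional, Tuple

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT data standing in for live DNS lookups.
ZONE: Dict[str, str] = {
    # brand-example.com sends from one host of its own and via a shared provider.
    "brand-example.com": "v=spf1 ip4:198.51.100.10 include:spf.shared-mailer.example -all",
    # The provider authorizes its whole customer-facing range for every customer.
    "spf.shared-mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # Hypothetical domain with a permissive catch-all.
    "sloppy-example.net": "v=spf1 ip4:198.51.100.20 +all",
}


def _terms(domain: str) -> Optional[List[Tuple[str, str, str]]]:
    """Return (qualifier, mechanism, argument) for each term of a domain's record."""
    record = ZONE.get(domain)
    parts = record.split() if record else []
    if not parts or parts[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in parts[1:]:
        qualifier = "+"  # RFC 7208: a missing qualifier means '+'
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """SPF verdict for a connecting IP claiming MAIL FROM @domain."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    terms = _terms(domain)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in terms:
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # a/mx/exists/ptr/redirect are not modelled here
        if matched:
            return RESULT[qualifier]
    return "neutral"


def authorized_networks(domain: str, depth: int = 0) -> List:
    """Flatten every network a '+' term authorizes, following includes."""
    nets: List = []
    if depth > 10:
        return nets
    for qualifier, mech, arg in _terms(domain) or []:
        if qualifier != "+":
            continue
        if mech in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif mech == "include":
            nets.extend(authorized_networks(arg, depth + 1))
        elif mech == "all":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
    return nets


def authorized_address_count(domain: str) -> int:
    """How many addresses may send mail claiming this domain and pass SPF."""
    return sum(n.num_addresses for n in authorized_networks(domain))


if __name__ == "__main__":
    print(check_host("198.51.100.10", "brand-example.com"))   # the domain's own host
    print(check_host("203.0.113.77", "brand-example.com"))    # another provider customer
    print(check_host("192.0.2.5", "brand-example.com"))       # unrelated host
    print(authorized_address_count("brand-example.com"))
```

In the constructed zone, 203.0.113.77 is not a brand-example.com host at all, yet it passes SPF for that domain because the include: hands the provider's whole range to every customer; authorized_address_count shows that 256 of the 257 authorized addresses belong to third parties. That is the "pass means sent from an authorized source, not that the mail is legitimate" point made by the Google Workspace article below, and the reason DKIM alignment rather than SPF alone is usually what DMARC ends up relying on for mail sent through shared services.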

Key considerations

  • Enhanced Security Measures: Organizations should implement security measures beyond SPF, DKIM, and DMARC to detect and prevent phishing, such as behavioral analysis and content filtering.
  • Account Protection: Focus on securing user accounts to prevent compromise and subsequent use for phishing attacks.
  • System Monitoring: Implement robust system monitoring to detect and respond to unauthorized access or control of email systems.
  • DMARC Configuration: Ensure DMARC is properly configured to provide instructions to receiving mail servers on how to handle emails that fail authentication checks.
Technical article

Documentation from DMARC.org answers that if a phisher gains control of a legitimate sender's email system, they can send emails that pass SPF and DKIM because they're using the actual authorized infrastructure. DMARC can help mitigate the impact, but it can't completely prevent it if the original systems are compromised.

November 2021 - DMARC.org
Technical article

Documentation from Microsoft Learn explains that phishing emails can pass authentication if a compromised account is used to send the email. Since the email is technically coming from the legitimate account, it passes SPF/DKIM/DMARC checks, making it difficult to detect based on authentication alone.

August 2023 - Microsoft Learn
Technical article

Documentation from Google Workspace Admin Help explains that SPF can pass if the phisher uses a server authorized to send email for the domain, even if the email is fraudulent. The 'pass' result means the email was sent from a legitimate source for that domain, but not necessarily that the email itself is legitimate.

July 2024 - Google Workspace Admin Help