
SPF, DKIM, and DMARC: what these security checks do, what "pass" and "fail" mean, and why attackers still get through

Email Authentication

The Email From HR That Wasn't

A manufacturing company's employees received an email from hr@brightwell-industries.com asking them to update their direct deposit information before the next pay period. The email used the company's real domain. The signature matched the HR director's. Twelve employees clicked and entered their bank details.

By the next payday, $127,000 in salary payments had gone to accounts controlled by criminals.

When IT investigated, they found something troubling: the email hadn't come from their servers at all. Someone had simply typed hr@brightwell-industries.com in the From field and sent it from a server in another country.

How did it get through? Brightwell Industries had never set up email authentication. They had no SPF record listing approved servers. No DKIM signatures. No DMARC policy. Their domain was wide open for anyone to impersonate.

This story is fictional, but the patterns are real.


What Email Authentication Does

Because email was designed without identity verification, security experts later created three systems to check if emails are legitimate: SPF, DKIM, and DMARC.

Together, these answer one question: Did this email really come from the domain it claims?

They don't answer: Is this domain trustworthy?

That's the gap attackers exploit.


SPF: Checking the Server

What it is: A list of servers allowed to send email for a domain.

How it works: When you send email, it goes through a mail server. SPF lets domain owners publish a list of approved servers. Receiving systems check: "Is this server on the approved list?"

What "pass" means: The sending server is on the approved list.

What it doesn't mean: The email is safe or the domain is legitimate.

Example: If criminals register arnazon-security.com and list their own server in that domain's SPF record, emails from that server pass SPF. The check confirms the email came from a server approved for that domain. It can't know the domain is a scam.


DKIM: Checking the Signature

What it is: A digital signature proving the email wasn't modified.

How it works: The sending server signs the email with a private key. Receiving servers check the signature using a public key published in the sending domain's DNS. If the signature verifies, the signed headers and body haven't been changed since they were signed.

What "pass" means: The email was signed by the claimed domain and hasn't been tampered with.

What it doesn't mean: The content is true or the sender is trustworthy.

Example: A criminal sends a phishing email from their own domain with proper DKIM. The signature is valid because they control the domain. DKIM confirms the email wasn't modified in transit. It doesn't know the email is a scam.


DMARC: Enforcing the Rules

What it is: A policy telling receiving servers what to do when SPF or DKIM fails.

How it works: Domain owners publish a policy: ignore failures, send failures to spam, or reject failures entirely. DMARC also requires "alignment," meaning the domain in the visible From address must match the domain that passed SPF or DKIM.

The three policies:

Policy          What happens to failures
p=none          Nothing. Monitor only.
p=quarantine    Send to spam
p=reject        Block completely

The problem: Most domains use p=none, which provides no protection. Even when authentication fails, the email still arrives.


What the Results Look Like

In email headers, you'll see an Authentication-Results line:

Authentication-Results: mail.company.com;
    spf=pass
    dkim=pass
    dmarc=pass

All pass: The email came from the domain it claims. But that domain might be malicious.

Failures: Something didn't verify. Depending on the DMARC policy, the email might still arrive.

Key insight: "Pass" means the technical check succeeded. It doesn't mean the email is safe.
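As an added example (not part of this article), the Python below parses an Authentication-Results header like the one above, recomputes the DMARC verdict from the SPF and DKIM results plus alignment with the visible From domain, and applies the p= policy. The property names smtp.mailfrom and header.d are the standard ones receivers add to this header (RFC 8601); both sample messages are constructed for the example, and the alignment check is a simplified version of relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real mail). LOOKALIKE: a criminal-owned domain with
# perfect authentication. SPOOFED: the From domain forged from elsewhere.
LOOKALIKE = """\
Authentication-Results: mail.company.com;
    spf=pass smtp.mailfrom=arnazon-security.com;
    dkim=pass header.d=arnazon-security.com
From: "Amazon Security" <alerts@arnazon-security.com>
"""
SPOOFED = """\
Authentication-Results: mail.company.com;
    spf=fail smtp.mailfrom=bulk-relay.example;
    dkim=none
From: "HR Department" <hr@brightwell-industries.com>
"""

def parse_auth_results(header):
    """Extract method=result pairs and the domain each check was evaluated on."""
    flat = " ".join(header.split())          # unfold the multi-line header
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))
    domains = dict(re.findall(r"\b(smtp\.mailfrom|header\.d)=([\w.-]+)", flat))
    return results, domains

def aligned(auth_domain, from_domain):
    """Relaxed alignment, simplified: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains via the public-suffix list."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def dmarc_disposition(raw_message, policy="none"):
    """Recompute the DMARC verdict from SPF/DKIM + alignment, then apply p=."""
    msg = message_from_string(raw_message)
    results, domains = parse_auth_results(msg["Authentication-Results"])
    display_name, address = parseaddr(msg["From"])
    from_domain = address.rpartition("@")[2]
    spf_ok = results.get("spf") == "pass" and aligned(domains.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = results.get("dkim") == "pass" and aligned(domains.get("header.d", ""), from_domain)
    dmarc_pass = spf_ok or dkim_ok
    if dmarc_pass or policy == "none":
        action = "deliver"      # p=none: monitor only, failures still arrive
    elif policy == "quarantine":
        action = "spam"
    else:
        action = "reject"
    return {"display_name": display_name, "from_domain": from_domain,
            "dmarc_pass": dmarc_pass, "action": action}
```

Run it on both samples: the lookalike domain passes and is delivered even under p=reject, while the spoofed HR message is only stopped when the policy is quarantine or reject.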


Why Attackers Still Get Through

Lookalike domains: Register arnazon.com instead of amazon.com. Set up proper SPF, DKIM, and DMARC. All emails from this domain will pass every check.

Display name tricks: The From field has two parts: a display name and an address. An email can show "Amazon Security" as the name while the actual address is scammer@randomdomain.com. Many email apps only show the display name.

Weak policies: Most domains don't enforce DMARC. Even if authentication fails, the email often arrives anyway.

Account compromise: If attackers steal login credentials for a real email account, all their messages have valid authentication because they're using the real infrastructure.

Email replay attacks: DKIM proves an email hasn't been modified since sending. It doesn't prevent that email from being resent to new recipients. Attackers exploit this by getting legitimate services to send them signed emails containing attacker-controlled content, then replaying those emails at scale.

In one attack against an Ethereum developer, the attacker registered an OAuth application with Google using a phishing message as the app's name. Google sent a legitimate security alert about this new app, signed with Google's DKIM key, containing the attacker's phishing text. The attacker then replayed this signed email to targets. It passed every authentication check, appeared in the same Gmail thread as real Google security alerts, and fooled even security experts. Google's own infrastructure had been weaponized against its users.[1]


Key Takeaways

  • Authentication verifies the domain, not the intent. SPF, DKIM, and DMARC confirm an email came from where it claims. They can't know if that domain is malicious.
  • Lookalike domains pass every check. arnazon.com can have perfect authentication because the attacker controls it.
  • Most domains don't enforce DMARC. Even when checks fail, emails often arrive because policies are set to "monitor only."
  • Display names lie. The friendly name you see ("Bank Security Team") can be anything. Always check the actual email address.
  • "Pass" is not the same as "safe." Authentication is one signal, not proof of legitimacy.

What's next: Email Investigation covers how to read headers in practice, trace where an email really came from, and preserve evidence properly.


Key Terms

SPF (Sender Policy Framework): A list of servers authorized to send email for a domain.

DKIM (DomainKeys Identified Mail): A digital signature proving an email hasn't been modified since sending.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): A policy that tells receiving servers what to do when authentication fails.

Authentication-Results: The header showing whether an email passed SPF, DKIM, and DMARC.

Lookalike domain: A domain designed to look like a legitimate one (arnazon.com, paypa1.com).

Display name: The friendly name shown in the From field, separate from the actual email address.

Email replay attack: Resending a legitimately signed email to new recipients; the DKIM signature remains valid because the content wasn't changed.


References

1. All Gmail users at risk from clever replay attack - Malwarebytes, 2025


Generated with AI assistance. Reviewed by humans for accuracy.
