Security terms explained — SPF, DKIM, DMARC, and why 'pass' is not 'safe'
A recurring theme in these reports is that "authentication passed" does not mean "safe." This explainer covers the three email-authentication standards plainly — what each really checks, and where the gap lives.
The three checks
- SPF (Sender Policy Framework) answers: was this mail sent from a server the domain owner authorized? The domain publishes a list of allowed sending IPs; the receiver checks the connecting server against it. SPF validates the path, not the person.
- DKIM (DomainKeys Identified Mail) answers: was the message signed by the domain, and unchanged in transit? The sender signs the headers and body with a private key; the receiver verifies with the published public key. DKIM proves the integrity and origin of the signature — not intent.
- DMARC ties the two together and adds policy. It checks that the domain you actually see in the From address aligns with the domain that passed SPF or DKIM, and it tells receivers what to do on failure (none / quarantine / reject). DMARC closes the "visible From spoofing" gap.
What they catch — and what they do not
Together these stop a large class of domain spoofing: an outsider cannot easily forge mail that appears to come from a protected domain.
What they do not address:
- A real but compromised account (VEC) — it is the genuine domain, so everything passes.
- Look-alike domains — a different domain that merely resembles yours passes its own authentication perfectly.
- Intent — none of these standards reads what the message is actually asking for.
That is the crucial point for anyone reading a header. Authentication tells you the envelope is genuine. It says nothing about whether the request inside is. SA-02 in WhiteHat checks all three — but it is deliberately one agent of four, because passing them is necessary, not sufficient.
The one-line version
SPF: authorized server? DKIM: signed and untampered? DMARC: does the visible sender align, and what happens if it does not? All three together: the envelope is real. Still unanswered: should you do what the letter says?
Want to see authentication results alongside identity, links, and intent? Paste a message into the Analyze console.