SPF actually authenticates the domain used in the bounce address, a.k.a. Return-Path. It doesn't authenticate the domain in the FROM header, which is typically shown to recipients by their email client software as the author of the email.
Similarly, DKIM (DomainKeys Identified Mail) signatures authenticate the domain listed in the d= tag in the signature, not necessarily the same as the domain used in the FROM header.
You'll need DMARC (Domain-based Message Authentication, Reporting, and Conformance) to enforce alignment between the authenticated domain and the domain used in the FROM field.
All three Internet standards are designed to authenticate emails sent from authorised sources, in order to protect a domain from being spoofed.
If you need to protect individual senders from being spoofed, you may have a look at digital IDs for signing and optionally encrypting email messages from the email client of a specific user.
Please consider that email messages that are sent from other legitimate sources may not be signed with a / the same certificate, e.g. a personal Christmas wish from the CEO sent by the HR / communications department from a dedicated tool such as Selligent, Salesforce or another tool. You may want to use this in your awareness training material.
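The alignment rule described in the answer above, worked through in code. This is an added example, not part of the original post: it parses a constructed header block, pulls out the three domains involved (FROM header, Return-Path, and the DKIM d= tag), and applies the DMARC rule from RFC 7489: the message passes if SPF passed *and* the Return-Path domain aligns with FROM, or DKIM passed *and* d= aligns with FROM. The SPF and DKIM verifier outcomes are supplied as inputs because real checks need DNS, and the organizational-domain helper is a deliberate simplification (it keeps the last two labels instead of consulting the Public Suffix List). The sample headers and the domains bulk-sender.example and example.com are constructed.

```python
"""DMARC identifier alignment, illustrated. Added example; assumptions:
SPF/DKIM results are given, and organizational_domain() approximates the
Public Suffix List by keeping the last two labels."""
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def organizational_domain(domain: str) -> str:
    """ASSUMPTION: last two labels stand in for the Public Suffix List lookup
    a real DMARC verifier performs (good enough for the constructed samples)."""
    labels = domain.rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dkim_signing_domain(raw_headers: str) -> str:
    """Extract the d= tag (the domain DKIM actually authenticates)
    from the first DKIM-Signature header."""
    sig = message_from_string(raw_headers).get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else ""


def dmarc_evaluate(raw_headers: str, spf_result: str, dkim_result: str,
                   adkim: str = "r", aspf: str = "r") -> dict:
    """Apply the DMARC pass rule to a header block.
    spf_result / dkim_result are the verifier outcomes ('pass' or 'fail');
    adkim / aspf are the alignment modes from the domain's DMARC record."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    d_tag = dkim_signing_domain(raw_headers)
    spf_ok = spf_result == "pass" and aligned(return_path_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(d_tag, from_domain, adkim)
    return {
        "from": from_domain,
        "return_path": return_path_domain,
        "dkim_d": d_tag,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


# Constructed sample 1: a third-party mailer whose own domain passes SPF and
# DKIM, but neither authenticated domain is the one shown in From:.
UNALIGNED_HEADERS = "\n".join([
    'From: "CEO" <ceo@example.com>',
    "Return-Path: <bounce-123@mail.bulk-sender.example>",
    "DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.example; s=sel;"
    " h=from:to:subject; bh=constructed; b=constructed",
])

# Constructed sample 2: same mailer, but it signs with a key published under
# example.com (d=example.com), so DKIM aligns with From: and DMARC passes.
ALIGNED_HEADERS = "\n".join([
    'From: "CEO" <ceo@example.com>',
    "Return-Path: <bounce-123@mail.bulk-sender.example>",
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;"
    " h=from:to:subject; bh=constructed; b=constructed",
])

if __name__ == "__main__":
    for name, hdrs in (("unaligned", UNALIGNED_HEADERS), ("aligned", ALIGNED_HEADERS)):
        print(name, dmarc_evaluate(hdrs, spf_result="pass", dkim_result="pass"))
```

The first sample is the case the answer warns about: both SPF and DKIM "pass", yet DMARC fails because the domains they authenticated are not the FROM domain. The second sample is how a legitimate outsourced mailing (the HR tool sending the CEO's greeting) should be set up: the tool signs with a d= under the organization's own domain, so DKIM alignment carries the message even though the bounce address stays with the provider.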
Mostly you need really good spam filters for this that can decipher and reject the spam content. Sometimes domain or address filters can work but mostly not. – John – 2019-12-18T21:56:12.610
@john that's not really an answer to the question. Spam filtering does not help with spoofing where the email is not spam. – davidgo – 2019-12-19T11:59:30.710
Works for me. Zero spam. – John – 2019-12-19T12:25:39.173