#readwise

# How Can SPF/DKIM Pass, and Yet DMARC Fail?

![rw-book-cover](https://readwise-assets.s3.amazonaws.com/static/images/article3.5c705a01b476.png)

## Metadata

- Author: [[dmarcian.com]]
- Full Title: How Can SPF/DKIM Pass, and Yet DMARC Fail?
- URL: https://dmarcian.com/how-can-spfdkim-pass-and-yet-dmarc-fail/

## Highlights

- When a receiver uses SPF, the receiver looks at the domain found in the RFC5321.MailFrom to figure out where to look for an SPF record. The RFC5321.MailFrom address is the entity that is passed along as part of the "MAIL FROM" command during the SMTP conversation. To make matters worse, this address is also called the "bounce address", the "envelope address", the "SPF address", or the "ReturnPath" address (as it is copied into the content of the email messages as the ReturnPath: header by the email receiver!). When an SPF check successfully completes, the receiver ends up with an "Authenticated Identifier" that is the domain of the RFC5321.MailFrom. DKIM is similar in that it also generates an "Authenticated Identifier". However, DKIM's identifier comes from the "d=" tag that is part of every DKIM signature.
- In the DMARC world, any Authenticated Identifier has to be relevant to the domain that DMARC is looking at, and that is always the domain found in the From: header of an email. Identifier Alignment is therefore the process of checking to make sure the domains that are authenticated by SPF and DKIM are relevant to the domain found in an email's From: header.
- **Identifier Alignment is required as anyone can deploy SPF and DKIM for any piece of email today. If a criminal is trying to spoof bank.com and sets up a domain criminal.net to get SPF and DKIM into place, just because SPF and DKIM both pass doesn't mean the authentication has anything to do with bank.com.**
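The alignment step the highlights describe, as an added worked example (not code from the dmarcian article): SPF yields the RFC5321.MailFrom domain, DKIM yields the `d=` domain, and DMARC passes only if at least one of those authenticated identifiers aligns with the RFC5322.From domain. It goes slightly beyond the highlights by modelling both DMARC alignment modes from RFC 7489 (`r`, relaxed, where organizational domains must match; `s`, strict, where domains must match exactly). The `org_domain` helper is a deliberate simplification (last two DNS labels) standing in for a Public Suffix List lookup; the `AuthResult` records and the sample domains are constructed for the example.

```python
"""DMARC identifier alignment, reduced to the decision the article describes.

Added example, not the article's own code. Simplifications are marked.
"""
from dataclasses import dataclass
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two labels.

    Assumption / simplification: a real receiver consults the Public Suffix
    List so that e.g. 'example.co.uk' is not collapsed to 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment between an authenticated domain and the From: domain.

    mode 'r' (relaxed): organizational domains must match.
    mode 's' (strict):  the domains must match exactly.
    """
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    """What SPF and DKIM hand to DMARC for one message (constructed input)."""
    spf_pass: bool
    mail_from_domain: str   # RFC5321.MailFrom (envelope / bounce) domain
    dkim_pass: bool
    dkim_d: str             # d= tag of the DKIM signature that verified
    from_domain: str        # domain of the RFC5322.From header


def dmarc_evaluate(r: AuthResult, adkim: str = "r", aspf: str = "r") -> dict:
    """Combine authentication results with alignment; adkim/aspf mirror the
    DMARC record tags of the same name (default relaxed)."""
    spf_aligned = r.spf_pass and aligned(r.mail_from_domain, r.from_domain, aspf)
    dkim_aligned = r.dkim_pass and aligned(r.dkim_d, r.from_domain, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def from_header_domain(header_value: str) -> str:
    """Extract the domain DMARC cares about from a raw From: header value."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower()


if __name__ == "__main__":
    # The article's scenario: criminal.net has valid SPF and DKIM, but the
    # From: header claims bank.com, so neither identifier aligns.
    spoof = AuthResult(True, "criminal.net", True, "criminal.net",
                       from_header_domain('"Bank Support" <support@bank.com>'))
    print("spoof     ", dmarc_evaluate(spoof))          # -> fail

    # Legitimate mail: bounces go to bounce.bank.com, signed with d=bank.com.
    legit = AuthResult(True, "bounce.bank.com", True, "bank.com", "bank.com")
    print("legit     ", dmarc_evaluate(legit))          # -> pass

    # Same mail under aspf=s: SPF no longer aligns, DKIM still carries it.
    print("legit aspf=s", dmarc_evaluate(legit, aspf="s"))
```

The usual way SPF and DKIM both "pass" while DMARC fails is exactly the first case: each check authenticated a domain, but not the domain in From:. The strict-mode run shows the second common cause, a subdomain in the bounce address that a strict `aspf` tag refuses to count.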