Why does SPF alone not prevent spoofing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Because SPF authenticates the part of the email nobody sees. Phishers impersonate the part everyone sees. Those aren't the same thing, and that gap is the whole reason SPF alone can't stop a well-crafted spoof.

The two "from" addresses

Every email carries two sender identities:

  • The envelope from (Return-Path). Used by mail servers to route the message and handle bounces. The recipient almost never sees it.
  • The header from. The "From: Your Bank" line that shows up in the inbox. This is what humans read.

SPF only checks the envelope from. Whatever domain is in the Return-Path gets validated against that domain's SPF record. The visible header from isn't part of the check at all.

How phishers exploit this

Imagine an attacker wants to impersonate support@yourbank.com. They don't need to break into the bank's servers. They register their-own-domain.com and publish a valid SPF record for it (easy, since it's their domain). Then they send an email with:

  • Envelope from: noreply@their-own-domain.com (SPF passes cleanly)
  • Header from: support@yourbank.com (what the victim sees)

The receiving server checks SPF against their-own-domain.com, it passes, the email gets delivered. The victim sees "Your Bank" in their inbox, clicks the link, and the phish works.

SPF did its job perfectly. It just didn't check the right field.

What closes the gap

DMARC is what ties the visible header from to the authentication check. It requires the header from domain to align with either SPF or DKIM. If they don't match, DMARC can tell receivers to quarantine or reject the message.

DKIM helps because it signs the message with a cryptographic key tied to the header from domain (when configured correctly), giving DMARC a second way to align.

And the real protection is all three together: SPF passes, DKIM passes, and DMARC confirms the visible from domain matches. That combination is what actually stops spoofing.

You can see what your domain currently publishes with our SPF checker. If you're trying to move from "SPF only" to a full SPF + DKIM + DMARC setup and you want a sanity check before flipping to p=reject, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit My Spoofing Protection

I just read the Email Almanac entry on why SPF alone doesn't stop spoofing. Help me audit my domain's full authentication posture and close the spoofing gap. Walk me through: 1. Whether my SPF, DKIM, and DMARC are currently aligned with my visible from 2. What my DMARC policy is set to and whether it's strict enough 3. Which gaps I need to close first 4. How to safely move from p=none to p=quarantine or p=reject --- My details (fill in what applies): - Sending domain: your domain - SPF: passing / unsure / not configured - DKIM: passing / unsure / not configured - DMARC record: paste if you have it, or describe - Current DMARC policy: none / quarantine / reject / unsure - Active sending sources: ESPs, CRMs, helpdesks, etc. - Have you seen spoofing of your domain: yes / no / unsure

Edit the yellow boxes, then send to the AI of your choice.