How can SPF/DKIM be bypassed after compromise?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine someone steals the keys to your car. The engine starts perfectly. The alarm doesn't go off. Every system works exactly as designed, because from the car's perspective, the right key is in the ignition. That's what happens when an attacker takes over your email account or ESP credentials.
SPF, DKIM, and DMARC are not fooled by the attacker. They pass because the attacker is using your real infrastructure. The sending IP is authorized (SPF passes). The signing key is legitimate (DKIM passes). The domain aligns (DMARC passes). Authentication has no way to tell whether the person pressing send is you or someone who stole your password.
This is the core limitation worth understanding. Authentication verifies the system, not the person. It confirms that an email left through an authorized channel, nothing more. A compromised account passes every authentication check perfectly, which is exactly what makes it so dangerous.
So what actually stops this? Not authentication records. These things do:
- Strong access controls. Multi-factor authentication on your ESP account and any tool with sending access. If an attacker can't log in, they can't send.
- Anomaly monitoring. Watch for sudden spikes in send volume, new recipient lists, unfamiliar sending times, or campaigns you didn't create. Most ESPs have activity logs. Use them.
- Least-privilege API access. API keys and tokens should only have the permissions they actually need. A key that can only send email shouldn't also be able to export your entire list.
- Fast incident response. If you suspect a breach, revoke credentials and rotate keys immediately. Every minute of delay is more email sent under your domain's reputation.
Authentication is still worth doing (absolutely do it), but it's a trust signal for the mailbox provider, not a lock on your account. Think of SPF, DKIM, and DMARC as proof that your domain is legitimate. The job of keeping bad actors out of your sending account is a different layer entirely.
If something feels off with your sending right now, our SOS hotline is free and no-pitch. We can help you figure out what's happening.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.