MAIL FROM value in the SMTP envelope, not the From header in the message. Therefore, by using a domain that does not publish an SPF record in the MAIL FROM, they can easily bypass the SPF check.
    C --> EHLO host.spammermarketing.net
    S <-- 250-host.spammermarketing.net. Please to meet you
    S <-- 250 OK
    C --> MAIL FROM:<spammer@spammermarketing.net>
    S <-- 250 OK
    C --> RCPT TO:<victim@yourcompany.com>

Notice the envelope suggests the sender belongs to spammermarketing.net, which does not have an SPF record.

    From: Mr. CEO "ceo@yourcompany.com" <spammer@spammermarketing.net>
    To: <victim@yourcompany.com>
    Subject: Hi,my name is Evie

Notice there are two email addresses in the From header. Most email clients will only display the first address, giving the impression that the message came from their CEO.
Because the MAIL FROM value in the envelope used a domain that did not have an SPF record, the receiving server simply skipped the SPF check. DMARC was also skipped because SPF was missing.
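
A receiving-side check for the two signals in the message above, added here as an example and not taken from the original article: it flags an envelope domain with no SPF record and a From display name that embeds an address from a different domain than the real sender. The `SPF_RECORDS` table (a constructed stand-in for DNS lookups), `PROTECTED_DOMAINS`, the function names and the finding labels are all assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Assumption: yourcompany.com publishes SPF; per the text above,
# spammermarketing.net does not.
SPF_RECORDS = {"yourcompany.com": "v=spf1 mx -all"}
PROTECTED_DOMAINS = {"yourcompany.com"}  # assumption: domains we receive mail for

# Finds an email-like string and captures its domain.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address):
    """Return the lower-cased domain of an addr-spec, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def inspect_message(mail_from, from_header):
    """Return findings for one message: envelope sender plus From header."""
    findings = []
    envelope_domain = domain_of(mail_from.strip("<>"))
    display_name, real_address = parseaddr(from_header)
    header_domain = domain_of(real_address)

    # SPF is evaluated against the envelope domain. No record means the
    # result is "none": an absence of evidence, not a pass.
    if envelope_domain not in SPF_RECORDS:
        findings.append("spf-none:" + envelope_domain)

    # An address inside the display name is what most clients show the user.
    for shown in EMAIL_RE.finditer(display_name):
        shown_domain = shown.group(1).lower()
        if shown_domain != header_domain:
            findings.append("display-name-address-mismatch:" + shown_domain)
        if shown_domain in PROTECTED_DOMAINS and header_domain not in PROTECTED_DOMAINS:
            findings.append("internal-impersonation:" + shown_domain)
    return findings


if __name__ == "__main__":
    # Envelope and header values taken from the session shown above.
    print(inspect_message(
        "<spammer@spammermarketing.net>",
        'Mr. CEO "ceo@yourcompany.com" <spammer@spammermarketing.net>',
    ))
```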