How can SPF/DKIM be bypassed after compromise?
Strictly speaking they are not bypassed at all: after a compromise, the attacker's mail passes every check. An attacker holding stolen **ESP** (email service provider) credentials or API keys sends through the victim's own authorized systems, so SPF passes (the sending IP is in the victim's published record), DKIM passes (the message is signed with the victim's legitimate key), and DMARC passes (the From domain aligns with both).
Authentication verifies infrastructure, not intent. It establishes that the sending system is authorized by the domain owner; it cannot tell whether the person driving that system is. Mail sent from a compromised account therefore passes perfectly, and the receiver's Authentication-Results header carries no signal that anything is wrong.
This limitation means authentication alone cannot prevent compromise-based abuse. It must be combined with strong access controls on the sending accounts (MFA, narrowly scoped and rotated API keys), monitoring of outbound sending behavior for anomalies such as unusual volume, new client IPs or unfamiliar recipient sets, and rapid incident response (revoking the credentials and keys in use) when a compromise occurs.
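To make the point concrete, here is an added example (not code from the original page or any ESP's tooling) that runs a simple behavioral detector over constructed ESP send-log events. Every event passes SPF, DKIM and DMARC, so filtering on authentication verdicts finds nothing; a baseline of known client IPs and per-call volume, built from earlier activity, flags the burst from an unfamiliar IP. The log format, field names, the `volume_factor` threshold and the baseline cut-off are assumptions for illustration.

```python
"""Behavioral anomaly detection over ESP send logs (added example).

Authentication fields are included only to show they carry no signal once
the attacker is sending through the victim's own authorized account.
The log format, field names and thresholds are assumptions, not any
real ESP's API.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one per call to the ESP's send endpoint:
# timestamp, API key id, client IP that called the ESP, recipient count,
# and the verdicts a receiving MTA would compute for the resulting mail.
SEND_LOG = """\
2024-05-01T09:00:00Z key=k-marketing ip=203.0.113.10 recipients=120 spf=pass dkim=pass dmarc=pass
2024-05-01T10:00:00Z key=k-marketing ip=203.0.113.10 recipients=95 spf=pass dkim=pass dmarc=pass
2024-05-01T11:00:00Z key=k-marketing ip=203.0.113.10 recipients=110 spf=pass dkim=pass dmarc=pass
2024-05-01T12:00:00Z key=k-marketing ip=203.0.113.10 recipients=100 spf=pass dkim=pass dmarc=pass
2024-05-02T03:12:00Z key=k-marketing ip=198.51.100.77 recipients=9000 spf=pass dkim=pass dmarc=pass
2024-05-02T03:15:00Z key=k-marketing ip=198.51.100.77 recipients=8800 spf=pass dkim=pass dmarc=pass
"""


def parse_line(line):
    """Turn one 'ts k=v k=v ...' record into a dict; numeric values become ints."""
    ts, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in kvs:
        k, v = kv.split("=", 1)
        rec[k] = int(v) if v.isdigit() else v
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def authenticated(rec):
    return all(rec.get(f) == "pass" for f in ("spf", "dkim", "dmarc"))


def auth_failures(events):
    """What a verdict-only check sees: events that failed any mechanism."""
    return [e for e in events if not authenticated(e)]


def build_baseline(events, until):
    """Per-key profile from events before `until`: the client IPs that have
    called the ESP with that key and the largest single-call recipient count."""
    profile = defaultdict(lambda: {"ips": set(), "max_recipients": 0})
    for e in events:
        if e["ts"] < until:
            p = profile[e["key"]]
            p["ips"].add(e["ip"])
            p["max_recipients"] = max(p["max_recipients"], e["recipients"])
    return profile


def detect(events, baseline, since, volume_factor=5):
    """Flag events at/after `since` that deviate from the key's baseline.
    `volume_factor` is an assumed threshold: alert when a single call sends
    more than volume_factor times the largest count seen during the baseline."""
    alerts = []
    for e in events:
        if e["ts"] < since:
            continue
        p = baseline.get(e["key"])
        reasons = []
        if p is None:
            reasons.append("API key never seen in baseline")
        else:
            if e["ip"] not in p["ips"]:
                reasons.append(f"new client IP {e['ip']}")
            if e["recipients"] > volume_factor * p["max_recipients"]:
                reasons.append(
                    f"{e['recipients']} recipients exceeds "
                    f"{volume_factor}x baseline max {p['max_recipients']}"
                )
        if reasons:
            alerts.append({"ts": e["ts"], "key": e["key"], "ip": e["ip"],
                           "reasons": reasons, "auth_passed": authenticated(e)})
    return alerts


def analyze(log_text, cutoff="2024-05-02T00:00:00Z"):
    """Baseline on activity before `cutoff`, then look for anomalies after it."""
    events = parse_log(log_text)
    cut = datetime.strptime(cutoff, "%Y-%m-%dT%H:%M:%SZ")
    return detect(events, build_baseline(events, cut), cut)


if __name__ == "__main__":
    print("auth failures:", len(auth_failures(parse_log(SEND_LOG))))
    for a in analyze(SEND_LOG):
        print(a["ts"], a["key"], "auth_passed=%s" % a["auth_passed"], "; ".join(a["reasons"]))
```

Run as a script, the verdict-only check reports zero failures while the baseline detector raises two alerts, each noting that authentication passed. In practice the baseline window would be longer and the thresholds tuned per key, but the structure is the same: the signal lives in who is using the credential and how, never in the SPF, DKIM or DMARC result.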