How can spoofing bypass weak authentication setups?

DMARC monitoring-only (p=none) doesn't prevent spoofing. Attackers can spoof domains with no enforcement, and receivers will deliver despite failed authentication because the policy doesn't instruct otherwise.

Overly permissive SPF records create vulnerabilities. SPF allowing broad IP ranges or including third parties you don't control enables attackers using those authorized sources to pass authentication.

Missing subdomain policies leave gaps. If your main domain has strict DMARC but subdomains don't inherit protection (sp=none), attackers spoof subdomains instead. Complete protection requires comprehensive configuration.