What is SPF/DKIM’s role (or lack thereof) in malware detection?

SPF and DKIM authenticate sender identity, not message content. They verify who sent the email, not whether it contains malware. A properly authenticated message can still contain malicious attachments or links.

Authentication helps indirectly: it enables sender reputation, which influences how much scrutiny messages receive. Authenticated senders with good reputation may face less content scanning (though they shouldn't).

Don't conflate authentication with content safety. Compromised legitimate accounts pass authentication while sending malware. Authentication is one security layer addressing identity; separate mechanisms address content threats.