What specific spoofing or BEC (business email compromise) techniques can bypass DKIM, SPF, and DMARC?

Checked on November 16, 2025

Executive summary

Email authentication (SPF, DKIM, DMARC) reduces spoofing but is not absolute: attackers exploit misconfigurations, forwarding/listing behaviors, shared-hosting or third‑party SMTP trust, and protocol gaps to deliver spoofed mail despite these controls [1] [2]. Common bypasses documented in reporting include SPF “bypass” tactics when DMARC isn’t enforced, DKIM breakage via forwarding or mailing lists, and exploitation of hosted/shared SMTP vulnerabilities such as CVE‑2024‑7208 [3] [1] [2].

1. How DMARC’s “either-or” rule creates an opening

DMARC is satisfied if either SPF or DKIM passes with correct identifier alignment; that design gives attackers two possible routes. Security Boulevard explains that because DMARC accepts a passing SPF or DKIM (with alignment), adversaries can focus on making one of those pass rather than both, and misconfigured or weak records make that easier [1]. Because of that dual path, hardened configuration and monitoring are required; simply publishing a DMARC record is not enough [1].

2. SPF “bypass” via envelope tricks and permissive mail paths

Researchers and practitioners show that attackers can abuse the SMTP envelope (Return‑Path / MAIL FROM) and permissive SPF records to get SPF to pass even when the visible From: is spoofed, especially if the domain lacks DMARC or uses relaxed alignment. The CanIPhish SPF bypass project documents techniques that leverage an envelope‑from address hosted on an SPF‑permissive domain to deliver mail that looks legitimate to recipients when DMARC is not enforced [3]. Community Q&A threads likewise note that SPF passing for the return‑path does not guarantee DMARC compliance if alignment fails [4] [5].
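The evaluation rule from sections 1 and 2, written out as an added example (not code from the cited sources): a receiver-side DMARC check showing which constructed messages pass, and through which identifier. The `org_domain` shortcut (last two labels) and all domains are assumptions; real receivers use the Public Suffix List.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    from_domain: str                 # domain in the visible From: header
    spf_result: str                  # SPF verdict for the envelope sender
    spf_domain: str                  # MAIL FROM / Return-Path domain
    dkim: list = field(default_factory=list)   # [(result, d= domain), ...]

def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From:."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, adkim)
                  for res, d in r.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages (example.com / other.test are placeholders).
CASES = {
    "direct":        AuthResults("example.com", "pass", "bounce.example.com",
                                 [("pass", "example.com")]),
    "forwarded":     AuthResults("example.com", "fail", "example.com",
                                 [("pass", "example.com")]),
    "unaligned_spf": AuthResults("example.com", "pass", "other.test", []),
    "list_modified": AuthResults("example.com", "fail", "example.com",
                                 [("fail", "example.com")]),
}

if __name__ == "__main__":
    for name, case in CASES.items():
        print(name, dmarc_evaluate(case))
    # Strict SPF alignment no longer accepts the subdomain bounce address.
    print("direct, aspf=s", dmarc_evaluate(CASES["direct"], aspf="s"))
```

The `unaligned_spf` case is the one that matters for section 2: SPF alone reports a pass, and only the alignment test under an enforced DMARC policy turns that into a failure.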

3. Mailing lists and forwarding chains that break DKIM or SPF

Mailing lists and automated forwarders commonly modify messages (add headers, rewrite subjects) and can break DKIM signatures or cause SPF to fail, yet receivers sometimes still accept or whitelist these flows. Security Boulevard and academic analyses point out that forwarding mechanisms and mailing lists are a persistent weak link that attackers exploit to slip messages past DMARC checks, because DKIM is broken in transit and SPF checks the forwarder’s IP, not the original sender [1] [6].

4. Exploiting shared/hosted SMTP and provider vulnerabilities

Shared sending infrastructure and vulnerabilities in mail platforms can let an authenticated tenant spoof a hosted/shared domain identity, thereby defeating SPF/DKIM/DMARC expectations for that domain. AutoSPF’s write‑up highlights CVE‑2024‑7208 as an example where an authenticated sender could spoof a hosted domain identity and cause authentication to appear legitimate despite protections [2]. Proofpoint’s guidance also acknowledges that vendor exception lists and misconfiguration can be used to bypass anti‑spoofing checks [7].

5. Policy and configuration mistakes that open doors

Relaxed alignment, soft‑fail (~all) SPF records, missing DKIM signing for all sending subdomains, and DMARC policies set to “none” or not yet at p=reject/p=quarantine enable bypasses. Best‑practice guides and community discussion stress that relaxed modes and permissive DNS records undermine DMARC’s protections and leave domains vulnerable to the techniques above [8] [9] [10].
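An added example, not taken from the cited guides: a small auditor that flags the settings listed above in SPF and DMARC TXT records. It inspects record text only (no DNS queries are made), and the sample records and domains are constructed.

```python
SPF_ALL = {"+": "+all authorizes every sender",
           "~": "~all is softfail: unlisted senders are only marked",
           "?": "?all is neutral: unlisted senders are not judged"}

def audit_spf(record: str) -> list:
    """Flag weak settings in one SPF TXT record (no DNS resolution is done)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    findings, lookups, terminated = [], 0, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # "+" is the default
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
        lookups += name in ("include", "a", "mx", "ptr", "exists", "redirect")
        terminated = terminated or name in ("all", "redirect")
        if name == "all" and qualifier != "-":
            findings.append(SPF_ALL[qualifier])
    if not terminated:
        findings.append("no all term: unlisted senders default to neutral")
    if lookups > 10:   # RFC 7208 caps DNS-querying terms at 10
        findings.append("more than 10 DNS-lookup terms: result is permerror")
    return findings

def audit_dmarc(record) -> list:
    """Flag weak settings in one _dmarc TXT record; None means none published."""
    if not record:
        return ["no DMARC record: nothing ties From: to SPF or DKIM"]
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in
            (part.partition("=") for part in record.split(";")) if k.strip()}
    findings, policy = [], tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: failing mail is still delivered")
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("sp=none: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to monitor")
    if tags.get("pct", "100") != "100":
        findings.append("pct below 100: policy covers only part of failing mail")
    findings += [f"{t}=r (relaxed): any subdomain aligns" for t in ("aspf", "adkim")
                 if tags.get(t, "r") != "s"]
    return findings

# Constructed records; example.com and mailer.test are placeholders.
WEAK = ("v=spf1 include:_spf.mailer.test a mx ~all", "v=DMARC1; p=none")
HARD = ("v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=s; adkim=s")

if __name__ == "__main__":
    print([(audit_spf(s), audit_dmarc(d)) for s, d in (WEAK, HARD)])
```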

6. What defenders should monitor and harden now

Sources recommend a layered response: publish strict DMARC with reporting and move to reject/quarantine, ensure DKIM signs all outbound flows and rotate keys, restrict SPF to explicitly authorized senders (avoiding long include chains and an overly permissive ~all), monitor DMARC reports for anomalous sources, and watch forwarding/third‑party services closely [1] [9] [8]. Proofpoint suggests removing exception lists where feasible and getting senders to fix their records rather than relying on receiver‑side whitelists [7].
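An added example of the report monitoring recommended above (not code from the cited sources): triage of a DMARC aggregate report that flags rows failing DMARC and unlisted sources that pass on one mechanism only. The report is constructed and trimmed to the fields used; `KNOWN_SENDERS` is a hypothetical sender inventory.

```python
import xml.etree.ElementTree as ET  # reports are third-party input; defusedxml is safer

# Constructed aggregate report in the RFC 7489 layout, trimmed to the fields used.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
</record>
<record><row><source_ip>198.51.100.7</source_ip><count>4</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
</record>
<record><row><source_ip>203.0.113.50</source_ip><count>37</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>other.test</domain><result>pass</result></spf></auth_results>
</record>
</feedback>"""
KNOWN_SENDERS = {"192.0.2.10"}   # hypothetical inventory of legitimate sending IPs

def triage(xml_text, known=KNOWN_SENDERS):
    """Return (source_ip, count, label) for each row that deserves a look."""
    findings = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")   # aligned DKIM verdict
        spf = rec.findtext("row/policy_evaluated/spf")     # aligned SPF verdict
        # Raw SPF passes that did not count for DMARC: the domain was unaligned.
        stray = [s.findtext("domain") for s in rec.findall("auth_results/spf")
                 if s.findtext("result") == "pass" and spf != "pass"]
        if dkim != "pass" and spf != "pass":
            label = ("fail-unaligned-spf:" + stray[0]) if stray else "fail"
            findings.append((ip, count, label))
        elif ip not in known:
            only = "dkim" if spf != "pass" else ("spf" if dkim != "pass" else "both")
            findings.append((ip, count, "unlisted-pass-" + only))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

With `p=none` published, the third row's mail was still delivered; the report is the only place that failure shows up.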

7. Limits of current reporting and alternative viewpoints

Available sources document real bypass techniques (SPF envelope tricks, forwarding/mailing‑list breakage, shared SMTP vulnerabilities) but do not provide a comprehensive, attack‑by‑attack playbook in the collected set; some materials (community Q&As, vendor blogs, GitHub demos) focus on examples rather than exhaustive threat modeling [3] [4] [7]. Security Boulevard emphasizes that no single standard is foolproof and that combining protocols with monitoring is the prevailing defensive view [1]. The available sources do not include proofs of concept or detailed, step‑by‑step exploit scripts beyond these summaries.

Summary judgment: SPF/DKIM/DMARC substantially raise the bar, but attackers exploit protocol design (DMARC’s either/or), operational gaps (forwarders, mailing lists), misconfigurations (relaxed policies, softfail), and platform vulnerabilities (shared SMTP flaws like CVE‑2024‑7208) to bypass them; defense requires strict policies, full signing, tight SPF, vigilant reporting, and reducing reliance on exceptions [1] [3] [2] [7].
