MAIL FROMvalue in the SMTP envelope, not the
FROMheader in the message. Therefore, by using a domain that does not publish SPF record in the MAIL FROM they can easily bypass SPF check.
C --> EHLO host.spammermarketing.net S <-- 250-host.spammermarketing.net. Please to meet you S <-- 250 OK C --> MAIL FROM:<firstname.lastname@example.org> S <-- 250 OK C --> RCPT TO:<email@example.com>Notice the envelope suggests the sender belongs to spammermarketing.net, which does not have an SPF record.
From: Mr. CEO "firstname.lastname@example.org" <email@example.com> To: <firstname.lastname@example.org> Subject: Hi,my name is EvieNotice there are two email addresses in the
Fromheader. Most email clients will only display the first address, giving an impression the message came from their CEO.
MAIL FROMvalue in the envelope used a domain that did not have an SPF record, the receiving server simply ignore checking for SPF. Additionally, DMARC was also skipped because SPF was missing.