Modern email standards give receiving servers three tools named SPF, DKIM and DMARC to verify that a message genuinely came from the domain shown in the From address.
SPF (Sender Policy Framework): Lists addresses of servers allowed to send email for a domain. If this is not specified, then there is no way to determine if the address that the email originated from is really supposed to be sending emails for the claimed sender's domain.
DKIM (DomainKeys Identified Mail): Adds a cryptographic digital signature to emails. The signature can be used to ensure the email was sent by the claimed sender and that content hasn't been altered in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): A policy layer that tells receiving servers how to use SPF and DKIM results and how to report bad emails.
If any of these three are not implemented for an email, then the email is less secure than it should be. If none of the three is implemented, there is no way to know if the email came from the sender it's supposed to have come from. If the email claims to have come from an organization large enough to have a professional email setup, not having any of the three protocols is VERY suspicious.
The threat indicators in this module are:
No Authentication Headers
No email authentication results were found in this message. The standard checks that verify a sender's identity — SPF, DKIM, and DMARC — may have been bypassed. This can occur on old or misconfigured mail servers, but it is also a characteristic of hand-crafted phishing messages.
SPF Failure
SPF (Sender Policy Framework) lets a domain publish a list of servers authorized to send mail on its behalf. An SPF failure means the server that sent this email is not on that list — a strong sign that the sender address is forged.
SPF Warning
An SPF result of "softfail," "neutral," or "none" means the sending domain has not fully defined which servers are allowed to send on its behalf. The email may be legitimate, but the domain's policy leaves room for spoofed messages to slip through.
DKIM Failure
DKIM (DomainKeys Identified Mail) uses a cryptographic signature to prove that a message came from the claimed domain and was not altered in transit. A DKIM failure means the signature is invalid — the email may have been tampered with, or it may have been sent by an impostor.
DKIM Missing
No DKIM signature was found. The sender's domain does not digitally sign its outgoing mail, so there is no way to confirm this email came from them or that it was not altered after it was sent.
DKIM Unaligned Signing Domain
A valid DKIM signature was found, but it was issued by a domain unrelated to the claimed sender. The email was authenticated by a third-party mail relay — not by the sender's own servers. This is worth noting even when DKIM technically passes.
DMARC Failure
DMARC (Domain-based Message Authentication, Reporting, and Conformance) lets a domain declare what should happen to emails that fail SPF and DKIM checks. A DMARC failure means this email violates the sender domain's own stated rules for which messages should be trusted.
DMARC Not Configured
No DMARC policy was found for the sender's domain. Without this protection, it is harder to automatically detect emails that falsely claim to come from that address.
Complete Authentication Failure
SPF, DKIM, and DMARC all failed, and the sender domain's own policy explicitly states that emails like this one should be rejected. You should treat this message as not coming from who it appears to be from, and its contents as potentially fabricated.
Duplicate Singleton Headers
Email headers such as From, Date, Message-ID, and Subject must each appear exactly once in a legitimate message. When one of these headers appears multiple times with different values, it is a sign of header injection — a technique used to forge the sender identity or manipulate how mail clients display the message.
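
The following sketch is an added example, not this module's own code. It shows how most of the indicators above can be derived from a message's Authentication-Results and singleton headers; Complete Authentication Failure is left out because it also needs the domain's published policy. The function names, the receiver id mx.rx.example, the two-label org_domain shortcut and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SINGLETONS = ("From", "Date", "Message-ID", "Subject")

def org_domain(domain):
    # Assumption: "last two labels" stands in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def indicators(raw, authserv_id):
    """Return the names of the indicators listed above that apply to a raw message."""
    msg = message_from_string(raw)
    found = []
    if any(len({v.strip() for v in msg.get_all(h, [])}) > 1 for h in SINGLETONS):
        found.append("Duplicate Singleton Headers")
    # Trust only results stamped by our own receiver; a sender can forge the rest.
    ar = " ".join(v.lower() for v in msg.get_all("Authentication-Results", [])
                  if v.split(";")[0].strip().lower() == authserv_id)
    if not ar:
        return found + ["No Authentication Headers"]
    spf = (re.findall(r"\bspf=(\w+)", ar) or [""])[0]
    dmarc = (re.findall(r"\bdmarc=(\w+)", ar) or [""])[0]
    dkim = re.findall(r"\bdkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", ar)
    if spf == "fail":
        found.append("SPF Failure")
    elif spf in ("softfail", "neutral", "none"):
        found.append("SPF Warning")
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    passed = [d for r, d in dkim if r == "pass"]
    results = {r for r, _ in dkim}
    if passed:
        if not any(org_domain(d) == from_dom for d in passed):
            found.append("DKIM Unaligned Signing Domain")
    elif "fail" in results:
        found.append("DKIM Failure")
    elif results <= {"none"}:
        found.append("DKIM Missing")
    if dmarc == "fail":
        found.append("DMARC Failure")
    elif dmarc == "none":
        found.append("DMARC Not Configured")
    return found

# Constructed sample: mail signed by a third-party relay, with a second From header.
SAMPLE = ("Authentication-Results: mx.rx.example; spf=softfail smtp.mailfrom=bank.example;\n"
          " dkim=pass header.d=bulkmailer.example; dmarc=fail (p=NONE) header.from=bank.example\n"
          "From: Support <support@bank.example>\nFrom: someone@other.example\n"
          "Date: Mon, 1 Jan 2024 00:00:00 +0000\nSubject: Notice\n\nbody\n")
```

Calling indicators(SAMPLE, "mx.rx.example") reports the duplicate From, the SPF warning, the unaligned DKIM signer and the DMARC failure; passing a different receiver id makes the same message report No Authentication Headers, because results stamped by an unknown server are ignored.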