Authentication is about Identity, not Virtue
I just got some mail claiming to be from “Bank of America <firstname.lastname@example.org>”.
It passes SPF:
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=18.104.22.168; helo=bofasecure.com;
It passes DKIM:
Authentication-Results: mx.wordtothewise.com (amavisd-new); dkim=pass (1024-bit key) header.d=bofasecure.com
The visible RFC 822 From address is strictly aligned with both the SPF domain and the DKIM domain. So if they’d published a DMARC record it would have passed DMARC.
The message branding is good, and looks like Bank of America (unsurprisingly, as it’s loading assets from bac-assets.com, which is Bank of America). The only visible giveaway is that it includes an attached Word file, one which will presumably try and install malware on my machine if I load it with Word.
The perfectly passing authentication tells me it’s from bofasecure.com. There’s nothing that tells me that bofasecure.com isn’t Bank of America, and isn’t someone I should trust.