bawolff 2 days ago

Note, you can't forge the from header if DMARC is turned on. The From header was not forged in the article afaict.

It doesn't really matter because email clients usually don't even show the email part of the From header.

JoshTriplett 2 days ago | parent | next [-]

> email clients usually don't even show the email part of the From header.

Good email clients should, though.

Biganon 2 days ago | parent | prev [-]

Isn't it also SPF's role to check that the From domain is allowed for the sender IP?

bawolff a day ago | parent [-]

No (if you mean the From header).

SPF (without DMARC) validates the envelope from, not the From header.

When DMARC is present, it changes this to be the normal From header (DMARC requires either SPF or DKIM to match the From header, so if DKIM matches then SPF doesn't have to).