matsemann 5 days ago

DMARC/SPF https://en.m.wikipedia.org/wiki/DMARC

Basically, the from field on an email can be anything you want. It's like sending physical mail and using a fake letterhead with someone else's info, just type what you want. No verification.

That's sometimes a good feature. Like, a third party provider can send newsletters on behalf of company A. But it can also be bad, when used for phishing.

However, the email doesn't just appear in your mailbox. It comes to your email provider by another server connecting to it and sending the email. SPF allows the owner of A.com to specify which IPs/servers are actually acting on their behalf. So if I get an email from something@A.com, I can look up and verify that the sending server is one to trust. If not, the email client should reject or warn the user somehow.
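
The lookup described above, as an added example that is not part of the thread: a receiver checks the connecting IP against the sender domain's SPF record, then applies the DMARC rule that the header From: domain must match the SPF-authenticated domain. The records, domains and policies are constructed stand-ins for the DNS TXT queries a real mail server would make; DKIM and the include/a/mx mechanisms are left out.

```python
import ipaddress

# Constructed stand-ins for the DNS TXT records a receiver would look up
# (a.example / b.example are not real domains, values are made up).
SPF_RECORDS = {
    "a.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "b.example": "v=spf1 ip4:198.51.100.7 ~all",
}
DMARC_POLICIES = {"a.example": "reject", "b.example": "quarantine"}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip):
    """Evaluate domain's SPF record against the IP that connected to us.
    Handles ip4/ip6/all mechanisms only; include/a/mx need further DNS
    lookups and are skipped here."""
    record = SPF_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no record: the domain says nothing about its senders
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # an IPv6 address never matches an ip4 network and vice versa
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # unsupported mechanism, ignore it
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208 default)


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def dmarc_evaluate(header_from, envelope_from, sender_ip):
    """Simplified DMARC using SPF only: SPF must pass for the envelope
    (MAIL FROM) domain, and that domain must equal the header From: domain
    (strict alignment). Returns 'pass' or the owner's requested disposition."""
    from_domain = domain_of(header_from)
    env_domain = domain_of(envelope_from)
    spf = spf_check(env_domain, sender_ip)
    if spf == "pass" and env_domain == from_domain:
        return "pass"
    return DMARC_POLICIES.get(from_domain, "none")
```

A message that passes SPF for the envelope domain but carries a different From: header still fails here, which is the case the thread is about.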

tryauuum 5 days ago | parent [-]

DMARC does check the from field in the mail, so I don't know how this could happen

matsemann 5 days ago | parent [-]

Yeah, sorry if that wasn't clear in my explanation. Without these in place, you will accept anything from anyone claiming to be @A.com, but with DMARC the whole point is to flag when they're only pretending to be.