Everyone knows about phishing emails, but sometimes they can be hard to tell from the real deal.
The sender address looks the same as the real sender's, and the email body can be made to look very legit.
DMARC was introduced back in 2012 to try to put a stop to spoofed phishing emails.
A DMARC record boils down to two important tags (although there are about ten in total): the "p" tag, which tells receiving servers how to deal with mail that fails the check, either by rejecting it, quarantining it, or taking no action (p=none); and the "rua" tag, which tells receiving servers where to send aggregate reports about the mail they saw claiming to come from the domain (usually a mailbox watched by the domain owner's security team). DMARC fixes the main gap in SPF (and DKIM) on their own: they say whether a message checks out, but leave the decision about what to do with a failure entirely to the recipient. DMARC takes that burden off the recipient by letting the domain owner publish the policy.
The problem is, not everyone uses DMARC yet.
This handy tool lets you query any domain's DMARC record (it lives in DNS as a TXT record at _dmarc.<domain>). Try it out on a few of your favorites (gawker.com, whitehouse.gov, redcross.org, reddit.com). Notice anything? At the time the Lifehacker article was written, none of them had published DMARC records. That means any email host that tries to follow DMARC has no instructions on how to handle mail from those domains that fails SPF or DKIM, and will probably let it through. That's what Google does with Gmail (and Google Apps), and that's why phony emails can get through to your inbox.
To prove that Google does pay attention to DMARC records, look at the DMARC record for facebook.com: the "p" tag indicates that recipients should reject failing emails, and send reports to the postmaster at Facebook. Now try to fake an email from facebook.com and send it to a Gmail address; it won't go through. Then look at the DMARC record for fb.com: it is set to p=none, so nothing should be rejected, but reports should still be sent. And if you test it, spoofed emails from @fb.com will go through.
Here's Crunchyroll's current DMARC policy:
Notice that Crunchyroll did not set any policy flags, which means anyone in the world could make a legit-looking email and it would go through. Twitter, on the other hand, has set a policy to reject fake emails pretending to come from twitter.
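To make the "p" and "rua" tags concrete, here is an added example (not code from the original post or from the Lifehacker article) that parses a DMARC TXT record the way a receiving server would and decides what to do with a message that fails SPF/DKIM alignment. It also covers the case the post is really about: a domain with no record at all. The domains and records in FAKE_DNS are constructed for illustration under the reserved .test TLD and are not claims about any real domain's policy; the function names parse_dmarc, lookup_dmarc and disposition are my own.

```python
"""Parse DMARC records and compute the disposition of a failing message.

Added example, not the post's or Lifehacker's code. A real receiver fetches
the record from DNS as a TXT record at _dmarc.<domain>; the table below is a
constructed stand-in for DNS so the example runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample "DNS": hypothetical domains, not real published policies.
FAKE_DNS: Dict[str, str] = {
    "_dmarc.example-reject.test":
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-reject.test",
    "_dmarc.example-none.test":
        "v=DMARC1; p=none; rua=mailto:postmaster@example-none.test",
    "_dmarc.example-partial.test":
        "v=DMARC1; p=quarantine; sp=reject; pct=50; "
        "rua=mailto:agg@example-partial.test; ruf=mailto:forensic@example-partial.test",
    # example-nodmarc.test publishes no _dmarc record at all
}

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    policy: str             # p=  : what to do with failing mail from the domain itself
    subdomain_policy: str   # sp= : same for subdomains (defaults to p)
    pct: int                # pct=: percentage of failing mail the policy applies to
    rua: List[str]          # aggregate report destinations
    ruf: List[str]          # failure (forensic) report destinations
    tags: Dict[str, str]    # every tag as published, lower-cased keys


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a raw DMARC TXT record; raise ValueError if it is not usable."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    # RFC 7489: "v=DMARC1" must be the first tag and "p" is required.
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        raise ValueError(f"invalid sp= tag: {sub_policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError("pct= must be an integer")
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    ruf = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    return DmarcRecord(policy, sub_policy, pct, rua, ruf, tags)


def is_valid_dmarc(txt: str) -> bool:
    """True if the record parses as a usable DMARC1 policy."""
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def lookup_dmarc(domain: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[DmarcRecord]:
    """Return the domain's published policy, or None if it has not published one."""
    txt = dns.get(f"_dmarc.{domain.lower()}")
    return parse_dmarc(txt) if txt else None


def disposition(record: Optional[DmarcRecord], aligned_pass: bool,
                is_subdomain: bool = False, sample: int = 0) -> str:
    """What a DMARC-honouring receiver does with one message.

    aligned_pass: SPF or DKIM passed *and* aligned with the From: domain.
    sample: 0-99 bucket the receiver assigns the message, compared with pct.
    Returns "deliver", "quarantine" or "reject".
    """
    if record is None:
        return "deliver"   # no policy: the receiver is on its own (Gmail lets it through)
    if aligned_pass:
        return "deliver"
    policy = record.subdomain_policy if is_subdomain else record.policy
    if policy == "none":
        return "deliver"   # p=none: report it, but do not block it
    if sample >= record.pct:
        # Outside the sampled fraction: RFC 7489 steps the action down one level.
        return "quarantine" if policy == "reject" else "deliver"
    return policy


if __name__ == "__main__":
    for domain in ("example-reject.test", "example-none.test",
                   "example-partial.test", "example-nodmarc.test"):
        rec = lookup_dmarc(domain)
        summary = ("no DMARC record" if rec is None else
                   f"p={rec.policy} sp={rec.subdomain_policy} pct={rec.pct} rua={rec.rua}")
        print(f"{domain}: {summary}")
        print("  spoofed message failing alignment ->", disposition(rec, aligned_pass=False))
```

To try this against a real domain, fetch the record with `dig +short TXT _dmarc.facebook.com` (or any resolver's TXT lookup) and feed the quoted string to parse_dmarc; the decision logic is the same. The sp and pct handling goes slightly beyond the two tags the post highlights, because those are the tags that most often make a "reject" policy weaker than it looks.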
Matthew also noted that the "postmaster report" is no joke. When he tried spoofing a domain with a DMARC record, his SMTP server was blocked in less than 24 hours. In our testing, we noticed the same. If a domain is set up properly, they'll put an end to those spoofed messages quickly, or at least until the spoofer moves to a different IP address. However, a domain that doesn't have a DMARC record is fair game. You could spoof it for months and no one on the sending side would notice; it would be up to the receiving mail provider to protect its users, either by flagging the message as spam based on content or based on the message's failed SPF check.
I encourage people to read this; it's quite informative.
Lifehacker: How Spammers Spoof Your Email Address (and How to Protect Yourself)