When identity and intent diverge.
OpenEFA® Signals Series | April 1, 2026
The most dangerous email you will receive this year will pass every authentication check. SPF will pass. DKIM will validate. DMARC will align. And the message will still be an attack.
This is not a theoretical concern. It is the operational reality of modern email threats. Attackers have learned that authentication is a gate they can walk through — not a wall they need to climb over. The question is no longer whether a message is authenticated. The question is whether authentication alone tells you anything meaningful about intent.
It doesn't. And that gap between identity verification and behavioral analysis is where OpenEFA® operates.
Email authentication protocols — SPF, DKIM, and DMARC — were designed to solve a specific problem: proving that a message was sent from authorized infrastructure. They do this well. But it's critical to understand exactly what they prove and what they don't.
SPF verifies that the sending IP address is authorized to send mail for the domain in the envelope-from address. It proves that the message originated from infrastructure the domain owner has approved. It does not prove that the person using that infrastructure is who they claim to be, or that their intentions are legitimate.
DKIM verifies that the message body and selected headers have not been altered in transit. It proves message integrity and confirms the signing domain. It does not prove that the account holder authored the message, or that the content is benign.
DMARC ties SPF and DKIM together with domain alignment, ensuring that the visible From address matches the authenticated domain. It proves policy compliance. It does not prove that the message is safe, wanted, or sent by the expected human being.
Together, these protocols answer one question: "Did this message come from the infrastructure it claims to come from?"
They do not answer: "Is the person behind this message who you think they are? And do they intend what you expect?"
That distinction is the entire attack surface for modern business email compromise.
There are several mechanisms by which a fully authenticated message can be malicious:
An attacker gains access to a legitimate email account through credential theft, password spraying, session token hijacking, or OAuth token abuse. Every message sent from the compromised account is fully authenticated because it is being sent from the real account. SPF passes because the message comes from the organization's mail server. DKIM validates because the organization's mail server applies the signature. DMARC aligns because everything matches.
The authentication is perfect. The intent is malicious.
An attacker registers their own domain, configures SPF, DKIM, and DMARC correctly, and sends authenticated messages from properly configured infrastructure. The domain may be a lookalike (e.g., a homograph attack or a plausible variation of a known domain), or it may be an entirely new domain that the attacker has warmed up over weeks to build reputation.
Authentication proves the attacker controls the infrastructure. It says nothing about whether the infrastructure should be trusted.
An attacker compromises a vendor or partner organization's email system. Messages sent to your users from the compromised vendor are fully authenticated under the vendor's domain. Your DMARC policy has no authority over their domain — and even if you check their DMARC, it will pass because the compromise is in their infrastructure, not yours.
In all three cases, the technical signals say "safe." The behavioral reality says otherwise.
OpenEFA's detection engine treats the divergence between authentication and behavior as a first-class signal. When technical verification says one thing and behavioral analysis says another, that contradiction itself becomes one of the most powerful indicators available.
The engine evaluates several specific conflict patterns:
The message comes from a known, authenticated sender — but it was sent at 3:14 AM in their local time zone, well outside their established sending window. A compromised account being operated from a different geography will often produce timing anomalies even when every other technical signal is clean.
The sender's email is fully verified, but the writing style has changed. Sentence structure is different. Formality level has shifted. Vocabulary patterns don't match the sender's historical baseline. This can indicate that someone else is using the account — or that the message was drafted by an attacker using a different native language or AI-generated text.
The sender normally communicates with a consistent set of internal contacts. This message targets a recipient or group they've never contacted before — particularly someone in finance, HR, or executive leadership. The authentication is valid, but the communication pattern is anomalous.
The sender's previous messages have been routine — meeting coordination, project updates, status reports. This message suddenly contains a financial request, a credential request, or a demand for urgent action. The identity is verified, but the intent has changed dramatically.
The DMARC record aligns and SPF passes, but the specific mail client fingerprint, user-agent string, or originating application has changed. The sender previously used Outlook on Windows; this message was sent from a webmail interface via an IP in a different country. Authentication covers the domain — but these subtler technical signals reveal that the access pattern has shifted.
Business email compromise is the most financially damaging category of email-based attack, and it is almost entirely invisible to authentication-only defenses. The FBI's Internet Crime Complaint Center has consistently reported BEC as the highest-loss category of cybercrime — exceeding ransomware by a wide margin.
BEC succeeds precisely because it exploits the trust that authentication creates. When a CFO receives a message from the CEO's verified email address requesting an urgent wire transfer, every technical signal says the message is legitimate. The only defenses are:
An authentication-only system will never flag this message. A system that detects conflicts between authentication and behavior will.
This is why OpenEFA's approach is fundamentally different from traditional gateway security. It doesn't treat authentication as the final word. It treats authentication as one input among many — and it pays special attention when that input disagrees with everything else.
Consider this situation at a mid-sized professional services firm:
From: Managing Partner's verified email (SPF pass, DKIM valid, DMARC aligned)
To: Office Manager (handles accounts payable)
Subject: "Confidential — Need Your Help"
Body: "I'm heading into a meeting and can't talk right now. I need you to process a payment to a new consultant we've engaged. I'll send the details shortly. Please keep this between us until the contract is finalized."
Traditional security sees: authenticated message, no links, no attachments, no known malicious content. Pass.
OpenEFA sees a different picture:
Every behavioral and contextual signal conflicts with the clean authentication. OpenEFA flags the message as high-risk, and the office manager is notified before any payment is processed.
Later investigation reveals the managing partner's account was compromised via a phished OAuth token.
Authentication vs Behavior Conflict is one of the most important signals in the OpenEFA framework because it addresses the foundational assumption that most email security is built on: that authentication equals trust.
It doesn't. Authentication equals verified infrastructure. Trust must be earned through consistent behavior over time — and it must be continuously validated against current actions.
The core principle: identity is not intent. Proving who sent a message tells you nothing about why they sent it.
When authentication and behavior agree, confidence is high. When they conflict, the conflict itself is the most important signal in the message. OpenEFA is built to detect that conflict — because that is precisely where modern attacks live.