authenticated senders only
In some situations the sender check is not enough.
For example when you want to receive emails from one sender only,
and all messages that fail the checks must be discarded.
In this case you need to be sure that the sender’s email address has not been spoofed.
This control can be done putting together SPF and DKIM authentication.
SPF confirms the sender’s address and its relationship with the server that sent out the message.
DKIM guarantees that the email (including the attachments) has not been modified since the “signature” was affixed.
In theory it’s that easy, in practice both SPF and DKIM can refer to a different domain than the from address.
We check that SPF authentication and DKIM signature are related to the domain in the from address.
In this way no other than the original sender can authenticate the email. This guarantees its origin.