When you approve an email address or domain in SpamHero using the default settings, the approved sender is only applied when the origin of the message can be authenticated.
This is done in the following ways:
The message contains a valid DKIM header that was signed by the same domain as the sender's "from" domain.
The message passes SPF, which authenticates the "return path" (or the "HELO" host when the "return path" is missing). To pass "with alignment", the SPF-authenticated host must match the sender's "from" domain.
While SPF is generally used only to authenticate the "return path" of a message, in this context, a message will also be considered authenticated if the sending IP address of the message is in the From sender's domain SPF record. Contrary to popular belief, handling it this way is beyond the scope of the SPF protocol, but enough domains owners have used SPF in this way that it has become a viable way to authenticate a message. This method of authentication does carry some risk if the sender includes shared IPs in their SPF record.
DMARC is not an email authentication technology, but rather a policy defined by the sender that tells the receiving server how to handle sender authentication failures.
In this scenario, there is no way to verify that the message is authentic (someone could be impersonating the sender). However, you can add "approved sources" for an approved sender.
If a message has a DKIM signer domain or SPF-authenticated host (return path or HELO domain) that matches one of your "approved sources", it will be treated as if it was "aligned" with the sender's from address (so the message will skip normal filtering).
You can also approve an IP address as an "approved source", which means that any messages from the approved sender using the designated IP address will skip normal filtering (even when DKIM and SPF fail).
To add an "approved source" to an "approved sender", go to Settings > Approved Senders, click on the row for the approved sender and add the source in the textbox labeled "Approved Sources".
Note: "approved sources" are shared for all approved sender addresses that end in the same domain.