Email verification by sending mail instead of receiving
Relying just on a mail claimed to be sent by a specific user will be neither sufficient nor practical to verify the sender, even with SPF and/or DKIM validation.
Neither SPF nor DKIM validates the sender of the email in the first place. They verify at most that a mail was sent using a mail server which is allowed to send mail for the claimed domain, where the claimed domain is unrelated to the domain in the From field in the mail header (i.e. what is usually seen as the sender's address). Only DMARC will align the domain in the From field of the mail header with the claimed domain in the SMTP dialog (SPF) or the DKIM-Signature (DKIM).
Even then, this will only align the domain part but not the actual full address. Thus relying only on this would allow [email protected] to claim in the From field of the mail header to be [email protected], and neither SPF nor DKIM nor DMARC would complain.
In addition to that, it is common for domains to explicitly allow service providers (like Office365, Mailchimp, ...) to send mail in their name by adding the providers' IP addresses or domains to the SPF policy or providing them with the key needed for DKIM. These service providers typically have their infrastructure shared between all clients, which badly affects the granularity SPF would offer and also means that somebody other than the domain owner can send DKIM-signed mails with the owner's domain.
Apart from being insufficient to validate the sender, it would also require the client's infrastructure to have DMARC and at least one of SPF or DKIM properly implemented, which only very few have.
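As an added illustration (example code written for this page, not part of the answer above or of any DMARC library), the following Python model walks through DMARC identifier alignment as described in RFC 7489 section 3.1 for three constructed messages: a forged local part within the same domain, a mail signed with the domain owner's DKIM key by a shared service provider, and a genuine cross-domain forgery. All addresses and domains (example.com, provider.example, attacker.example) are hypothetical, the authentication results are constructed rather than computed, and the organizational-domain derivation is simplified to "last two labels" instead of the Public Suffix List.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    """What a receiving MTA knows after SPF and DKIM verification.
    Values here are constructed for the example, not computed."""
    header_from: str            # RFC5322.From, the address the user sees
    mail_from: str              # SMTP MAIL FROM (envelope sender) checked by SPF
    spf_result: str             # "pass", "fail", "none", ...
    dkim_domain: Optional[str]  # d= tag of a verified DKIM-Signature, or None
    dkim_result: str            # "pass", "fail", "none"


_ADDR = re.compile(r"<?([^<>\s@]+)@([^<>\s]+?)>?\s*$")


def address_domain(addr: str) -> str:
    """Return the domain part of 'Name <user@host>' or a bare 'user@host'."""
    m = _ADDR.search(addr)
    if not m:
        raise ValueError(f"not an address: {addr!r}")
    return m.group(2).lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """Relaxed alignment compares organizational domains. RFC 7489 derives
    them from the Public Suffix List; this example assumes the last two
    labels, which is fine for example.com but wrong for names under co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact domain match,
    'r' (relaxed) only the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if either an SPF pass or a DKIM pass is aligned with the
    From domain. Note what is never inspected: the local part of any address."""
    from_domain = address_domain(r.header_from)
    spf_aligned = (r.spf_result == "pass"
                   and aligned(from_domain, address_domain(r.mail_from), aspf))
    dkim_aligned = (r.dkim_result == "pass"
                    and r.dkim_domain is not None
                    and aligned(from_domain, r.dkim_domain, adkim))
    return {"spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


def scenarios() -> dict:
    """Three constructed messages matching the points made in the answer."""
    # 1. Same domain, different user: a legitimate (or compromised) account
    #    attacker@example.com writes From: ceo@example.com. SPF and DKIM
    #    authenticate example.com, alignment compares example.com with
    #    example.com, and the forged local part is never looked at.
    same_domain = AuthResults(
        header_from="CEO <ceo@example.com>",
        mail_from="attacker@example.com",
        spf_result="pass",
        dkim_domain="example.com",
        dkim_result="pass",
    )
    # 2. Shared service provider that was handed an example.com DKIM key:
    #    anything it signs with d=example.com is an aligned DKIM pass,
    #    although the SMTP envelope belongs to the provider's own domain.
    provider_signed = AuthResults(
        header_from="ceo@example.com",
        mail_from="bounce@mail.provider.example",
        spf_result="pass",          # passes for provider.example, not aligned
        dkim_domain="example.com",  # key supplied by the domain owner
        dkim_result="pass",
    )
    # 3. Cross-domain forgery: nothing authenticated aligns with example.com,
    #    so DMARC fails. This is the only one of the three DMARC catches.
    cross_domain = AuthResults(
        header_from="ceo@example.com",
        mail_from="attacker@attacker.example",
        spf_result="pass",
        dkim_domain="attacker.example",
        dkim_result="pass",
    )
    return {"same_domain": dmarc_evaluate(same_domain),
            "provider_signed": dmarc_evaluate(provider_signed),
            "cross_domain": dmarc_evaluate(cross_domain)}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} {result}")
```

Running it shows the first two scenarios as DMARC pass and only the third as fail; switching `aspf`/`adkim` to `"s"` changes nothing for them, because strict mode still compares domains only.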