I would also suggest a BIMI record ( https://mailchimp.com/marketing-glossary/bimi/ ) to have a recognizable logo in major email systems.
(maybe for "haproxy.com" as well )

Ilya

Thu, 7 Apr 2022 at 17:11, Willy Tarreau <w...@1wt.eu>:
> Hello,
>
> On Sat, Apr 02, 2022 at 03:46:58AM +0500, Arslan Kabeer wrote:
> > Hello Team,
> > I am a security researcher and I found this vulnerability.
> > I just sent a forged email to my email address that appears to originate
> > from haproxy@formilux.org
> > I was able to do this because of the following DMARC record:
> >
> > DMARC record lookup and validation for: formilux.org
> >
> > " No DMARC Record found "
> >
> > How To Reproduce (POC - ATTACHED IMAGE):
> > 1. Go to mxtoolbox.com/DMARC.aspx
> > 2. Enter the website. Click GO.
> > 3. You will see the fault (DMARC Quarantine/Reject policy not enabled)
> >
> > Fix:
> > 1) Publish DMARC record.
> > 2) Enable DMARC Quarantine/Reject policy
> > 3) Your DMARC record should look like
> > "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:i...@domain.com"
>
> We already have SPF, why would DMARC be needed in addition to this ?
> Are you sure your mail server properly checks SPF ? I mean, when I'm
> looking at the gmail domain that you used for sending, it also uses
> SPF and am not seeing DMARC, so it seems that if instead we send you
> a message spoofing gmail you will not receive it as spoofed. Am I
> missing something ?
>
> Thanks,
> Willy
>
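As an added example (not code from this thread or from the HAProxy project), a small Python checker that parses a DMARC TXT record such as the one proposed above and summarises what a receiver will do with unauthenticated mail; it also flags that `sp=none` in that proposed record leaves subdomains without enforcement. The DNS lookup itself is left to the caller, and the `rua` address is a placeholder.

```python
"""Parse a DMARC TXT record (RFC 7489 tag=value syntax) and assess its policy.

Added example, not part of the original thread. The record strings used in
the test are constructed; the rua mailbox is a placeholder.
"""
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags


def assess(txt: Optional[str]) -> dict:
    """Summarise the effective policy for the domain and its subdomains.

    Returns the domain policy, the subdomain policy (sp= defaults to p=),
    the sampling percentage, and a list of weaknesses a defender should know.
    """
    if txt is None:
        return {"domain_policy": "none", "subdomain_policy": "none",
                "pct": 0, "findings": ["no DMARC record published"]}
    tags = parse_dmarc(txt)
    domain = tags["p"].lower()
    sub = tags.get("sp", domain).lower()   # absent sp= means "same as p="
    pct = int(tags.get("pct", "100"))      # absent pct= means 100%
    findings = []
    if domain == "none":
        findings.append("p=none: spoofed mail is delivered, only reported")
    if sub == "none" and domain != "none":
        findings.append("sp=none: subdomains remain spoofable")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, failures go unseen")
    return {"domain_policy": domain, "subdomain_policy": sub,
            "pct": pct, "findings": findings}
```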