Hello,

On Sat, Apr 02, 2022 at 03:46:58AM +0500, Arslan Kabeer wrote:
> Hello Team,
> I am a security researcher and I found this vulnerability.
> I just sent a forged email to my email address that appears to originate
> from  [email protected]
> I was able to do this because of the following DMARC record:
> 
> DMARC record lookup and validation for: formilux.org
> 
> " No DMARC Record found "
> 
> How to reproduce (POC: attached image):
> 1. Go to mxtoolbox.com/DMARC.aspx
> 2. Enter the website and click GO.
> 3. You will see the fault (DMARC Quarantine/Reject policy not enabled)
> 
> Fix:
> 1) Publish a DMARC record.
> 2) Enable the DMARC Quarantine/Reject policy.
> 3) Your DMARC record should look like
> "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:[email protected]";

We already have SPF, why would DMARC be needed in addition to this?
Are you sure your mail server properly checks SPF? I mean, when I'm
looking at the gmail domain that you used for sending, it also uses
SPF and I am not seeing DMARC, so it seems that if instead we send you
a message spoofing gmail you will not receive it as spoofed. Am I
missing something?

Thanks,
Willy
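
As an added example (not part of the thread above, and not code from the haproxy or formilux projects), the following Python parses a DMARC record of the shape quoted in the report and shows what such a record adds on top of an SPF check: SPF alone judges the envelope MAIL FROM domain, whereas DMARC additionally requires that SPF-authenticated domain (or a DKIM d= domain, omitted here for brevity) to align with the From: header the recipient actually sees. The domains, DMARC records and SPF results below are constructed samples, nothing queries DNS, and the organizational-domain helper is a simplification that ignores the Public Suffix List.

```python
"""DMARC record parsing and SPF identifier alignment (RFC 7489).

Added illustration for the thread above; not code from the haproxy or
formilux projects.  Every record, domain and SPF result here is a
constructed sample so the script runs offline.
"""
from typing import Dict, Optional, Tuple

# Constructed samples of what a TXT lookup of _dmarc.<domain> might return.
SAMPLE_DMARC_RECORDS: Dict[str, Optional[str]] = {
    "example.com": "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; "
                   "rua=mailto:dmarc-reports@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": None,  # no _dmarc TXT record published at all
}

# Constructed SPF outcomes for the connecting host, keyed by MAIL FROM domain.
# An attacker's own domain can perfectly well authorize the attacker's host.
SAMPLE_SPF_RESULTS: Dict[str, str] = {
    "example.com": "pass",
    "attacker.example": "pass",
}


def parse_dmarc_record(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict.

    RFC 7489 s6.3: 'v=DMARC1' must come first and 'p' is required.
    Raises ValueError for anything a validator would reject.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required 'p' (policy) tag")
    tags["p"] = tags["p"].lower()
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def policy_status(domain: str) -> str:
    """'no record', 'monitoring only' (p=none) or 'enforcing' for a domain."""
    record = SAMPLE_DMARC_RECORDS.get(domain)
    if record is None:
        return "no record"
    return "monitoring only" if parse_dmarc_record(record)["p"] == "none" else "enforcing"


def organizational_domain(domain: str) -> str:
    # Simplification: keep the last two labels.  Real validators consult the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def spf_aligned(header_from: str, mail_from: str, mode: str) -> bool:
    """RFC 7489 s3.1.2: strict ('s') needs the From: header domain and the
    SPF-authenticated MAIL FROM domain to match exactly; relaxed ('r') only
    needs their organizational domains to match."""
    if mode == "s":
        return header_from.lower() == mail_from.lower()
    return organizational_domain(header_from) == organizational_domain(mail_from)


def evaluate(header_from: str, mail_from: str) -> Tuple[str, str]:
    """Return (SPF result on the envelope, DMARC verdict) for one message.

    SPF by itself only judges MAIL FROM.  The DMARC verdict additionally
    requires that identifier to align with the From: header, and falls
    back to the published policy (p=) when it does not.
    """
    spf = SAMPLE_SPF_RESULTS.get(mail_from, "none")
    record = SAMPLE_DMARC_RECORDS.get(header_from)
    if record is None:
        return spf, "no policy"  # receiver has nothing to enforce against
    tags = parse_dmarc_record(record)
    aspf = tags.get("aspf", "r").lower()  # alignment mode defaults to relaxed
    if spf == "pass" and spf_aligned(header_from, mail_from, aspf):
        return spf, "pass"
    return spf, tags["p"]


if __name__ == "__main__":
    for hf, mf in [("example.com", "example.com"),
                   ("example.com", "attacker.example"),
                   ("example.org", "attacker.example")]:
        spf, dmarc = evaluate(hf, mf)
        print(f"From: @{hf:<12} MAIL FROM: @{mf:<17} SPF={spf:<5} DMARC={dmarc}")
```

The second row of the output is the case the thread is about: SPF passes, because the sending host is authorized for attacker.example, yet the message displays example.com in From:. Only a receiver that evaluates DMARC, and only against a domain that has published a policy, turns that into a reject; with no record (third row) there is nothing for the receiver to apply.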
