No SPF/DMARC records on mb-cosmos.com
Team Summary
Official summary from Malwarebytes
Summary
This report identifies a security vulnerability where the domain mb-cosmos.com lacks SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) records. The reporter demonstrates that this misconfiguration allows email spoofing, where an attacker can send emails that appear to come from the domain without authentication.

Steps to Reproduce
1. Visit https://emkei.cz/ (an email spoofing service)
2. Enter "[email protected]" as the sender email address
3. Send an email to any recipient (the reporter used temp-mail.org)
4. Observe that the email is successfully delivered and appears to originate from the legitimate domain
5. Verification shows no SPF records when checking DNS records for mb-cosmos.com

Impact
This vulnerability allows malicious actors to spoof emails that appear to come from Malwarebytes' domain mb-cosmos.com. Without proper SPF and DMARC records, attackers can send phishing emails that appear legitimate to recipients, potentially tricking users into revealing sensitive information or performing harmful actions. The reporter notes that spoofed emails are delivered directly to the inbox rather than being filtered as spam. This falls under CWE-657 (Violation of Secure Design Principles), as implementing email authentication records is considered a security best practice to prevent email spoofing.
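The DNS verification from the reproduction steps can be turned into a repeatable check on the defender's side. The following is an added example, not part of the original report: it classifies a domain's SPF and DMARC posture from TXT answers that have already been fetched for the domain and for its `_dmarc` subdomain. The function names are hypothetical, and the sample records and `example.net` are constructed placeholders.

```python
# Added example: SPF/DMARC posture check over TXT strings fetched beforehand.

def spf_records(apex_txt):
    """TXT strings that are SPF policies (version term 'v=spf1')."""
    return [r for r in apex_txt if r.lower().split(" ")[0] == "v=spf1"]

def spf_all_qualifier(spf):
    """Qualifier on 'all' ('+', '-', '~', '?'); 'redirect' if the policy is
    delegated via redirect= (not followed here); None if neither is present."""
    terms = [t.lower() for t in spf.split()[1:]]
    for t in terms:
        if t == "all":
            return "+"                      # a bare 'all' means '+all'
        if len(t) == 4 and t[0] in "+-~?" and t[1:] == "all":
            return t[0]
    return "redirect" if any(t.startswith("redirect=") for t in terms) else None

def dmarc_policy(dmarc_txt):
    """Value of the p= tag, or None when zero or several DMARC records exist."""
    recs = [r for r in dmarc_txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p")

def audit(apex_txt, dmarc_txt):
    """Return a list of findings; an empty list means no finding was raised."""
    findings = []
    spf = spf_records(apex_txt)
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records")
    elif spf_all_qualifier(spf[0]) in (None, "+", "?"):
        findings.append("SPF does not restrict senders")
    policy = dmarc_policy(dmarc_txt)
    if policy is None:
        findings.append("no valid DMARC policy")
    elif policy == "none":
        findings.append("DMARC p=none (monitor only)")
    return findings

if __name__ == "__main__":
    # Constructed sample data (example.net is a placeholder domain).
    print(audit([], []))  # the state this report describes
    print(audit(["v=spf1 include:_spf.example.net -all"], ["v=DMARC1; p=reject"]))
```

The TXT answers can be collected with any resolver, for example `dig +short TXT` against the domain and against `_dmarc.` prefixed to it.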
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Violation of Secure Design Principles