Vulnerability: Email Spoofing
Sifchain
Reported by
tajammul
Vulnerability Details
Technical details and impact analysis
Hi Team
Hope you are doing well.
I found a vulnerability.
Issue: Email Spoofing
I just sent a forged email to [email protected] that appears to originate from [email protected]
I was able to do this because of SPF Soft Fail and I could not find DMARC record of this domain.
SPF record lookup and validation for: sifchain.finance
Found v=spf1 record for sifchain.finance:
v=spf1 include:_spf.google.com include:spf.autopilothq.com include:sendgrid.net ~all
As you can see, the symbol at the end, which is (~all), is the issue; it should be replaced by the hyphen (-all) symbol.
Please refer to the DigitalOcean article for understanding.
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
DMARC record lookup and validation for: sifchain.finance
No DMARC Record Found
You can check your SPF Record from here
https://www.kitterman.com/spf/validate.html
You can check your DMARC record from here
https://mxtoolbox.com/emailhealth/sifchain.finance/
Also, no DKIM found.
Please find the Attached Video of forged test email received as a proof of concept and Screenshot of forged email received and Domain Health Report.
Waiting for your response.
With Thanks and Regards
Muhammad Tajammul
## Impact
Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.
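The two findings in this report (a soft-fail `~all` qualifier in SPF and a missing DMARC record) can be checked mechanically from the published TXT records. The following is an added example, not part of the original report or of Sifchain's infrastructure: it parses an SPF record and a DMARC record and lists the weaknesses a defender would want to fix. The SPF record used as the "as reported" input is the one quoted in the report; the hardened SPF and DMARC records are constructed samples, and the `dmarc-reports@example.com` address is a placeholder. The records are embedded inline rather than fetched over DNS so the script runs offline.

```python
"""Assess an SPF record's final 'all' qualifier and a DMARC record's policy.

Added example: parses records given as strings, so no DNS lookup is performed.
"""
from typing import Optional

# Meaning of the qualifier that may prefix an SPF mechanism (default is '+').
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# SPF record exactly as quoted in the report above.
SPF_AS_REPORTED = (
    "v=spf1 include:_spf.google.com include:spf.autopilothq.com "
    "include:sendgrid.net ~all"
)
# Constructed hardened versions (sample values, not the domain's real records).
SPF_HARDENED = (
    "v=spf1 include:_spf.google.com include:spf.autopilothq.com "
    "include:sendgrid.net -all"
)
DMARC_HARDENED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_spf(record: str) -> dict:
    """Split a v=spf1 TXT record into (qualifier, mechanism) pairs.

    Returns the list of mechanisms plus the qualifier attached to 'all'
    (None when the record has no 'all' term at all).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Parse a v=DMARC1 TXT record into a tag dictionary; None if absent."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: Optional[str]) -> list:
    """Return a list of human-readable findings; empty means no weakness seen."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get an implicit neutral")
    elif spf["all"] != "-":
        name = SPF_QUALIFIERS[spf["all"]]
        findings.append(f"SPF: 'all' is {name} ({spf['all']}all); use -all")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no record; receivers will not enforce SPF/DKIM alignment")
    elif dmarc.get("p", "none") == "none":
        findings.append("DMARC: policy p=none only monitors; move to quarantine or reject")
    return findings


if __name__ == "__main__":
    print("As reported:", assess(SPF_AS_REPORTED, None))
    print("Hardened:   ", assess(SPF_HARDENED, DMARC_HARDENED))
```

Note that a `~all` soft fail by itself is a signal to the receiver, not a rejection; it is DMARC (with `p=quarantine` or `p=reject`) that turns an SPF or DKIM failure into an enforced outcome, which is why the missing DMARC record is the more consequential of the two findings. DKIM cannot be checked from a single TXT lookup without knowing the selector, so this example does not attempt it.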
Report Details
Additional information and metadata
State
Closed
Substate
Duplicate