Severity: medium · CWE-290 (Authentication Bypass by Spoofing) · OWASP A05:2021 (Security Misconfiguration)

Email Spoofing (Missing SPF/DKIM/DMARC)

Without SPF, DKIM, and DMARC DNS records, any mail server can send messages with your domain in the From header and receivers have no policy that tells them to reject it. That makes phishing of your users, customers, and partners trivial.

How It Works

SMTP was designed without authentication: the sending server asserts the envelope sender (MAIL FROM) and the From header, and nothing checks either. SPF is a TXT record that lists which IP addresses may use your domain in MAIL FROM. DKIM adds a cryptographic signature over selected headers and the body, verified against a public key published at <selector>._domainkey.your-domain. DMARC ties both to the From address the user actually sees: it passes only when SPF or DKIM passes for a domain aligned with the From domain, and it tells receivers what to do otherwise (none, quarantine, or reject) and where to send reports. SPF alone does not stop From spoofing, because an attacker can pass SPF for their own envelope domain while putting your-company.com in the From header. Without all three, attackers can craft emails that look exactly like they came from your-company.com.
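The receiver-side logic described above, as an added example that is not code from the original page or from any mail provider. The DNS zones, IP addresses, and domain names are constructed; SPF evaluation covers only the ip4:, include:, and all mechanisms, the organizational-domain helper is a simplification of the Public Suffix List lookup real receivers use, and the DKIM verdict is passed in by the caller because real DKIM verification needs the RSA signature carried in the message headers.

```python
"""Receiver-side SPF + DMARC evaluation over a constructed DNS table."""
import ipaddress

# Constructed DNS TXT data (assumption: none of these are real zones).
DNS_TXT = {
    "your-domain.com": ["v=spf1 include:sendgrid.net ip4:203.0.113.10 -all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.your-domain.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@your-domain.com"],
    "no-dmarc.example": ["v=spf1 ip4:203.0.113.20 -all"],   # SPF only, no DMARC record
    "attacker.example": ["v=spf1 ip4:192.0.2.7 -all"],       # zone the attacker controls
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, prefix):
    """Return the first TXT record at name that starts with prefix, or None."""
    for rec in DNS_TXT.get(name, []):
        if rec.startswith(prefix):
            return rec
    return None


def spf_check(ip, mail_from_domain, depth=0):
    """Evaluate SPF for the envelope (MAIL FROM) domain. Returns an RFC 7208 result."""
    rec = lookup_txt(mail_from_domain, "v=spf1")
    if rec is None or depth > 10:            # no record, or include: recursion guard
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                          # a, mx, exists, ... not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                          # nothing matched (RFC default)


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption;
    real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_verdict(from_domain, mail_from_domain, ip, dkim_domain=None, dkim_pass=False):
    """Apply DMARC with relaxed alignment to the header From domain.

    DMARC passes only if SPF or DKIM passes *and* the domain that was
    authenticated aligns with the From domain the user sees.
    """
    spf = spf_check(ip, mail_from_domain)
    spf_aligned = spf == "pass" and org_domain(mail_from_domain) == org_domain(from_domain)
    dkim_aligned = (dkim_pass and dkim_domain is not None
                    and org_domain(dkim_domain) == org_domain(from_domain))
    result = {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    rec = lookup_txt("_dmarc." + from_domain, "v=DMARC1")
    if rec is None:                           # no DMARC record: no policy to apply
        result.update(dmarc="none", disposition="deliver")
        return result
    tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    if spf_aligned or dkim_aligned:
        result.update(dmarc="pass", disposition="deliver")
    else:
        policy = tags.get("p", "none")
        result.update(dmarc="fail", disposition="deliver" if policy == "none" else policy)
    return result


if __name__ == "__main__":
    cases = [
        # (label, From domain, MAIL FROM domain, connecting IP)
        ("legit mail via SendGrid", "your-domain.com", "your-domain.com", "198.51.100.25"),
        ("direct spoof", "your-domain.com", "your-domain.com", "192.0.2.7"),
        ("spoof, attacker's own envelope", "your-domain.com", "attacker.example", "192.0.2.7"),
        ("spoof of domain without DMARC", "no-dmarc.example", "attacker.example", "192.0.2.7"),
    ]
    for label, frm, mfrom, ip in cases:
        print(f"{label:34} -> {dmarc_verdict(frm, mfrom, ip)}")
```

The third case is the one that matters: the attacker's server passes SPF for attacker.example, yet DMARC still rejects because the envelope domain does not align with your-domain.com in the From header. The fourth case shows the vulnerability this page describes: with no _dmarc record, the same message is delivered and the receiver has no policy to apply.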

Vulnerable Code
// BAD: DNS zone with no email authentication records
// your-domain.com DNS:
// No TXT record for SPF
// No TXT record for DKIM
// No TXT record for DMARC
// Result: any server can send email as you@your-domain.com, and receivers have no policy telling them to reject it
Secure Code
// GOOD: complete email authentication DNS records
// SPF: list every authorized sending service; -all hard-fails everything else, so a missing include: breaks legitimate mail
your-domain.com. TXT "v=spf1 include:sendgrid.net include:_spf.google.com -all"
// DKIM: enable signing in your email provider's dashboard (Sendgrid, SES, etc.); it gives you a TXT or CNAME record
// to publish at <selector>._domainkey.your-domain.com containing the public key
// DMARC: set the policy and a reporting address (the rua mailbox must exist; it receives XML aggregate reports)
_dmarc.your-domain.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@your-domain.com"

Real-World Example

BEC (Business Email Compromise) attacks cost companies $2.9 billion in 2023 (FBI IC3 report). They typically impersonate an executive or supplier; on a domain without DMARC enforcement the attacker can put the real executive address in the From header, rather than relying on a lookalike domain or a compromised account.

How to Prevent It

  • Add an SPF record listing every service authorized to send email from your domain, ending in -all; keep include:, a, mx, ptr, exists, and redirect terms to ten DNS lookups in total or receivers return permerror
  • Enable DKIM signing in your email provider (Sendgrid, SES, Postmark) and publish the selector record it gives you under _domainkey
  • Add a DMARC record starting with p=none, review the aggregate (rua) reports until every legitimate sender passes, then tighten to p=quarantine or p=reject
  • Use MXToolbox, Google Admin Toolbox, or dig to verify all three records resolve and parse correctly, and re-check whenever you add a sending service
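The verification step, as an added example that is not code from the original page or from any scanning product: static checks over the three record types. The zones below are constructed; in practice the TXT values come from live DNS (for example the output of dig +short TXT _dmarc.your-domain.com), the DKIM public key is a placeholder rather than a real key, and the SPF lookup count only counts the terms in the top-level record, not the includes they expand to.

```python
"""Static audit of SPF, DKIM and DMARC TXT records for a domain."""
import re

# SPF terms that each consume one of the ten permitted DNS lookups.
LOOKUP_RE = re.compile(r"^(include:|exists:|redirect=|ptr|a(?=[:/]|$)|mx(?=[:/]|$))")


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DKIM, DMARC) into a dict."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def audit_spf(records):
    spf = [r for r in records if r.startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; any host can use the domain in MAIL FROM"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers treat this as permerror")
    terms = spf[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append("SPF: ends in +all, which authorizes every host on the internet")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("SPF: no terminal all mechanism; unlisted senders get neutral, not fail")
    lookups = sum(1 for t in terms if LOOKUP_RE.match(t.lstrip("+-~?")))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def audit_dkim(zone, domain, selectors):
    if not selectors:
        return ["DKIM: no selectors known; cannot confirm signing is enabled"]
    findings = []
    for sel in selectors:
        keys = [r for r in zone.get(f"{sel}._domainkey.{domain}", []) if "p=" in r]
        if not keys:
            findings.append(f"DKIM: no key record at selector '{sel}'")
        elif parse_tags(keys[0]).get("p", "") == "":
            findings.append(f"DKIM: selector '{sel}' publishes an empty p= (key revoked)")
    return findings


def audit_dmarc(zone, domain):
    recs = [r for r in zone.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not recs:
        return ["DMARC: no record; From spoofing is neither blocked nor reported"]
    tags = parse_tags(recs[0])
    findings = []
    if "p" not in tags:
        findings.append("DMARC: missing required p= tag; record is invalid")
    elif tags["p"] == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you receive no aggregate reports")
    return findings


def audit_zone(zone, domain, dkim_selectors=()):
    """Return all findings for the domain; an empty list means all three checks pass."""
    return (audit_spf(zone.get(domain, []))
            + audit_dkim(zone, domain, list(dkim_selectors))
            + audit_dmarc(zone, domain))


# Constructed zones (assumption: placeholders, not real DNS data).
VULNERABLE_ZONE = {"your-domain.com": ["site-verification=abc123"]}   # TXT present, no SPF
SECURE_ZONE = {
    "your-domain.com": ["v=spf1 include:sendgrid.net include:_spf.google.com -all"],
    "s1._domainkey.your-domain.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    "_dmarc.your-domain.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@your-domain.com"],
}
WEAK_ZONE = {   # every record exists, but each one is misconfigured
    "your-domain.com": ["v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " +all"],
    "_dmarc.your-domain.com": ["v=DMARC1; p=none; pct=50"],
}

if __name__ == "__main__":
    for name, zone in (("vulnerable", VULNERABLE_ZONE), ("weak", WEAK_ZONE), ("secure", SECURE_ZONE)):
        print(f"== {name} ==")
        for f in audit_zone(zone, "your-domain.com", ["s1"]) or ["OK: SPF, DKIM and DMARC all pass"]:
            print("  " + f)
```

The weak zone is the case the tools in the list above catch and a glance at the dashboard misses: all three records exist, but +all authorizes everyone, eleven include: terms make the SPF record permerror at every receiver, and p=none with pct=50 and no rua means the DMARC record neither enforces nor reports.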

Affected Technologies

dns

Data Hogo detects this vulnerability automatically.