Closed gnunez88 closed 2 months ago
Hi there! Thank you very much for bringing this up!
First Issue:
You're right, but for a different reason than you might think.
While the SPF record might not have an "ALL" mechanism directly, the redirect points to where the actual SPF record is located. And in that real location, there is indeed an "ALL" mechanism.
This also means that Spoofy is right but for the wrong reason. Spoofy should follow the redirect and parse the actual SPF location. Doing this would enable Spoofy to properly handle redirects.
Regarding the neutral "ALL" mechanisms, I don't have enough test data to confirm the findings.
Second Issue:
You might be right here.
I tested this on a domain without an SPF record (kt.com), which has a DMARC policy of "none." I was able to spoof to ProtonMail but not Outlook. To spoof to Outlook, I had to use a subdomain of the test domain (xroshot.plus.kt.com), which does have an SPF record with a softfail "ALL" mechanism.
To fix this, I would update the result for this situation in the master table and modify Spoofy’s logic to be "mailbox dependent" for domains without an SPF record and a DMARC policy of "none."
All in all, great finds!!!
Since I do not have the knowledge, time or resources to test it I cannot confirm it, but I have found some situations where I think spoofy should either test harder or return a different result.
I have been using spoofy for some time (thank you), and since I have very little knowledge, I trusted kind of blindly, but I have come across (at least) two common situations where I think spoofy is not giving the correct answer.
The SPF record was created for a domain to say what IPs are allowed to send emails on behalf of it. So, if there is no SPF record, I understand the domain should be spoofable. The DMARC has been introduced to patch some SPF holes, and it needs either SPF and/or DKIM to specify how a receiving email is classified.
I have come across some SPF records without the "all" directive, which, according to the standard, is treated as "?all", which is neutral (pass). To my surprise the domain was not spoofable according to spoofy, even though there was no DMARC. I started to pay more attention to this detail and there has always been a "redirect", example:
Reviewing some auditories I have performed, I came across another example which also makes no sense:
v=DMARC1; p=none; rua=mailto:user@example.com
I have also checked them with caniphish, which stated that both were spoofable with a high risk pointing out the lack of one protocol, either SPF or DMARC.
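The redirect handling the maintainer describes above, and the missing-"all" case the issue raises, as an added example (not Spoofy's own code): it resolves an SPF record through "redirect=" modifiers to the record that actually carries the "all" mechanism, treats a record with no "all" as neutral per RFC 7208, and guards against redirect loops. DNS is replaced by a constructed in-memory zone; all domain names in it are made up.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for DNS TXT lookups (domain -> SPF record). Not real domains.
SAMPLE_ZONE: Dict[str, str] = {
    "example.test": "v=spf1 redirect=_spf.example.test",       # no "all" here...
    "_spf.example.test": "v=spf1 ip4:192.0.2.0/24 -all",         # ...but the target has one
    "noall.test": "v=spf1 ip4:198.51.100.10",                   # no "all", no redirect
    "loop-a.test": "v=spf1 redirect=loop-b.test",               # redirect loop
    "loop-b.test": "v=spf1 redirect=loop-a.test",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ALL_RE = re.compile(r"([+\-~?]?)all", re.IGNORECASE)


def lookup_spf(domain: str, zone: Dict[str, str]) -> Optional[str]:
    """Hypothetical resolver hook: return the SPF TXT record for domain, or None."""
    return zone.get(domain.lower())


def effective_all(domain: str, zone: Dict[str, str], max_hops: int = 10) -> Tuple[str, str]:
    """Follow redirect= until a record with an "all" mechanism is found.

    Returns (domain_of_final_record, result), where result is what an
    unauthorised sender would get from the "all" fallback: pass/fail/softfail/
    neutral, "none" if no SPF record exists, or "permerror" on a loop/too many hops.
    RFC 7208: "all" always matches, so a redirect after it is never used, and a
    record with neither "all" nor redirect yields neutral by default.
    """
    seen = set()
    current = domain.lower()
    for _ in range(max_hops):
        if current in seen:
            return current, "permerror"        # redirect loop detected
        seen.add(current)
        record = lookup_spf(current, zone)
        if record is None:
            return current, "none"
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            return current, "none"
        redirect = None
        for term in terms[1:]:
            m = ALL_RE.fullmatch(term)
            if m:                              # first "all" wins; redirect is moot
                return current, QUALIFIERS[m.group(1) or "+"]
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
        if redirect is None:
            return current, "neutral"          # RFC 7208 default when nothing matches
        current = redirect.lower()
    return current, "permerror"                # exceeded hop limit
```

A "neutral" or "none" result with no DMARC policy (or p=none) gives a receiver no SPF-based reason to reject, which is the condition the issue describes as spoofable.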