Closed: tamimhasan404 closed this issue 2 years ago
Hi @tamimhasan404
Thanks for the feedback. Actually, I indicated this situation in the limitations section. Verification of the subdomain will succeed for MX records, but DKIM/DMARC will be unverified. As you said, mail sending will fail but mail receiving will succeed. The attack vector here is that an attacker can receive mails sent to the associated domain.
To add a custom domain they want a credit card. Because of my credit card issue, I can't confirm now whether an attacker can receive mails or not without verification. But I think not. If anyone can't send mail without proper verification, how can he receive mail? As his requested sub-domain is pending for the mailgun verification, how can he see other messages?
Adding a new domain to Mailgun requires 5 DNS records. The MX records are two of these. If a domain's MX records point to Mailgun and it was removed from Mailgun, an attacker can reclaim it again. Verification is done separately for each record. In order to receive mail, it is sufficient to verify only the MX records.
When new subdomains are added to Mailgun, verification of the subdomain is required by accessing the DNS management console of the parent domain to add the required DNS records for the new subdomain. In addition, unverified subdomains are no longer allowed to send emails on Mailgun and have to be verified before they can be used to send emails.
2021-08-24: ExpressVPN confirmed that it is no longer possible to send emails using unverified subdomains. We also confirmed that unverified subdomains are no longer able to inherit “mailgun.org” SPF/DMARC and MX records to send emails.
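A defender-side check for the record state the maintainer describes (MX verified, SPF/DKIM/DMARC absent), written as an added example for this thread; it is not code from the original project or from any commenter, and the record layout and the Mailgun MX host names are assumptions.

```python
# Added example (not the project's own code): given the DNS records found for a
# subdomain, report whether a Mailgun MX-only setup would let inbound mail be
# received without the SPF/DKIM records a sender needs. Record layout and the
# Mailgun host names are assumptions for the demo.
from dataclasses import dataclass, field

MAILGUN_MX_SUFFIX = ".mailgun.org"  # assumed suffix of Mailgun inbound MX hosts


@dataclass
class Findings:
    receive_capable: bool          # MX routes inbound mail to Mailgun
    send_capable: bool             # SPF + DKIM present, so outbound could verify
    risk: str                      # "none" | "partial-verification" | "reviewed"
    notes: list = field(default_factory=list)


def assess(records: dict) -> Findings:
    """records maps record type to the values seen, e.g. {"MX": [...], "TXT": [...]}."""
    mx = [h.lower().rstrip(".") for h in records.get("MX", [])]
    mailgun_mx = [h for h in mx if h.endswith(MAILGUN_MX_SUFFIX)]
    spf = any(t.startswith("v=spf1") and "mailgun.org" in t for t in records.get("TXT", []))
    dkim = any(t.startswith("v=DKIM1") for t in records.get("DKIM_TXT", []))
    dmarc = any(t.startswith("v=DMARC1") for t in records.get("DMARC_TXT", []))

    f = Findings(receive_capable=bool(mailgun_mx), send_capable=spf and dkim, risk="none")
    if not mailgun_mx:
        return f  # nothing routes inbound mail to Mailgun; out of scope here
    if not (spf and dkim):
        # The state described in the thread: MX verification alone is enough for
        # Mailgun to accept inbound mail, while sending stays blocked.
        f.risk = "partial-verification"
        f.notes.append("MX points to Mailgun but SPF/DKIM missing: inbound mail for this "
                       "name is deliverable to whichever Mailgun account holds it")
    else:
        f.risk = "reviewed"
        f.notes.append("full record set present; confirm the domain is still attached "
                       "to your Mailgun account, otherwise the MX is dangling")
    if not dmarc:
        f.notes.append("no DMARC policy published for this name")
    return f


# Constructed sample record sets (not real DNS data)
MX_ONLY = {"MX": ["mxa.mailgun.org.", "mxb.mailgun.org."]}
FULL = {"MX": ["mxa.mailgun.org.", "mxb.mailgun.org."],
        "TXT": ["v=spf1 include:mailgun.org ~all"],
        "DKIM_TXT": ["v=DKIM1; k=rsa; p=PLACEHOLDER"],
        "DMARC_TXT": ["v=DMARC1; p=reject"]}
OTHER = {"MX": ["mail.example.net."]}

if __name__ == "__main__":
    for name, rec in (("mx-only", MX_ONLY), ("full", FULL), ("other", OTHER)):
        print(name, assess(rec))
```

Feed it the records returned by your resolver for each subdomain in scope; a "partial-verification" result is the MX-only state worth cleaning up or re-verifying.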