Vulnerability found : DMARC record vulnerable

[Arslan Kabeer]

Hello Team, 

I am a security researcher and I founded this vulnerability.

I just sent a forged email to my email address that appears to originate from  sn...@snapframework.com

I was able to do this because of the following DMARC record:

DMARC record lookup and validation for: snapframework.com

" No DMARC Record found "

How To Reproduce(POC-ATTACHED IMAGE):-

1.Go To- mxtoolbox.com/DMARC.aspx

2.Enter the Website.CLICK GO.

3.You Will See the fault(DMARC Quarantine/Reject policy not enabled)

Fix:

1)Publish DMARC Record.

2)Enable DMARC Quarantine/Reject policy

3)Your DMARC record should look like

"v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:in...@domain.com"

For more information you can use this blog 

(https://sendgrid.com/blog/what-is-dmarc/).

<?php

$to = "VIC...@example.com";

$subject = "Password Change";

$txt = "Change your password by visiting here - [VIRUS LINK HERE]l";

$headers = "From:sn...@snapframework.com

";

mail($to,$subject,$txt,$headers);

?>

Reference : https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-dmarc_records

Let me know if you need me to send another forged email, or if have any other questions.

Hoping for the bounty for my ethical Disclosure.

Best Regards

Security Researcher

[Arslan Kabeer]

Hi there,

            Its been a while since I have reported a bug ethically to you, but no response has arrived, kindly update me, about the bug report and about the bounty for finding this bug and reporting it ethically to you.

            Waiting for your response

            Always Best Regards