
I used an SPF record finder online, and the result of this test was that they already have an SPF record, but I can still send an email as their domain exactly!

So, do SPF records prevent email spoofing attacks? If they do, why can I still send an email as their domain? If they don't, how can we really prevent email spoofing attacks?

Maybe I have some misunderstanding about the difference between an SPF misconfiguration and a missing SPF record? Do they mean the same thing? Is the situation written above a misconfiguration or a missing SPF record?

schroeder
  • While sufficient details of what you actually did are missing, you are wrongly assuming that simply having an SPF record fully prevents sender spoofing. Maybe a duplicate of [Spam email "via" my domain, but SPF record exists](https://security.stackexchange.com/questions/206601/spam-email-via-my-domain-but-spf-record-exists) – Steffen Ullrich Jul 07 '20 at 04:34
  • It's good you start by gathering understanding instead of blindly reporting things as *bugs* or *security problems*. Cyber Security is a trendy industry and all kinds of self-appointed *cyber security researchers*, *white-hat hackers* & *bug bounty hunters* are emerging all the time. They keep sending their "findings" that most of the time are a) revealed using automated tools without fully understanding their output and b) about known details within accepted risk. – Esa Jokinen Jul 07 '20 at 06:10
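
The difference the question asks about, between a missing SPF record and a misconfigured one, shows up in what an SPF check returns for a server the domain never listed. The sketch below is an added example, not part of the original post or its comments; the function name and the sample records are constructed, and it reads TXT strings passed in rather than querying DNS.

```python
import re

# Qualifier -> result when a mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def unlisted_sender_result(txt_records):
    """SPF result for a host that matches none of the listed senders.

    Only the record-selection rules and the `all` / `redirect` terms are
    evaluated; ip4/include/a/mx terms are not resolved here.
    """
    spf = [r for r in txt_records if re.match(r"v=spf1( |$)", r, re.I)]
    if not spf:
        return "none"        # missing record: nothing to check against
    if len(spf) > 1:
        return "permerror"   # misconfiguration: more than one SPF record
    terms = spf[0].split()[1:]
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            return QUALIFIERS[m.group(1) or "+"]  # bare `all` means +all
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"    # policy is taken from another domain
    return "neutral"         # no `all` term: the default result is neutral


# Constructed sample TXT record sets; the example.* names are placeholders.
SAMPLES = {
    "no-spf.example": ["some-site-verification=constructed"],
    "two.example": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.0/24 -all"],
    "open.example": ["v=spf1 +all"],
    "soft.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "noall.example": ["v=spf1 ip4:192.0.2.0/24"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        # Only "fail" asks receivers to reject; how they treat "softfail",
        # "neutral" or "none" is each receiver's local policy.
        print(f"{domain:16} {unlisted_sender_result(records)}")
```
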
