I have received the email below from a “security researcher”
I have changed the domain name in the email
I am not a techie - is it legitimate and what should I do?
I am a security researcher and I found this vulnerability.
I just sent a forged email to my email address that appears to originate from [email protected]. I was able to do this because of the following DMARC record:
DMARC record lookup and validation for: mydomain.com
" No DMARC Record found "
How to reproduce (POC: attached image):
1. Go to mxtoolbox.com/DMARC.aspx
2. Enter the website. Click GO.
3. You will see the fault (DMARC Quarantine/Reject policy not enabled).
1) Publish a DMARC record.
2) Enable the DMARC Quarantine/Reject policy.
3) Your DMARC record should look like:
“v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:[email protected]”
Let me know if you need me to send another forged email, or if you have any other questions.
Hoping for the bounty for my ethical Disclosure.
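To make the quoted record concrete, here is an added example (not part of the original post) that parses a DMARC TXT record and reports what a receiver would enforce; it generalises past the single record in the email by also flagging p=none, sp=none, partial pct and a missing rua tag. The sample records and the rua address are constructed, and no DNS lookup is performed.

```python
"""Parse a DMARC TXT record and summarise its enforcement posture.

Added example, not code from the original post. Inputs are constructed:
the record proposed in the quoted email (with a placeholder rua address)
and None, standing in for the "No DMARC Record found" lookup result.
"""
from typing import Dict, List, Optional


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; ...' into a tag -> value mapping.

    Returns {} when the record is missing or is not a DMARC1 record,
    which is how a receiver treats it: no policy at all.
    """
    if not record:
        return {}
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate stray separators and malformed fragments
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return defender-facing findings; an empty list means fully enforced."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings: List[str] = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the organisational policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected")
    return findings


# Constructed sample: the record from the email with a placeholder address.
PROPOSED = "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(assess_dmarc(None))      # the "No DMARC Record found" case
    print(assess_dmarc(PROPOSED))  # flags sp=none on the proposed record
```

Note that the record the email proposes would be reported with one finding: sp=none leaves subdomains unprotected, so a practitioner would normally drop that tag or set it to reject as well.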