mailspoof

Scans SPF and DMARC records for issues that could allow email spoofing.

Description

Email spoofing is alive and well. Many organisations' SPF and DMARC records do not provide the necessary guidance for recipients to validate the authenticity of emails bearing their domain names.

mailspoof can be used by organisations, pentesters and red-teamers to quickly sift through a large list of domains for lax SPF and DMARC policies.

In some cases mailspoof could highlight spoofable external domains that employees are likely to trust, such as suppliers gathered from OSINT or other known organisations.

Email spoofing is most likely to succeed against recipients that run their own mail filtering. Large providers such as Gmail have the mail volume and the heuristics to handle spam efficiently: Gmail will likely route a spoofed email from a well-known domain straight to the spam folder even when, because of lax policies, the email does not fail SPF or DMARC validation.

Installation

$ pip3 install mailspoof

Examples

CLI

mailspoof outputs JSON, making it easy to query with a tool like jq.

$ printf "google.com\napple.com\nmicrosoft.com" > /tmp/list
$ mailspoof -d github.com -d reddit.com -iL /tmp/list
[
  {
    "domain": "google.com",
    "issues": [
      {
        "code": 4,
        "title": "'SoftFail' qualifer for 'all' mechanism",
        "detail": "The 'all' mechanism uses the 'SoftFail' qualifer '~'. It should be possible to spoof the domain by only causing a soft SPF failure. Most filters will let this through by only raising the total spam score."
      }
    ]
  },
  ...
]

Python

You can use mailspoof in your own Python scripts:

$ python
>>> import mailspoof
>>> mailspoof.scan('google.com')
[{'code': 4, 'title': "'SoftFail' qualifer for 'all' mechanism", 'detail': "The 'all' mechanism uses the 'SoftFail' qualifer '~'. It should be possible to spoof the domain by only causing a soft SPF failure. Most filters will let this through by only raising the total spam score."}]
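The JSON shape shown in the CLI and Python sections above is easy to post-process. The following is an added example, not part of mailspoof, that takes mailspoof's results, either piped from the CLI or returned by mailspoof.scan, and ranks the scanned domains by how directly they can be spoofed. The severity weights, verdict labels and the embedded sample results are this example's own assumptions; only the issue codes come from the table below.

```python
"""Triage mailspoof results: rank domains by how directly they can be spoofed.

Added example, not part of mailspoof. It consumes the structure mailspoof
prints, a list of {"domain": ..., "issues": [{"code": ...}, ...]}, so it
works both on mailspoof.scan() return values and on piped CLI output:

    mailspoof -iL /tmp/list | python3 triage.py
"""
import json
import sys

# Groups of mailspoof issue codes, as documented in the README table.
DNS_ERRORS = {0, 11}           # NXDOMAIN or timeout: no verdict possible
NO_DMARC_ENFORCEMENT = {7, 8}  # no DMARC record, or p=none
SPF_PASSABLE = {3, 6}          # +all, or an include an attacker can register
SUBDOMAIN_LAX = {9}
PARTIAL_ENFORCEMENT = {10}
SPF_WEAK = {1, 2, 4, 5, 12}    # SPF yields none/neutral/softfail/permerror, not pass

# Severity weights are this example's own assumption, not mailspoof's.
WEIGHTS = {0: 0, 1: 2, 2: 2, 3: 4, 4: 1, 5: 2, 6: 4, 7: 5, 8: 5, 9: 2, 10: 2, 11: 0, 12: 2}


def verdict(codes):
    """Summarise one domain's issue codes as a spoofability verdict."""
    codes = set(codes)
    if codes & DNS_ERRORS:
        return "rescan"
    if codes & NO_DMARC_ENFORCEMENT:
        # Without an enforcing DMARC policy nothing ties the From: header to
        # SPF/DKIM, so a spoof needs no SPF weakness at all.
        return "spoofable"
    if codes & SPF_PASSABLE:
        # An attacker-controlled SPF pass also satisfies DMARC alignment.
        return "spoofable"
    if codes & SUBDOMAIN_LAX:
        return "subdomains spoofable"
    if codes & PARTIAL_ENFORCEMENT:
        return "partially enforced"
    if codes & SPF_WEAK:
        # Softfail/neutral/permerror are all "not pass" as far as DMARC is concerned.
        return "enforced (SPF weak)"
    return "ok"


def triage(results):
    """Return one row per scanned domain, most spoofable first."""
    rows = []
    for result in results:
        codes = sorted(issue["code"] for issue in result["issues"])
        rows.append({
            "domain": result["domain"],
            "score": sum(WEIGHTS.get(c, 1) for c in codes),
            "verdict": verdict(codes),
            "codes": codes,
        })
    return sorted(rows, key=lambda r: (-r["score"], r["domain"]))


# Constructed sample in mailspoof's output shape (detail strings omitted).
SAMPLE = [
    {"domain": "example.com", "issues": [{"code": 4, "title": "'SoftFail' qualifier for 'all' mechanism"},
                                         {"code": 7, "title": "No DMARC"}]},
    {"domain": "example.net", "issues": [{"code": 4, "title": "'SoftFail' qualifier for 'all' mechanism"}]},
    {"domain": "example.org", "issues": [{"code": 6, "title": "Unregistered domains in SPF validation chain"},
                                         {"code": 10, "title": "Partial DMARC coverage"}]},
    {"domain": "nxdomain.example", "issues": [{"code": 0, "title": "Non-existent domain"}]},
    {"domain": "mail.example", "issues": []},
]


if __name__ == "__main__":
    # Use the constructed sample when nothing is piped in.
    results = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for row in triage(results):
        print(f"{row['domain']:<24} {row['score']:>3}  {row['verdict']:<22} {row['codes']}")
```

The verdict order matters more than the weights: a missing or "p=none" DMARC policy makes a domain spoofable regardless of its SPF record, and an SPF record an attacker can make pass (code 3 or 6) defeats even an enforcing DMARC policy, whereas a softfail or neutral result under "p=reject" still fails DMARC.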

Checking Unregistered Domains

mailspoof can check the registration status of every domain in an SPF record, including those pulled in through include mechanisms (see issue code 6 below). If any of them is unregistered, an attacker can register it, publish an SPF record of their choosing and thereby inject mechanisms into the victim's validation chain.

Registration status is only checked when the environment variable WHOAPI_KEY holds a valid key for whoapi.com. At the time of writing the service offers 500 API calls with a free account.

Issues

The following SPF and DMARC issues are currently checked:

| Code | Title | Detail |
|------|-------|--------|
| 0 | Non-existent domain | The DNS resolver raised an NXDOMAIN error for "{domain}". |
| 1 | No SPF | There is no SPF DNS record for the domain. |
| 2 | No "all" mechanism | There is no "all" mechanism in the record. It may be possible to spoof the domain without causing an SPF failure. |
| 3 | "Pass" qualifier for "all" mechanism | The "all" mechanism uses the "Pass" qualifier "+". It should be possible to spoof the domain without causing an SPF failure. |
| 4 | "SoftFail" qualifier for "all" mechanism | The "all" mechanism uses the "SoftFail" qualifier "~". It should be possible to spoof the domain while only causing a soft SPF failure. Most filters will let this through and only raise the total spam score. |
| 5 | Too many lookups for SPF validation | The SPF record requires more than 10 DNS lookups during validation. RFC 7208 allows at most 10. Recipients may return a PermError instead of completing SPF validation; they treat that error differently from a hard or soft SPF fail, and some will continue processing the mail. |
| 6 | Unregistered domains in SPF validation chain | One or more domains used in the SPF validation process are presently unregistered. An attacker could register them and publish their own SPF record, which would then be included in the validation logic. The affected domains are: {domains} |
| 7 | No DMARC | There is no DMARC DNS record associated with the domain. |
| 8 | Lax DMARC policy | The DMARC policy is set to "{policy}". If the DMARC policy is neither "reject" nor "quarantine", spoofed emails are likely to be accepted. |
| 9 | Lax DMARC subdomain policy | The DMARC policy for subdomains is set to "{policy}". If it is neither "reject" nor "quarantine", spoofed emails from subdomains are likely to be accepted. |
| 10 | Partial DMARC coverage | The DMARC "pct" value is "{pct}", meaning the DMARC policy is applied to only {pct}% of the mail that fails the check. |
| 11 | DNS Timeout during Scan | There was a DNS timeout when querying "{domain}". |
| 12 | Trivial SPF recurse | Infinite recursion: the domain {recursive_domain} appears in its own validation chain for {domain}. |
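To make the checks in the table concrete, here is an added example, not mailspoof's own code, that reproduces codes 1 to 5, 7 to 10 and 12 against SPF and DMARC records held in two dicts instead of DNS. The domain names and records are constructed for the example; codes 0, 6 and 11 need a live resolver or the whoapi lookup and are not modelled. The lookup counting follows RFC 7208 section 4.6.4 (include, redirect, a, mx, ptr and exists each cost one lookup), and an explicit lax "sp" tag is reported separately from "p" so that codes 8 and 9 are not duplicated when "sp" merely inherits "p".

```python
"""Offline reproduction of mailspoof's SPF/DMARC checks (added example, not
mailspoof's code). TXT records come from the two dicts below instead of DNS,
so codes 0, 6 and 11 (NXDOMAIN, registration status, timeouts) are not modelled.
"""
import re

# Constructed records; every name here is this example's own assumption.
SPF_TXT = {
    "lax.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.lax.example ~all",
    "_spf.lax.example": "v=spf1 a mx -all",
    "open.example": "v=spf1 mx +all",
    "noall.example": "v=spf1 ip4:198.51.100.7",
    "loop.example": "v=spf1 include:mail.loop.example -all",
    "mail.loop.example": "v=spf1 include:loop.example -all",
    "deep.example": "v=spf1 " + " ".join(f"include:s{i}.deep.example" for i in range(11)) + " -all",
    "tight.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
DMARC_TXT = {
    "_dmarc.lax.example": "v=DMARC1; p=none; rua=mailto:dmarc@lax.example",
    "_dmarc.open.example": "v=DMARC1; p=reject; sp=none",
    "_dmarc.loop.example": "v=DMARC1; p=quarantine; pct=20",
    "_dmarc.tight.example": "v=DMARC1; p=reject",
}

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "redirect", "a", "mx", "ptr", "exists"}
ENFORCING = {"reject", "quarantine"}


def walk_spf(domain, path=()):
    """Count DNS lookups in domain's SPF chain and detect include loops.

    Returns (lookup_count, looping_domain_or_None). Each include/redirect is
    followed; a target already on the current path is reported as a loop.
    """
    count, loop = 0, None
    for term in SPF_TXT.get(domain, "").split()[1:]:   # [1:] drops "v=spf1"
        term = term.lstrip("+-~?")                      # drop the qualifier
        if term.startswith("redirect="):
            name, arg = "redirect", term[len("redirect="):]
        else:
            name, _, arg = term.partition(":")
            name = name.split("/")[0]                   # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue                                    # ip4/ip6/all: no lookup
        count += 1
        if name in ("include", "redirect"):
            if arg in path + (domain,):
                loop = loop or arg
                continue
            sub_count, sub_loop = walk_spf(arg, path + (domain,))
            count += sub_count
            loop = loop or sub_loop
    return count, loop


def check_spf(domain):
    """Return mailspoof-style issue codes for the domain's SPF record."""
    record = SPF_TXT.get(domain)
    if record is None:
        return [1]
    issues = []
    alls = [t for t in record.split()[1:] if re.fullmatch(r"[+\-~?]?all", t)]
    if not alls:
        issues.append(2)
    else:
        qualifier = alls[0][:-3] or "+"                 # bare "all" means "+all"
        if qualifier == "+":
            issues.append(3)
        elif qualifier == "~":
            issues.append(4)
    lookups, loop = walk_spf(domain)
    if lookups > 10:
        issues.append(5)
    if loop:
        issues.append(12)
    return issues


def check_dmarc(domain):
    """Return mailspoof-style issue codes for the domain's DMARC record."""
    record = DMARC_TXT.get("_dmarc." + domain)
    if record is None:
        return [7]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    issues = []
    if tags.get("p", "none") not in ENFORCING:
        issues.append(8)
    # sp inherits p when absent (RFC 7489); only an explicit lax sp is reported
    # here so that code 8 is not duplicated.
    if "sp" in tags and tags["sp"] not in ENFORCING:
        issues.append(9)
    if int(tags.get("pct", "100")) < 100:
        issues.append(10)
    return issues


def scan(domain):
    """Sorted issue codes for one domain, mirroring mailspoof.scan's codes."""
    return sorted(check_spf(domain) + check_dmarc(domain))


if __name__ == "__main__":
    for name in sorted(SPF_TXT) + ["missing.example"]:
        if not name.startswith("_"):
            print(f"{name:<20} {scan(name)}")
```

Running it prints, for instance, [4, 8] for lax.example (softfail plus p=none), [10, 12] for loop.example (the two-domain include cycle plus pct=20) and [5, 7] for deep.example (eleven includes and no DMARC record); tight.example reports nothing.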