Vulnerable.Live Blog

Missing or Invalid DMARC Records Found? Learn Everything About It


Hey All 👋

Many bug bounty hunters start their journey with low-hanging bugs such as Missing DMARC records, SPF records, etc., so I decided to do a quick beginner-friendly guide for bug bounty hunters. So what exactly are the DMARC records, and why do organizations need DMARC records? I will try to cover everything in this blog post.

What are DMARC Records?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a method of authenticating email messages and indicating to email receivers what to do with messages that fail authentication checks. DMARC also allows mail receivers to aggregate reporting data on messages that fail authentication checks.

DMARC builds on previous email authentication technologies like Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). DMARC was developed by a technical committee of the Internet Engineering Task Force (IETF). DMARC is designed to work with both email marketing messages and messages sent by legitimate email providers.

Understandind DMARC Records

How to check DMARC Records?

Now that we have understood what exactly are DMARC records let's get into the practical part. Checking DMARC records is as easy as ABC.

  1. Visit Vulnerable.Live
  2. Enter Domain Name and Click Enter

That's all you need to do to check DMARC records.

Now let's see how to understand these records to create a good POC.

Missing or Invalid Records, What Next?

After checking DMARC records, if you find that the DMARC records are missing, you can use an email spoofer such as emkei.cz to send a spoofed email. You can use the Download Report option to download an ultimate report for missing DMARC records.

There can be a chance that the company has implemented DMARC records, but those can be invalid.

Check this sample DMARC record.

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Here the value of p is essential. It can either be none, quarantine or reject.

p=none has no effect.

So, If while checking DMARC records, you found that value of p=none. You can head over to email spoofer and send a spoofed email to create a POC. You can download a report for Invalid DMARC records.

Value of p in DMARC Records

If you find this post helpful, share it with your friends 😉

Keep Hunting!!