This is my first blog, so please excuse any mistakes I make.


After spending 2 to 3 months looking for bugs I couldn't find anything, so I went to HackerOne's Hacktivity page, where you can read disclosed reports of vulnerabilities found by other researchers.

As I was reading the reports I found a class of vulnerability I didn't know about.

The vulnerability was that mail from the target's domain could be spoofed: an attacker can send emails that appear to come from an address at that domain, which enables fake notifications and phishing that look like they came from the company itself.

To see whether you can send email as a target domain, first check whether it publishes an SPF (Sender Policy Framework) record. SPF is a DNS TXT record (it starts with v=spf1) that lists the hosts authorized to send mail for that domain. A receiving server looks it up for the envelope sender's domain (MAIL FROM / Return-Path) and, depending on the record's final "all" qualifier, rejects (-all), soft-fails (~all) or stays neutral (?all) on mail from any other host. Note that SPF only covers the envelope sender, not the From header the user actually sees; protecting the visible address requires DMARC on top of SPF and/or DKIM.

To check this, visit . There are many websites that do this, but I find this one very simple: just type the domain name and click Get SPF Record (if any).

For example: if you receive an email like , then type


If the result is No valid SPF record, you can probably send email using that domain. To send a test email, visit . Plenty of websites can send email with an arbitrary sender address; I just find this one easy to use, and the emails arrive fairly quickly. Fill in the details, hit send, and if the message lands in your inbox showing the target domain as the sender, the domain is vulnerable. Two caveats are worth checking before you report: look up the domain's DMARC record as well (the TXT record at _dmarc.<domain>), because a domain with p=reject can still have spoofed mail rejected even without SPF, and remember that a ~all or ?all record does not cause rejection either, so a domain that "has SPF" is not automatically safe.
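Online checkers and the "No valid SPF record" message hide what is actually being decided from the TXT record. The script below is an added example (not part of the original post or of any tool it mentions) that does the same classification offline: it takes the TXT records of a domain, picks out the SPF record, reads the qualifier on the trailing "all" mechanism and reports whether SPF alone would stop a spoofed message. The domains and TXT strings in SAMPLE_TXT are constructed placeholders; in practice you would feed it the output of a real TXT lookup (for example `dig +short TXT example.com`). It deliberately ignores include: and redirect= resolution, which needs network access.

```python
"""Classify a domain's SPF posture from its TXT records, offline."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample TXT records keyed by hypothetical domain names.
# None of these are real domains or real findings.
SAMPLE_TXT = {
    "hardfail.example":   ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "softfail.example":   ["v=spf1 include:_spf.mailer.example ~all"],
    "neutral.example":    ["v=spf1 ip4:192.0.2.10 ?all"],
    "permissive.example": ["v=spf1 +all"],
    "norecord.example":   ["google-site-verification=abc123"],
    # RFC 7208 forbids more than one SPF record; receivers treat this as a
    # permanent error, so checkers report it as "no valid SPF record".
    "duplicate.example":  ["v=spf1 -all", "v=spf1 ~all"],
}

SPF_VERSION_RE = re.compile(r"^v=spf1(\s|$)", re.IGNORECASE)
ALL_TERM_RE = re.compile(r"([+\-~?]?)all", re.IGNORECASE)


@dataclass
class SpfVerdict:
    record: Optional[str]          # the v=spf1 string, or None if missing/duplicated
    all_qualifier: Optional[str]   # '+', '-', '~', '?' or None when no 'all' term
    spf_blocks_spoof: bool         # True only for -all
    reason: str


def find_spf_record(txt_records: List[str]) -> Optional[str]:
    """Return the single v=spf1 record, or None if it is missing or duplicated."""
    spf = [r.strip() for r in txt_records if SPF_VERSION_RE.match(r.strip())]
    return spf[0] if len(spf) == 1 else None


def all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism; an absent qualifier means '+'."""
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        m = ALL_TERM_RE.fullmatch(term)
        if m:
            return m.group(1) or "+"
    # No 'all' mechanism (and redirect= not evaluated here): per RFC 7208 an
    # unlisted sender then gets a neutral result, the same as ?all.
    return None


def classify(domain: str, txt_records: List[str]) -> SpfVerdict:
    """Decide whether SPF alone would reject mail spoofing this domain."""
    record = find_spf_record(txt_records)
    if record is None:
        return SpfVerdict(None, None, False,
                          f"{domain}: no valid SPF record (missing or duplicated)")
    q = all_qualifier(record)
    if q == "-":
        return SpfVerdict(record, q, True,
                          f"{domain}: hard fail, unlisted senders are rejected")
    if q == "~":
        return SpfVerdict(record, q, False,
                          f"{domain}: soft fail, spoofed mail is only marked unless DMARC enforces")
    if q == "+":
        return SpfVerdict(record, q, False,
                          f"{domain}: +all authorizes every host, SPF is useless here")
    return SpfVerdict(record, q, False,
                      f"{domain}: neutral result for unlisted senders, SPF does not reject")


if __name__ == "__main__":
    for name, records in SAMPLE_TXT.items():
        verdict = classify(name, records)
        print(f"{'SAFE ' if verdict.spf_blocks_spoof else 'CHECK'} {verdict.reason}")
```

Only the hard-fail domain comes back as blocked; everything else is a candidate for the manual send test described above, and the soft-fail and neutral cases are exactly where a DMARC lookup decides whether the finding is real.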

I tried this on the websites I was already hacking on, and 3 of them didn't have an SPF record, so I reported them and after a few days they replied.


The first one turned out to be a duplicate, which led me to think the other two would be duped as well because of how easy it was to find, but they turned out to be valid and I received a bounty for them. 😁

I hope you find this useful; I tried my best to explain it. Please share so that others can learn from it.

Thank You.

Bug-Bounty | Pentester
