Spoofing emails when SPF is present but DMARC is not: a missing DMARC policy lets the sender be forged
Email Spoof Attack Components
Recently, during my research, I came across an organization that was using O365 for email. During the initial recon I skipped over the fact that they didn't have a DMARC record; it only clicked when I was reading over my notes.
Background Info:
Email Provider: O365
SPF: Exists (v=spf1 ip4:192.168.0.0/24 -all)
DMARC: Does not exist
If you don't like nslookup commands, you can check this on MXtoolbox as well.
DMARC of the domain doesn't exist
TIP: If a DMARC record exists, check whether p=none is set. p=none means the record is monitor-only: no reject or quarantine policy is enforced on messages that fail DMARC.
Technical Background
An email consists of two parts: the SMTP envelope (including MAIL FROM) and the message data (including the From header). Below is a pictorial representation.
Breakdown of two parts of an email
SPF: verifies the sending host against the HELO/EHLO and MAIL FROM domain
DKIM: verifies the DKIM-Signature added by the signing domain
DMARC: checks alignment between the 'From' header and the 'MAIL FROM' (SPF) or DKIM signing domain
SPF and DKIM verification fields
In conclusion, if DMARC isn't present, nothing verifies the alignment between the 'MAIL FROM' and 'FROM' fields. Since the receiving user only sees 'FROM', an attacker is free to forge it. Simply put, an attacker can put any email address they like in the 'FROM' field, and the recipient will see the email as coming from that forged address.
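To make the alignment point concrete, here is an added example (not code from the original post) that models the DMARC decision a receiving server makes once it already has an SPF result for the MAIL FROM domain and, optionally, a verified DKIM signing domain. It covers both the "no DMARC record" case from the conclusion above and the p=none tip: with no record there is no alignment check at all, with p=none the misalignment is detected but not enforced, and only p=quarantine/p=reject change the disposition. The domains victim.example and attacker.example, the records and the addresses are constructed samples, and the organizational-domain helper is a deliberate simplification (last two labels) standing in for a Public Suffix List lookup.

```python
"""DMARC identifier-alignment evaluation for a received message.

Added example, not the post's own code. It assumes the receiver has already
computed the SPF result for the envelope MAIL FROM domain and the d= domain
of any DKIM signature that verified. All domains and records are constructed.
"""
from email.utils import parseaddr


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none; aspf=s' into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def domain_of(address):
    """Domain part of an address like 'CEO <ceo@victim.example>'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower().rstrip(".")


def org_domain(domain):
    """Organizational domain. Simplification for this example: the last two
    labels. A real receiver consults the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.split(".")[-2:])


def aligned(header_from_domain, authenticated_domain, mode):
    """DMARC alignment: 's' = strict (exact match), 'r' = relaxed
    (same organizational domain)."""
    if mode == "s":
        return header_from_domain == authenticated_domain
    return org_domain(header_from_domain) == org_domain(authenticated_domain)


def evaluate_dmarc(dmarc_record, header_from, mail_from, spf_pass,
                   dkim_domain=None, dkim_pass=False):
    """Return the disposition a receiver would apply to the message.

    dmarc_record: TXT record found at _dmarc.<From domain>, or None if absent.
    spf_pass:     SPF result for the MAIL FROM (envelope sender) domain.
    dkim_domain:  d= tag of a DKIM signature that verified, if any.
    """
    from_domain = domain_of(header_from)
    if dmarc_record is None:
        # No record: the receiver has no policy and never compares the two
        # identities. An SPF pass on the sender's own MAIL FROM domain is
        # enough for acceptance, whatever the From header claims.
        return {"dmarc": "none", "aligned": None, "disposition": "accept"}

    tags = parse_dmarc_record(dmarc_record)
    spf_aligned = spf_pass and aligned(
        from_domain, domain_of(mail_from), tags.get("aspf", "r"))
    dkim_aligned = (dkim_pass and dkim_domain is not None and aligned(
        from_domain, dkim_domain.lower(), tags.get("adkim", "r")))
    passed = spf_aligned or dkim_aligned
    policy = tags.get("p", "none")
    if passed:
        disposition = "accept"
    elif policy in ("reject", "quarantine"):
        disposition = policy
    else:
        disposition = "accept"  # p=none: monitor only, nothing enforced
    return {"dmarc": "pass" if passed else "fail",
            "aligned": passed, "disposition": disposition}


if __name__ == "__main__":
    # Constructed scenario from the post: SPF passes for the sender's own
    # envelope domain, but the From header names a different organization.
    scenario = dict(header_from="CEO <ceo@victim.example>",
                    mail_from="bounce@attacker.example", spf_pass=True)
    for record in (None, "v=DMARC1; p=none", "v=DMARC1; p=reject; aspf=s"):
        print(record, "->", evaluate_dmarc(record, **scenario))
```

Running the script walks the same message through three states of the victim's _dmarc record: absent (accepted, never checked), p=none (detected as failing, still accepted) and p=reject (rejected). The same function also shows why a legitimate mail from mail.victim.example passes under relaxed alignment but needs an aligned DKIM signature once aspf=s is set, which is the usual cause of breakage when tightening a policy.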
Current Exploitation Methods:
Quick guides I found on exploiting the missing-DMARC issue, also known as "SPF bypass", are as follows:
These projects will help you discover issues in mail delivery systems. You may even get a 0-day in your pocket 🤷‍♂️ if you choose the right target. Shhhhh