Email Spoofing & SPF/DKIM/DMARC Cheat Sheet

Public, copy-ready DNS recon, SPF/DKIM/DMARC interpretation, authorized swaks spoof testing, and header analysis for authorized email security assessments. (28 payloads)

Try it interactively with the Email Header Analyzer

Enumerate DNS Records (SPF/DMARC/MX/DKIM)

(6)

dig +short TXT example.com

Pull all TXT records for the domain; the SPF record is the one starting with "v=spf1".Apex domain — SPF must live at the organizational domain, not a subdomain

dig +short TXT _dmarc.example.com

Fetch the DMARC policy record (always at the _dmarc subdomain). Absence here means no DMARC at all.Look for v=DMARC1; p=...; rua=...

dig +short MX example.com

List mail exchangers to identify the mail provider (Google, Microsoft 365, Proofpoint, etc.) and inform DKIM selector guesses.

dig +short TXT selector1._domainkey.example.com

Query a specific DKIM public-key record. DKIM keys live at <selector>._domainkey.<domain>.selector1/selector2 = Microsoft 365; google = Workspace

for s in google selector1 selector2 default dkim k1 mail s1 s2 smtp; do echo "== $s =="; dig +short TXT ${s}._domainkey.example.com; done

Brute-force common DKIM selectors since selectors aren't discoverable via DNS — only known by reading a real signed email or guessing.DKIM selectors are not enumerable; harvest the real one from a received email's DKIM-Signature s= tag

dig +short TXT example.com @8.8.8.8

Query a specific public resolver to bypass stale local caches or split-horizon DNS and confirm what the world actually sees.

Interpret SPF Mechanisms & Qualifiers

(5)

v=spf1 include:_spf.google.com ~all

Typical SPF: authorizes Google's senders, soft-fails (~all) everything else. ~all only marks non-listed senders as suspicious, not rejected.~all = SoftFail, -all = HardFail (strict), ?all = Neutral (no opinion), +all = pass everything (broken)

v=spf1 +all

Critical misconfig: authorizes the entire internet to send as the domain. Effectively disables SPF.Report as high severity — anyone passes SPF

dig +short TXT example.com | grep -o 'include:[^ "]*'

Extract every include: mechanism to map the full set of authorized third-party senders (CRM, marketing, ticketing platforms).

v=spf1 ... include:a include:b include:c include:d include:e include:f include:g ~all

Count DNS lookups (include/a/mx/ptr/exists/redirect). More than 10 causes a permerror, silently breaking SPF for all receivers.RFC 7208 hard limit = 10 DNS-querying mechanisms; >10 = permerror = SPF fails open

dig +short TXT _netblocks.google.com

Recursively resolve nested SPF includes to enumerate the actual authorized IP ranges behind an include macro.

Interpret DMARC Policy & Alignment

(4)

v=DMARC1; p=none; rua=mailto:[email protected]

Monitoring-only policy. p=none means failures are reported but NOT rejected/quarantined — spoofed mail still lands. Common exploitable gap.p=none = report-only; spoofing largely succeeds at the receiver

v=DMARC1; p=reject; sp=none

Subdomain gap: parent enforces reject but sp=none leaves every subdomain unprotected, so spoofing sub.example.com passes DMARC.sp= overrides policy for subdomains; sp=none is a frequent oversight

v=DMARC1; p=quarantine; pct=10

Partial enforcement: only 10% of failing mail is quarantined; 90% is delivered. pct<100 substantially weakens enforcement.pct applies the policy probabilistically — pct=100 is full enforcement

v=DMARC1; p=reject; adkim=r; aspf=r

Relaxed alignment (default). adkim=s / aspf=s require strict (exact-domain) alignment. Relaxed allows subdomain alignment — note when assessing.Alignment ties the visible From: domain to the SPF/DKIM authenticated domain

Authorized Spoof Testing (swaks)

(5)

swaks --to [email protected] --from [email protected] --server mail.target.com --header "Subject: SPF/DMARC test" --body "Authorized spoof test"

Send a test message with a forged From: to confirm whether the target's inbound mail flow accepts spoofed internal-looking mail.ONLY against domains/recipients in your signed scope — coordinate with the blue team to avoid incident escalation

swaks --to [email protected] --from [email protected] --server <target-mx> --ehlo attacker.test

Test outbound spoofing: send AS the target domain to a mailbox you control, then inspect the resulting headers for SPF/DKIM/DMARC verdicts.Deliver to a mailbox you own so you can read Authentication-Results

swaks --to [email protected] --from "CEO <[email protected]>" --header "From: CEO <[email protected]>" --server <relay>

Test display-name / From-header spoofing — the visible From: is what users see and what DMARC aligns against.Header From (RFC 5322) is what DMARC checks, not the envelope MAIL FROM

swaks --to [email protected] --from [email protected] --header "From: [email protected]" --server <relay>

Demonstrate the SPF/DMARC alignment bypass concept: envelope sender differs from the header From, testing whether DMARC alignment catches it.Tests whether unaligned envelope+header is correctly rejected

swaks --to [email protected] --from [email protected] --server mail.target.com --tls --quit-after RCPT

Recon without sending a payload: stop after RCPT TO to verify the server accepts the spoofed sender/recipient pair, minimizing footprint.--quit-after RCPT probes acceptance without delivering a body

Header Analysis (Received / Authentication-Results)

(4)

grep -i "Authentication-Results" received-email.eml

Read the receiver's verdict line showing spf=, dkim=, and dmarc= results — the authoritative record of pass/fail for the message.e.g. spf=fail dkim=none dmarc=fail action=oreject

grep -iE "^(Received|Received-SPF):" received-email.eml

Trace the full hop-by-hop delivery path (bottom = origin) to identify the true sending IP versus the claimed From: domain.

grep -i "DKIM-Signature" received-email.eml | grep -o 's=[^;]*'

Extract the DKIM selector (s=) from a real signed message — the only reliable way to learn an unknown selector for later DNS lookup.Then: dig TXT <selector>._domainkey.<d= domain>

grep -i "Return-Path\|^From:" received-email.eml

Compare envelope sender (Return-Path / MAIL FROM) against header From: — a mismatch is the core of From-spoofing and DMARC alignment checks.

Common Misconfigs & Quick Audit

(4)

dig +short TXT example.com | grep -ci spf1

Detect multiple SPF records — having two or more v=spf1 TXT records is invalid (permerror) and breaks SPF entirely.RFC 7208: exactly one SPF record per domain

dig +short TXT example.com; echo 'check for: ?all / +all / ~all without -all'

Flag weak SPF enforcement: ~all/?all let unauthorized senders pass soft, and dangling includes to decommissioned vendors enable subdomain takeover spoofing.

dig +short TXT _dmarc.example.com || echo 'NO DMARC — domain fully spoofable'

Missing DMARC entirely means no alignment enforcement; combined with weak SPF, the domain is trivially spoofable.No DMARC record = highest-impact, easiest finding

nslookup -type=txt _dmarc.subdomain.example.com

Check subdomains independently — orgs often harden the apex but leave dev/marketing subdomains with no SPF or DMARC.Subdomains inherit DMARC via sp= only if a parent DMARC exists

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Tools

Email Header Analyzer DNS Record Lookup

Related Cheat Sheets

Post-Exploitation Cheat Sheet Active Directory & Kerberos Cheat Sheet

Frequently asked questions

What is the Email Spoofing & SPF/DKIM/DMARC Cheat Sheet?+

It's a quick-reference collection of 28 Email Spoofing payloads for testing Email Spoofing & SPF/DKIM/DMARC vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Email Spoofing payloads?+

Copy any payload straight into your authorized test, or use the Email Header Analyzer to apply them interactively. Only test systems you have explicit permission to assess.

Are these Email Spoofing payloads free to use?+

Yes — this cheat sheet and all Email Spoofing payloads are completely free, with no account required. Everything runs in your browser.

$loading...