
Many organizations and pen testers treat email spoofing as an afterthought, something to check manually with dig commands or one-off Python scripts. But misconfigurations in SPF and DMARC records remain a relatively easy way to compromise an organization through spear-phishing.
This Nuclei template brings email security checks into your reconnaissance phase, right alongside subdomain enumeration and service discovery.
The template implements spoofability logic from Spoofy, a tool created by Matt Keeley and built on empirical testing against Microsoft 365, Gmail, and ProtonMail. That testing shows that real-world behavior deviates from the RFCs depending on the vendor's implementation.
The template identifies several high-confidence misconfigurations, a subset of what Spoofy identifies.
SPF Issues
- +all policies (accepts mail from anywhere)
- ?all neutral policies (no enforcement)

DMARC Issues
- p=none policies (monitoring only, no enforcement)
- pct= less than 100 (the policy is applied to only a fraction of failing mail)
- *.example.com (wildcard) exploitable

The template documents a caveat - spoofability depends on receiving mail server behavior. A misconfiguration might be exploitable against one provider but not another. Microsoft 365 handles DMARC failures differently than Gmail, which handles them differently than a custom mail server with aggressive filtering.
This template identifies the misconfiguration that makes spoofing possible, and you can triage from there based on your target's mail infrastructure. It's also not comprehensive - you can check out the master table xlsx file in the Spoofy repo for that.
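The matching logic described above, as a stand-alone Python example added here (not the template's own code or Spoofy's): it parses constructed SPF and _dmarc TXT records offline and flags the same misconfiguration classes. The domain names, records and finding ids are constructed placeholders, not real lookups.

```python
# Constructed sample TXT records for three hypothetical domains; nothing is
# resolved over the network, so the example runs offline.
SAMPLE_RECORDS = {
    "example.com": {
        "txt": ["v=spf1 include:_spf.example.net ?all"],
        "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    },
    "subsidiary.example.com": {
        "txt": ["v=spf1 ip4:192.0.2.0/24 +all"],
        "dmarc": [],  # no _dmarc record published at all
    },
    "hardened.example.com": {
        "txt": ["v=spf1 ip4:192.0.2.0/24 -all"],
        "dmarc": ["v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com"],
    },
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txt_records):
    """Flag SPF records whose final 'all' mechanism enforces nothing."""
    spf = next((r for r in txt_records if r.lower().startswith("v=spf1")), None)
    if spf is None:
        return []
    last = spf.split()[-1].lower()
    if last in ("+all", "all"):      # bare 'all' defaults to '+' (RFC 7208)
        return ["spf-plus-all"]      # accepts mail from anywhere
    if last == "?all":
        return ["spf-neutral-all"]   # neutral: no enforcement
    return []

def check_dmarc(dmarc_records):
    """Flag a missing record, p=none, or a pct= below 100."""
    rec = next((r for r in dmarc_records if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return ["no-dmarc"]
    tags, findings = parse_dmarc(rec), []
    if tags.get("p", "none").lower() == "none":   # missing p= enforces nothing either
        findings.append("dmarc-policy-none")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("dmarc-pct-partial")
    return findings

def assess(records):
    """One (domain, finding) pair per match, in the order domains were given."""
    return [(d, f) for d, r in records.items()
            for f in check_spf(r["txt"]) + check_dmarc(r["dmarc"])]

if __name__ == "__main__":
    for domain, finding in assess(SAMPLE_RECORDS):
        print(f"[{finding}] {domain}")
```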
nuclei -t dmarc-fail.yaml -l targets.txt

[low-no-dmarc] [dns,spf,dmarc,email,spoofing] example.com
[low-dmarc-policy-none] [dns,spf,dmarc,email,spoofing] subsidiary.example.com
That's it. The template queries both the domain's TXT records and _dmarc.{FQDN} automatically, applies all the matchers, and extracts the relevant policy details for your report.
For bulk assessments across subsidiaries or acquired companies, this is simpler than running an additional tool. For red teams, use it as useful recon data that feeds into your pretexting and phishing campaigns.
There's no partial credit for a p=none DMARC policy.
The template respects severity - these are marked as low severity findings because exploitability depends on additional factors. But low severity doesn't mean low impact when a finance admin gets a convincing spear-phish from their CFO's email address.
Grab the template, drop it in your Nuclei workflows, and stop context-switching to check email security. These domains aren't hiding their misconfigurations; you just need to look.