Many organizations and pen testers treat email spoofing as an afterthought. Something to check manually with dig commands or one-off Python scripts. But misconfigurations in SPF and DMARC records remain a relatively easy way to compromise an organization through spear-phishing.
This Nuclei template brings email security checks into your reconnaissance phase, right alongside subdomain enumeration and service discovery.
What It Checks
The template implements spoofability logic from Spoofy, a tool created by Matt Keeley and built on empirical testing against Microsoft 365, Gmail, and ProtonMail. The patterns show that real-world behavior diverges from the RFCs depending on the vendor's implementation.
The template identifies several high-confidence misconfigurations, a subset of what Spoofy identifies.
SPF Issues
- Missing SPF records entirely
- +all policies (accepts mail from anywhere)
- ?all neutral policies (no enforcement)
- Excessive includes that likely exceed the 10 DNS lookup limit
DMARC Issues
- Missing DMARC records
- p=none policies (monitoring only, no enforcement)
- Low percentage enforcement (pct= less than 100)
- Weak subdomain policies that leave *.example.com exploitable
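To make the SPF and DMARC checks above concrete, here is a small stand-alone checker written for this post. It is an added example, not the Nuclei template or Spoofy's code: it parses the two record types and flags the same misconfiguration classes the template targets (missing records, +all/?all, excessive lookups, p=none, pct below 100, and a weak explicit sp= subdomain policy). The resolver is stubbed with constructed sample records for hypothetical domains so the script runs offline; the finding names and the `lookup_txt` function are assumptions for illustration, and swapping in a real resolver (for example dnspython's `dns.resolver`) is all that is needed to run it against live domains.

```python
"""Offline SPF/DMARC misconfiguration checker (added example, not the template's code)."""

# Constructed sample TXT records keyed by query name. All domains are hypothetical.
SAMPLE_DNS = {
    "good.example": ["v=spf1 include:mail.good.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@good.example"],
    "neutral.example": ["v=spf1 mx ?all"],
    "_dmarc.neutral.example": ["v=DMARC1; p=reject; sp=none"],
    # eleven includes plus +all: over the lookup limit and open to any sender
    "weak.example": ["v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "nospf.example": [],  # no SPF and no _dmarc entry at all
}


def lookup_txt(name):
    """Stub resolver (assumption): return the TXT strings for a name from SAMPLE_DNS."""
    return SAMPLE_DNS.get(name, [])


def check_spf(domain):
    """Return a list of SPF finding names for the domain (empty list means no issue)."""
    findings = []
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["spf-missing"]
    terms = records[0].split()[1:]
    # The 'all' mechanism decides the default policy; bare 'all' is implicitly '+all'.
    for term in terms:
        if term.lower() in ("+all", "all"):
            findings.append("spf-plus-all")
        elif term.lower() == "?all":
            findings.append("spf-neutral-all")
    # Count mechanisms that cost a DNS lookup (RFC 7208 caps these at 10). This counts
    # only the record's own terms; includes may pull in more lookups recursively, so
    # exceeding 10 here is a sufficient but not necessary sign of a broken record.
    lookups = 0
    for term in terms:
        t = term.lstrip("+-~?").lower()
        if t.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:")) or t in ("a", "mx", "ptr"):
            lookups += 1
    if lookups > 10:
        findings.append("spf-too-many-lookups")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain):
    """Return a list of DMARC finding names for the domain (empty list means no issue)."""
    findings = []
    records = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["dmarc-missing"]
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("dmarc-p-none")
    elif policy not in ("quarantine", "reject"):
        findings.append("dmarc-invalid-policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("dmarc-pct-below-100")
    # sp= defaults to p= when absent; an explicit sp=none under an enforcing p= leaves
    # every subdomain spoofable even though the apex looks protected.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("dmarc-sp-none")
    return findings


def assess(domain):
    """Run both checks and return one report row for the domain."""
    return {"domain": domain, "spf": check_spf(domain), "dmarc": check_dmarc(domain)}


if __name__ == "__main__":
    for name in ("good.example", "neutral.example", "weak.example", "nospf.example"):
        print(assess(name))
```

The finding names are deliberately flat strings so the output can be fed into a report or a ticketing system; severity and triage against the target's receiving-mail provider stay a human decision, for the reason the next section explains.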
Not Every Edge Case
The template documents a caveat: spoofability depends on the receiving mail server's behavior. A misconfiguration might be exploitable against one provider but not another. Microsoft 365 handles DMARC failures differently than Gmail, which handles them differently than a custom mail server with aggressive filtering.
This template identifies the misconfiguration that makes spoofing possible, and you can triage from there based on your target's mail infrastructure. It's also not comprehensive - you can check out the master table xlsx file in the Spoofy repo for that.
Running It
That's it. The template queries both the domain's TXT records and _dmarc.{FQDN} automatically, applies all the matchers, and extracts the relevant policy details for your report.
For bulk assessments across subsidiaries or acquired companies, this is simpler than running an additional tool. For red teams, use it as useful recon data that feeds into your pretexting and phishing campaigns.
In Summary
There's no partial credit for a p=none DMARC policy.
The template respects severity: these are marked as low severity findings because exploitability depends on additional factors. But low severity doesn't mean low impact when a finance admin gets a convincing spear-phish from their CFO's email address.
Grab the template, drop it in your Nuclei workflows, and stop context-switching to check email security. These domains aren't hiding their misconfigurations; you just need to look.