Missing SPF for hackerone.com
No SPF/TXT records existed for the domain hackerone.com. This means that email could be sent from any source while claiming to come from the domain hackerone.com.
How To Perform
- Check a domain's SPF records using tools like
- If no records are found then this domain is vulnerable.
HackerOne's current SPF record is this:
v=spf1 include:_spf.google.com include:amazonses.com include:mail.zendesk.com include:spf.mail.intercom.io include:mktomail.com include:_spf.salesforce.com -all
The suffix of the SPF record tells the email receiver what to do with an email that fails to meet the record's parameters:
- +all = pass = email will be accepted
- ?all = neutral = email will be accepted
- ~all = soft fail = will be accepted, but marked as potential spam
- -all = fail = will be rejected
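
The check described above can be scripted for auditing your own domains. The following is an added example, not part of the original report: `spf_posture` and `is_spf` are hypothetical names, and the function takes TXT strings that have already been fetched, so it runs offline. It goes slightly beyond the four suffixes listed by also handling a missing record, multiple records, a bare `all`, and a record with no `all` at all.

```python
# Added example; names are hypothetical. TXT strings are passed in so it runs offline.
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

# The record quoted on this page.
PAGE_RECORD = ("v=spf1 include:_spf.google.com include:amazonses.com "
               "include:mail.zendesk.com include:spf.mail.intercom.io "
               "include:mktomail.com include:_spf.salesforce.com -all")


def is_spf(record):
    """True if a TXT string is an SPF record (starts with the v=spf1 tag)."""
    low = record.strip().lower()
    return low == "v=spf1" or low.startswith("v=spf1 ")


def spf_posture(txt_records):
    """Classify a domain's TXT records; returns (status, detail)."""
    spf = [r.strip() for r in txt_records if is_spf(r)]
    if not spf:
        return ("missing", "no SPF record published")
    if len(spf) > 1:
        # RFC 7208: more than one SPF record is a permanent error.
        return ("invalid", "multiple SPF records published")
    terms = spf[0].split()[1:]
    for term in terms:
        low = term.lower()
        # A term without an explicit qualifier defaults to "+".
        qualifier, mechanism = (low[0], low[1:]) if low[0] in QUALIFIERS else ("+", low)
        if mechanism == "all":
            return (QUALIFIERS[qualifier], term)
    if any(t.lower().startswith("redirect=") for t in terms):
        return ("redirect", "policy comes from another domain's record")
    # RFC 7208: no match and no redirect behaves like a trailing ?all.
    return ("neutral", "record has no 'all' mechanism")


if __name__ == "__main__":
    samples = {
        "record from this page": [PAGE_RECORD],
        "constructed: no SPF": ["site-verification=constructed-example"],
        "constructed: soft fail": ["v=spf1 include:_spf.example.com ~all"],
        "constructed: bare all": ["v=spf1 all"],
    }
    for label, records in samples.items():
        print(label, "->", spf_posture(records))
```

A status of `missing`, `pass` or `neutral` means unauthorized senders are not rejected on SPF grounds; `fail` corresponds to the `-all` policy in the record above.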