Security Vulnerability - SMTP protection not used
Low
Vulnerability Details
Hi,
I was checking your website and found an SPF record there.
You should apply a strict SMTP policy to stop spoofed emails being sent from your domain.
An attacker would send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees that the mail originated from [email protected], he has no other way than to believe it. Clicking on the link takes him to a website where certain JavaScript is executed which steals his ID and password (session cookie). The results can be more dangerous.
<?php
// Proof of concept as posted in the report: PHP's mail() passes whatever
// From header the caller supplies, so the message claims to be from the
// target domain. With a ~all (softfail) SPF record, receivers may only
// mark such a message rather than reject it.
$to = "[email protected]";
$subject = "Password Change";
$txt = "Change your password by visiting here -
[VIRUS LINK HERE]";
// Spoofed sender address.
$headers = "From: [email protected]";
mail($to, $subject, $txt, $headers);
?>
Fix :
Your SPF record is:
Found v=spf1 record for mixmax.com:
v=spf1 include:mailgun.org include:spf.mandrillapp.com include:_spf.google.com include:spf.mail.intercom.io include:customeriomail.com include:helpscoutemail.com include:spf.autopilothq.com include:sendgrid.net ~all
It should be:
Found v=spf1 record for mixmax.com:
v=spf1 include:mailgun.org include:spf.mandrillapp.com include:_spf.google.com include:spf.mail.intercom.io include:customeriomail.com include:helpscoutemail.com include:spf.autopilothq.com include:sendgrid.net -all
I strongly recommend you to read this article :
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
You can check your SPF here:
http://www.kitterman.com/spf/validate.html
The problem :
The article clearly shows the difference between softfail and fail. You should be using fail, as softfail allows anyone to send spoofed emails from your domains. In your SPF record you should replace ~ with - before the final all; - is strict, which prevents all spoofed emails except those you are sending. Your bug is that you are using ~; you should use -.
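The following is an added example, not part of the report and not the vendor's code. It audits an SPF record offline, given the TXT record text you have already fetched: it parses the terms, reports which result an unlisted sender would get from the trailing all mechanism (the softfail/fail distinction the report is about), and counts the top-level mechanisms that cost a DNS lookup against the limit of 10 from RFC 7208 section 4.6.4. The two record strings are copied from the report above; nested includes are not expanded, so the lookup count is a lower bound.

```python
import re

# Mechanisms and the redirect modifier that cost a DNS lookup and count
# against the limit of 10 in RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Result a receiver assigns to a sender that matches only the "all" term.
ALL_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Records copied from the report: the published one and the recommended fix.
WEAK_RECORD = ("v=spf1 include:mailgun.org include:spf.mandrillapp.com "
               "include:_spf.google.com include:spf.mail.intercom.io "
               "include:customeriomail.com include:helpscoutemail.com "
               "include:spf.autopilothq.com include:sendgrid.net ~all")
STRICT_RECORD = WEAK_RECORD.replace("~all", "-all")

# qualifier, term name, optional ":"/"="/"/" separator and argument.
_TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:[:=/](.*))?$", re.IGNORECASE)


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, name, argument) tuples.

    A missing qualifier defaults to "+" as the RFC specifies.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        m = _TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term!r}")
        qual, name, arg = m.groups()
        parsed.append((qual or "+", name.lower(), arg))
    return parsed


def all_qualifier(record):
    """Return the qualifier on the 'all' mechanism, or None if there is none."""
    for qual, name, _ in parse_spf(record):
        if name == "all":
            return qual
    return None


def lookup_count(record):
    """Count top-level terms that need a DNS lookup (includes are not expanded)."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def audit(record):
    """Summarise the record the way a reviewer of this report would want to see it."""
    qual = all_qualifier(record)
    lookups = lookup_count(record)
    # No "all" term at all: unmatched senders fall through to Neutral.
    result = ALL_RESULTS[qual] if qual else "neutral"
    findings = []
    if result == "softfail":
        findings.append("~all: spoofed mail is only marked, not rejected")
    elif result in ("pass", "neutral"):
        findings.append(f"unlisted senders get '{result}': record is not enforcing")
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {LOOKUP_LIMIT}: permerror")
    elif lookups >= LOOKUP_LIMIT - 2:
        findings.append(f"{lookups} lookup terms at top level, close to the limit of {LOOKUP_LIMIT}")
    return {
        "all": qual,
        "unlisted_sender_result": result,
        "strict": result == "fail",
        "lookups": lookups,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, rec in (("published", WEAK_RECORD), ("recommended", STRICT_RECORD)):
        print(label, audit(rec))
```

Whether a receiver actually rejects on fail, or merely scores softfail, is the receiver's policy; the record only states the sender's intent, and a DMARC policy on the domain is what tells receivers how to act on alignment failures. The close-to-limit warning matters here because each include can itself contain further includes, so the eight top-level includes in this record can easily push the resolved total past ten.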
Report Stats
- Report ID: 234701
- State: Closed
- Substate: resolved
- Upvotes: 4