SMTP protection not used (please read carefully)

Disclosed: 2014-12-07 15:22:49 By ashesh To greenhouse
Unknown
Vulnerability Details
Details: Companies like Coinbase, Yahoo, Google, Facebook and even HackerOne have implemented a strict email security policy (combining SPF, DKIM, and DMARC), but I don't see that from mailgreenhouse.ioru. You should apply a strict SMTP policy to stop spoofed email being sent from your domain. POC is attached.

Exploit scenario:
-----------------------
An attacker would send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees that the mail originated from [email protected], he has no other way than to believe it. Clicking on the link takes him to a website where certain JavaScript is executed which steals his greenhouse.io id and password (SESSION COOKIE). The results can be more dangerous.

Code to exploit:
-------------------
```php
<?php
$to = "[email protected]";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: [email protected]";
mail($to, $subject, $txt, $headers);
?>
```

You should apply the fix (see the fix below) to prevent misunderstanding and to protect your users.

FIX
----------
Your SPF record is:

```
$ dig +short greenhouse.io txt
"v=spf1 include:sendgrid.net include:spf.recurly.com include:mailgun.org include:servers.mcsv.net ~all"
```

It should be:

```
"v=spf1 include:sendgrid.net include:spf.recurly.com include:mailgun.org include:servers.mcsv.net -all"
```

I **strongly** recommend you to read this article: https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

**The problem**

The article clearly shows the difference between softfail and fail; you should be using fail, as softfail allows anyone to send spoofed emails from your domains. In your SPF record you should replace `~` with `-` at the end, before `all`: `-` is strict, which prevents all spoofed emails except the ones you are sending. Your bug is that you are using `~`; you should use `-`.
Report Stats
  • Report ID: 25191
  • State: Closed
  • Substate: informative
  • Upvotes: 1
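The report's fix comes down to one character in the SPF record, the qualifier on the `all` mechanism. The following is an added example, not code from the report or from Greenhouse: an offline checker that parses an SPF TXT record, reports its `all` qualifier and DNS-lookup count, applies the report's `~all` to `-all` change, and also parses a DMARC record, since the report's opening line names SPF, DKIM and DMARC together and SPF alone does not govern the visible From: header. The SPF strings are the ones quoted in the report; the DMARC strings and the `example.com` reporting address are constructed, and no DNS queries are made.

```python
"""Added example, not code from the HackerOne report or from Greenhouse:
an offline checker that parses SPF and DMARC TXT records and flags a
permissive policy. The SPF strings are the ones quoted in the report; the
DMARC strings are constructed samples. No DNS queries are made."""
from dataclasses import dataclass, field
from typing import List, Optional

# SPF qualifiers (RFC 7208): "+" pass (the default), "-" fail,
# "~" softfail, "?" neutral
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
DNS_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class SpfPolicy:
    includes: List[str]
    all_qualifier: Optional[str]        # None when no "all" term is present
    dns_lookups: int
    issues: List[str] = field(default_factory=list)


def parse_spf(record: str) -> SpfPolicy:
    """Parse one SPF TXT record and note anything that weakens it."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: expected a v=spf1 prefix")
    includes: List[str] = []
    all_q: Optional[str] = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # mechanism/modifier name: strip ":value", "=value" and "/cidr"
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in DNS_TERMS:
            lookups += 1
        if name == "include":
            includes.append(term.split(":", 1)[1])
        elif name == "all":
            all_q = qualifier
    policy = SpfPolicy(includes, all_q, lookups)
    if all_q is None:
        policy.issues.append("no 'all' term: unlisted senders get a neutral result")
    elif all_q in ("~", "?"):
        policy.issues.append(
            f"'{all_q}all' ({QUALIFIERS[all_q]}) lets unlisted senders through; "
            "use '-all' so receivers can reject them")
    if lookups > 10:
        policy.issues.append(
            f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return policy


def harden_spf(record: str) -> str:
    """Apply the report's fix: turn a trailing ~all / ?all / +all into -all."""
    terms = record.strip().split()
    if terms and terms[-1].lower().lstrip("+-~?") == "all":
        terms[-1] = "-all"
    return " ".join(terms)


def parse_dmarc(record: Optional[str]) -> dict:
    """Parse a DMARC TXT record; p=none means SPF/DKIM failures are only reported."""
    result = {"policy": None, "issues": []}
    if not record:
        result["issues"].append("no DMARC record: nothing ties SPF/DKIM to the From: domain")
        return result
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (t.partition("=") for t in record.split(";") if t.strip())}
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: expected v=DMARC1")
    result["policy"] = tags.get("p")
    if result["policy"] in (None, "none"):
        result["issues"].append("p=none only monitors; use p=quarantine or p=reject")
    return result


# Records quoted in the report (current and recommended)
CURRENT_SPF = ("v=spf1 include:sendgrid.net include:spf.recurly.com "
               "include:mailgun.org include:servers.mcsv.net ~all")
FIXED_SPF = harden_spf(CURRENT_SPF)
# Constructed DMARC samples, not taken from the report
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, rec in (("current", CURRENT_SPF), ("fixed", FIXED_SPF)):
        p = parse_spf(rec)
        print(f"{label}: all={p.all_qualifier!r} lookups={p.dns_lookups} issues={p.issues}")
    print("dmarc (monitor only):", parse_dmarc(DMARC_MONITOR)["issues"])
```

Run as-is it prints one issue for the report's current record and none for the hardened one. To check a live domain, feed it the TXT strings returned by `dig +short <domain> txt` and `dig +short _dmarc.<domain> txt`; the lookup counter is there because an SPF record that grows past ten DNS-querying terms fails evaluation outright, which is a common way a "fixed" record quietly stops protecting anything.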