---
title: "Detecting DMARC Issues Through Pentesting | DMARC Report"
description: "DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header."
image: "https://dmarcreport.com/og/blog/detecting-dmarc-issues-through-pentesting.png"
canonical: "https://dmarcreport.com/blog/detecting-dmarc-issues-through-pentesting/"
---

Quick Answer

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google's February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users.

Related: [Free DMARC Checker](/tools/dmarc-checker/) · [How to Create an SPF Record](/tools/spf-record-generator/) · [SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/)


![Detecting DMARC Issues Through Pentesting](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 


DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. Pen testing, or penetration testing, is defined as an authorized and strategized [simulated cyberattack](https://www.picussecurity.com/resource/glossary/what-is-an-attack-simulation#:~:text=The%20primary%20purpose%20of%20a,different%20types%20of%20cyber%20threats.) performed to explore the vulnerabilities of a technical system. Sounds complicated? Here’s a simpler explanation:

> The organizations that invest in email authentication early save themselves from expensive incidents later, says Vasile Diaconu, Operations Lead at DuoCircle. We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost.

So, companies hire a penetration tester who breaks into their system just like a hacker would do. They try to take note of all the [security loopholes that a malicious actor can exploit](https://www.scmagazine.com/news/attackers%5Fsalesforce%5Ffacebook-phishing-attacks) to access, alter, and intercept important information, install malware, **send fraudulent emails,** etc.

Now, in the context of [DMARC](https://dmarcreport.com/), it means a pen tester would **break into your email system and find out vulnerabilities and errors associated with SPF, DKIM, and DMARC to help you fix them** before a threat actor identifies and exploits them in their favor.

## SPF, DKIM, and DMARC: Touching the Bases Briefly

SPF stands for Sender Policy Framework. It allows only messages sent from IP addresses and mail servers listed in an [SPF record](https://dmarcreport.com/tools/spf-record-generator/) to land in the inboxes. Emails sent from any other sending sources are either marked as spam or rejected to prevent recipients from falling prey to [phishing and spoofing attacks](https://www.einnews.com/pr%5Fnews/674766398/new-research-54-of-indian-domains-are-vulnerable-to-phishing-and-spoofing).

[DKIM](https://dmarcreport.com/what-is-dkim/) stands for DomainKeys Identified Mail. It performs sender verification with a pair of [cryptographic keys](https://www.thesslstore.com/blog/cryptographic-keys-101-what-they-are-how-they-secure-data/): the sending domain signs each message with its private key, and the recipient checks that signature against the public key published in the domain’s DNS. Apart from **sender authentication**, it also reveals whether the signed email content has been tampered with in transit.

![Dmarc analyzer](https://media.mailhop.org/dmarcreport/images/2023/12/dmarc-analyzer-32.jpg) 

DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. It’s basically built on [SPF](https://dmarcreport.com/what-is-spf/) and DKIM results and supplements SMTP, as SMTP itself doesn’t include any dedicated mechanisms for setting policies for [email authentication](https://dmarcreport.com/blog/spf-vs-dkim-vs-dmarc-difference-explained-2026/). DMARC allows you to instruct recipients on how they should deal with emails that are sent from your domain but happen to fail SPF and/or DKIM checks. You can choose one of the policies:

- **None** (`p=none`): no action should be taken against potential phishing messages.
- **Quarantine** (`p=quarantine`): all potential phishing messages sent from your domain should be placed in recipients’ **spam folders**.
- **Reject** (`p=reject`): all potential phishing messages sent from your domain should be **rejected**, also known as [bounced back](https://www.activecampaign.com/glossary/bounced-email).
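To make the alignment rule concrete, here is an added example (not code from the original post or from DMARC Report) that parses a DMARC record and works out, for a constructed message, whether SPF and DKIM align with the visible `From` domain and which of the three policies above a receiver would apply. The domain names, the record, and the two-label organizational-domain shortcut are assumptions made for the example.

```python
from dataclasses import dataclass

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dict (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: " + txt)
    return tags

def org_domain(domain: str) -> str:
    # Organizational domain approximated as the last two labels (assumption for
    # this example; real verifiers consult the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any host under the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResult:
    from_domain: str   # domain of the visible RFC5322.From header
    mail_from: str     # envelope sender (RFC5321.MailFrom) domain checked by SPF
    spf_pass: bool     # did SPF pass for mail_from?
    dkim_domain: str   # d= of a DKIM signature that verified, "" if none

def evaluate(record: str, msg: AuthResult) -> dict:
    """Return alignment results and the disposition a receiver would apply."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = bool(msg.dkim_domain) and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    policy = tags["p"]
    # sp= (if present) replaces p= when the From domain is a subdomain; pct= is ignored here.
    if "sp" in tags and msg.from_domain.lower() != org_domain(msg.from_domain):
        policy = tags["sp"]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": passed, "disposition": "none" if passed else policy}

if __name__ == "__main__":
    # Constructed sample: example.com publishes p=reject with strict DKIM alignment.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    legit = AuthResult("example.com", "bounce.example.com", True, "")
    # A look-alike sender whose own SPF and DKIM pass but do not align with example.com.
    spoof = AuthResult("example.com", "testingdomain.com", True, "testingdomain.com")
    for name, msg in (("legitimate", legit), ("spoofed", spoof)):
        print(name, evaluate(record, msg))
```

The spoofed case shows why alignment matters: SPF and DKIM both pass for the sender’s own domain, yet the message still fails DMARC and is rejected because neither identifier matches the `From` domain.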

## Why Should Companies Prioritize DMARC?

Companies pay attention and **invest in cybersecurity**, however, they often overlook the importance of one of its major branches, which is [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/).

As many as [90%](https://www.cisa.gov/shields-up#:~:text=Think%20before%20you%20click.,numbers%2C%20or%20other%20sensitive%20information.) of successful cyberattacks emerge from a **phishing email**, so it isn’t really a safe practice to avoid email security, specifically DMARC.

DMARC is like a superhero for emails! It helps protect us from bad things like [fake emails trying to trick](https://indianexpress.com/article/cities/pune/pune-man-cheated-of-rs-2-7-lakh-with-us-job-offer-sent-from-embassys-fake-email-id-8901954/) us or pretending to be from someone they’re not. Imagine it as a shield that ensures only real and safe emails get through. _It also keeps an eye on how our emails are doing, giving us important information to make them even more secure_. So, in simple terms, DMARC is our **email guardian**, ensuring we’re safe from sneaky tricks and keeping our emails trustworthy.

## Standard Process of Simulating an Authorized Phishing Email Attack

A pen tester sets up a [VPS or virtual private server](https://www.ibm.com/topics/vps) and a domain, followed by downloading a tool and sending emails from the purchased domain. Let the domain name be testingdomain.com.

So, once they purchase the domain testingdomain.com, they replace the nameserver with a different one. [Cloudflare](https://dmarcreport.com/blog/which-dns-providers-make-it-easiest-to-add-a-dmarc-record/) is a commonly preferred nameserver. In Cloudflare, they go to the **DNS panel and delete anything under the ‘DNS management’ section** for a successful simulated attack.

Then, after scrolling down and replacing the given nameserver in the dedicated section of the domain service provider, a pen tester gets an [API key](https://www.fortinet.com/resources/cyberglossary/api-key#:~:text=An%20application%20programming%20interface%20%28API,secret%20token%20for%20authentication%20purposes) for the configuration file. _This is followed by **creating a token**, which redirects them to a page where they click on ‘Use Template’ right next to the ‘Edit zone DNS’ box. The received key is then saved for the forthcoming steps_.

## How Do You Configure the VPS?

Sometimes, they have to repeat this step because of the VPS [IPs’ bad reputation](https://www.ipxo.com/blog/what-is-ip-reputation/), which stops mail services from delivering your messages. Then they follow these steps:

- Carefully setting the hostname.
- Logging into the VPS and running:

  ```shell
  apt-get install git
  apt-get update && apt-get install docker-compose
  ```

- Cloning the **GitHub repository**.
- Going to the newly created directory.
- Editing the settings file and adding the domain and the API key.

In the next **8-10 minutes**, the server sets up fully.

## Sending the Phishing Email

Then, finally, a **pen tester sends a phishing email**. _Once this is done, they create a report mentioning all the security loopholes and suggest remediation methods_.

## Final Thoughts

While penetration testing is highly effective, it’s expensive to outsource the job to an agency or onboard an in-house pen tester. With respect to **DMARC penetration testing**, we suggest you use [online DMARC lookup tools](https://mxtoolbox.com/dmarc.aspx#:~:text=The%20DMARC%20Record%20Lookup%20%2F%20DMARC,diagnostic%20checks%20against%20the%20record.) instead. These are free or cheap tools that highlight all the existing errors in the queried domain’s [DMARC record](https://dmarcreport.com/dmarc-record/).

_You can conduct annual pen tests and fortnightly or monthly DMARC lookups_. A combination of these practices would ensure **impactful email security while not creating a hole in your pocket**.
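The checks a DMARC lookup tool performs can be reproduced in a few lines. The following added example (not part of the original post or of any DMARC Report tool) lints a domain’s published DMARC TXT values for the weak settings such tools flag; the records it runs on are constructed, and fetching real ones with `dig +short TXT _dmarc.<domain>` is a suggestion, not something the block does itself.

```python
def parse_tags(txt: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt_records: list) -> list:
    """Return human-readable findings for the TXT values at _dmarc.<domain>;
    an empty list means no issues were found."""
    cleaned = [r.strip().strip('"') for r in txt_records]
    dmarc = [r for r in cleaned if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record published: spoofed mail is neither quarantined nor rejected"]
    if len(dmarc) > 1:
        return ["multiple DMARC records published: receivers discard all of them (RFC 7489)"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag: record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value p={policy}")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains stay unprotected despite the enforced p= policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy enforced on only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua URI {uri.strip()!r} is not a mailto: URI")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag}={tags[tag]}: alignment mode must be r or s")
    return findings

if __name__ == "__main__":
    # Constructed record for a fictional domain, as a lookup tool would return it.
    for finding in lint_dmarc(['"v=DMARC1; p=none; pct=50; adkim=x"']):
        print("-", finding)
```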

![Dmarc report](https://media.mailhop.org/dmarcreport/images/2023/12/dmarc-report-5718.jpg) 

We can help you with [DMARC reporting and monitoring](https://dmarcreport.com/blog/easydmarc-alternatives-dmarc-reporting-2026/) to get insights into your **domain’s traffic**. [Book a demo here](https://dmarcreport.com/book-a-demo/).


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 



Published December 13, 2023; last updated April 16, 2026.
