Hi Team
A DMARC record is the record where the DMARC rulesets are defined. This
record informs the ISPs (like Gmail, Microsoft, Yahoo! etc.) if a domain is
set up to use DMARC. The DMARC record contains the policy. The DMARC record
should be placed in your DNS. The TXT record name should be
"_dmarc.yourdomain.com", where "yourdomain.com" is replaced with your actual
domain name (or subdomain).
After DMARC has been implemented, it allows you to:
- Monitor, detect, and fix real-world problems with your email delivery
- See the email volumes you are delivering to inboxes (including which ones)
- Identify threat emails pretending to come from your domain (i.e., spoofing/phishing)
- Control the delivery of your email and defend against spoofing attacks.
Steps To Reproduce:
1) Checking for a Missing DMARC Record:-
There are various ways of checking for missing DMARC records on a website, but
the most common and popular way is
mxtoolbox.com
Steps to check DMARC records on a website:-
Go to
https://mxtoolbox.com
Enter the target, e.g. sparta.eu (do not add https/http or www)
Hit MX Lookup (if any)
Or you can simply use this link =>
https://mxtoolbox.com/SuperTool.aspx?action=mx%3asparta.eu&run=toolpage
If you see any DMARC record, then the domain is not vulnerable, but it can still be
vulnerable if you set "Policy for domain p=none"
2) Attack Scenario & PoC:-
When there is no DMARC record, an attacker can spoof email via any fake
mailer like Emkei.cz. An attacker can send email with the name "Support" and
the email "support(a)target.com". With a social engineering attack, he can
take over a user account. Even if the victim knows about phishing attacks, when he
sees the email coming from the authorized domain, he gets tricked easily.
Exploit:
Name: Hacked
Email: security(a)sparta.eu
To - your email address
etc
3) It will directly send a mail from security(a)sparta.eu to your inbox, not
to spam.
Solution
Once SPF and DKIM are in place, you configure DMARC by adding policies to
your domain’s DNS records in the form of TXT records (just like with SPF or
DKIM).
The TXT record name should be _dmarc.yourdomain.com, where yourdomain.com is
replaced with your actual domain name (or subdomain), and set the policy for
the domain to p=reject
For more details visit:
https://www.dmarcanalyzer.com/how-to-create-a-dmarc-record
Impact
An attacker can use the official career mail security(a)sparta.eu for a
phishing attack. The career email of sparta.eu is security(a)sparta.eu.
As it is from the official mail, the user will definitely trust it and will
be tricked by the phishing.
Thankspoo
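
Added example, not part of the original report: a Python check that classifies the TXT strings published at _dmarc.<domain> as missing, monitor-only (p=none) or enforced (p=reject), the distinction drawn in step 1 and in the Solution. It goes a little further than the report by also flagging pct below 100 and sp=none; the function names and the sample records (on the placeholder example.com) are constructed for illustration, and the TXT strings are assumed to have been fetched already.

```python
# Added example. Input: TXT strings already fetched from _dmarc.<domain>.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    pairs = [tuple(s.strip() for s in p.partition("=")[::2]) for p in parts]
    # RFC 7489: the version tag must come first and be exactly v=DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = {}
    for name, value in pairs:
        tags.setdefault(name.lower(), value)  # keep the first occurrence of a tag
    return tags

def audit(txt_records):
    """Classify the DMARC posture described by the TXT strings of one domain."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "missing"          # nothing published, so no DMARC policy is applied
    if len(records) > 1:
        return "invalid"          # receivers skip DMARC when several records exist
    rec = records[0]
    policy = rec.get("p", "").lower()
    pct = rec.get("pct", "100")
    if policy not in POLICIES or not pct.isdigit() or int(pct) > 100:
        return "invalid"
    if policy == "none":
        return "monitor-only"     # reports only; failing mail is still delivered
    if rec.get("sp", policy).lower() == "none":
        return "subdomains-open"  # sp=none leaves subdomains without enforcement
    if int(pct) < 100:
        return "partial"          # policy applied to only pct% of failing mail
    return "enforced" if policy == "reject" else "quarantine"

# Constructed sample records for illustration only.
SAMPLES = {
    "no TXT at _dmarc": [],
    "SPF record only": ["v=spf1 include:_spf.example.com ~all"],
    "p=none": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
    "p=reject, pct=25": ["v=DMARC1; p=reject; pct=25"],
    "p=reject, sp=none": ["v=DMARC1; p=reject; sp=none"],
    "p=reject": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for label, txts in SAMPLES.items():
        print(f"{label:20} -> {audit(txts)}")
```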