MailFail identifies and provides commands to exploit a large number of email-related misconfigurations for the current domain and subdomain within a web browser. The extension's UI popup highlights any misconfigurations in red and links to the supporting documentation.
Try out the extension on the website https://www.blackhillsinfosec.com/mailfail/
Part 1 of this research was presented during a BHIS webcast and Part 2 as a Wild West Hackin' Fest 2024 talk. Both YouTube links are provided below.
On top of the checks done by the extension, listed below, each section header includes a link to a resource that autofills the domain and runs checks. Additionally, the four logos at the top of the popup are especially helpful and provide the following functions (from left to right):
- Checks if the MX domain can be used as an open relay
- Links to hunter.io which finds email addresses used by the domain
- Uses MXToolbox to run a "domain health" report
- Attempts to send a relayed email using the mail server
- A DKIM selector uses a weak RSA key that can be cracked and used to sign spoofed emails.
- The zone file was enumerated, including potentially hidden DKIM and ARC selectors.
- A weak DNSKEY algorithm is used.
- Does the record start with v=spf1?
- Do the IPv4 address ranges specified include an SMTP open relay?
- Does the record lack a catch-all ("all") mechanism but include a redirect= modifier?
- Does the record include ?all or +all which doesn't enforce SPF?
- Does the record defer to a redirect?
- Does the record use -all (hardfail), which isn't recommended?
- Does the record use the PTR mechanism which is marked as "DO NOT USE" in the RFC?
- Does the record use MailChannels and have "Domain Lockdown" configured?
- Does the record use multiple double-quoted strings, which can have unintended consequences?
- Are the domains referenced within the record available to purchase?
- Is a _spf record used, which is no longer supported?
- Do the domain and subdomain have an SPF record?
- Is there more than one SPF record?
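The SPF checks above, applied to a domain's TXT records as an added example (not MailFail's own code); the records it runs on are constructed samples, and the domains it extracts are returned for the caller to look up rather than resolved:

```javascript
// Added example, not MailFail's own code: apply the SPF checks listed above to
// a domain's TXT records. Every record passed in below is a constructed sample.
function auditSpf(txtRecords) {
  const findings = [];
  const spf = txtRecords.map(r => r.trim()).filter(r => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return { findings: ['no SPF record'], referencedDomains: [] };
  if (spf.length > 1) findings.push('more than one SPF record');
  const terms = spf[0].split(/\s+/).slice(1);                 // drop the v=spf1 tag
  const allTerm = terms.find(t => /^[-+~?]?all$/i.test(t));
  const redirect = terms.find(t => /^redirect=/i.test(t));
  if (!allTerm && redirect) findings.push('no "all" mechanism; defers to ' + redirect);
  if (!allTerm && !redirect) findings.push('no "all" mechanism and no redirect');
  if (allTerm && /^[+?]?all$/i.test(allTerm)) findings.push(allTerm + ' does not enforce SPF');
  if (allTerm && /^-all$/i.test(allTerm)) findings.push('-all (hardfail) in use');
  if (terms.some(t => /^[-+~?]?ptr(:|$)/i.test(t))) findings.push('ptr mechanism used (RFC 7208: do not use)');
  // Domains named by include:, a:, mx:, exists: and redirect= are the ones the
  // "available to purchase" check above would look up; they are returned, not resolved.
  const referencedDomains = terms
    .map(t => t.match(/^[-+~?]?(?:include|a|mx|exists):([^/]+)|^redirect=(.+)$/i))
    .filter(Boolean)
    .map(m => (m[1] || m[2]).toLowerCase());
  return { findings, referencedDomains };
}

// Constructed sample: a permissive record alongside an unrelated TXT record.
const sampleTxt = ['v=spf1 include:_spf.example.net ptr ?all', 'site-verification=constructed'];
console.log(auditSpf(sampleTxt));
```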
- Is the pct= lower than 100?
- Does the record start with v=DMARC1?
- Is the policy set to quarantine or reject?
- Is the policy missing?
- Is the subdomain policy set to none?
- Is fo=1 set while ruf= is missing (or present)?
- Is rua= or ruf= malformed?
- If pct= is lower than 100, the enforced policy is reduced.
- If pct= is lower than 100, the enforced subdomain policy is reduced.
- Are the domains referenced within the record available to purchase?
- Does the subdomain policy default to the root policy?
- OSINT link to DMARC.live.
- Is a CNAME used by DMARC?
- Can the domain and subdomain emails be spoofed?
- Is there more than one DMARC record?
- Are the domains specified in RUA and RUF configured correctly to receive emails?
- Are the domains specified in RUA and RUF configured to receive DMARC reports from any website?
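The DMARC checks above as an added example (not MailFail's own code). It parses a constructed _dmarc TXT record, flags the policy, pct=, sp=, fo= and malformed-URI conditions listed, and returns the RFC 7489 section 7.1 authorization names (`<domain>._report._dmarc.<other>`) that the external-reporting checks would need to resolve:

```javascript
// Added example, not MailFail's own code: parse the _dmarc TXT record(s) of a
// domain and apply the DMARC checks listed above. Inputs are constructed samples.
function auditDmarc(domain, txtRecords) {
  const findings = [];
  const recs = txtRecords.map(r => r.trim()).filter(r => /^v=DMARC1(\s*;|$)/i.test(r));
  if (recs.length === 0) return { findings: ['no DMARC record: domain is spoofable'], tags: {}, reportDomains: [] };
  if (recs.length > 1) findings.push('more than one DMARC record');
  const tags = {};
  for (const part of recs[0].split(';')) {
    const m = part.trim().match(/^([a-z]+)\s*=\s*(.*)$/i);
    if (m) tags[m[1].toLowerCase()] = m[2].trim();
  }
  if (!tags.p) findings.push('policy (p=) missing');
  else {
    if (!/^(quarantine|reject)$/i.test(tags.p)) findings.push('p=' + tags.p + ' does not enforce');
    if (!tags.sp) findings.push('no sp=; subdomains inherit p=' + tags.p);
  }
  if (/^none$/i.test(tags.sp || tags.p || '')) findings.push('subdomain policy is none');
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (pct < 100) findings.push('pct=' + pct + ' reduces enforcement of p= and sp=');
  if (tags.fo === '1' && !tags.ruf) findings.push('fo=1 set but ruf= is missing');
  // rua=/ruf= must be mailto: URIs. When the mailbox sits on another domain, that
  // domain must publish <domain>._report._dmarc.<other> (RFC 7489 section 7.1);
  // the names to look up are returned so the caller can resolve them.
  const reportDomains = [];
  for (const tag of ['rua', 'ruf']) {
    if (tags[tag] === undefined) continue;
    for (const uri of tags[tag].split(',')) {
      const m = uri.trim().match(/^mailto:[^@\s]+@([^\s!]+)(![0-9]+[kmgt]?)?$/i);
      if (!m) { findings.push(tag + '= malformed: ' + uri.trim()); continue; }
      if (m[1].toLowerCase() !== domain.toLowerCase())
        reportDomains.push(domain + '._report._dmarc.' + m[1].toLowerCase());
    }
  }
  return { findings, tags, reportDomains };
}

// Constructed sample: a monitoring-only record with reduced pct and external reporting.
console.log(auditDmarc('example.com', ['v=DMARC1; p=none; pct=50; fo=1; rua=mailto:dmarc@reports.example.net']));
```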
- Brute force common DKIM selectors.
- Does the record use a short key length? (< 1024 bits)
- Can the private key be cracked?
- What is the base-10 public key modulus?
- Does the record start with v=DKIM1?
- Check for weak RSA hashing algorithms.
- Check for DKIM testing mode.
- Brute force common ARC selectors.
- Does the record use a short key length? (< 1024 bits)
- Can the private key be cracked?
- Does a BIMI record exist?
- Does the record start with v=BIMI1?
- Does the record use an SVG image?
- If the record includes a certificate, parse the metadata.
- If the record points to Outlook, is Microsoft Direct Send enabled externally?
- Is the record valid?
- Does the record start with v=STSv1?
- Is the well-known MTA-STS file in testing mode?
- Does the MTA-STS file have an active policy?
- Is DANE used for SMTP?
- A command is provided to verify the correctness of each record.
- Is the usage field incorrectly set for SMTP?
- Is the selector field incorrectly set for SMTP?
- Is the matching type field incorrectly set for SMTP?
- Is the record valid?
- Is DNSSEC used?
- Is each record a zone-signing key or a secure entry point?
- What algorithm is used and is it secure?
- Is the protocol field set to 3?
- Does the record start with v=TLSRPTv1?
- Does the record use HTTP instead of HTTPS?
- Is an ADSP record available? This protocol is considered "dead" and has been superseded by DMARC.
- Is a MailChannels record found?
- Is it configured to use Cloudflare Workers?
- Is NSEC used by DNSSEC?
- Can you NSEC-walk the zone file?
- Are "black lies" used?
- Commands are provided to NSEC-walk locally.
- Is NSEC3 used by DNSSEC?
- Return a subset of the NSEC3 hashes.
- Provide the commands to extract all NSEC3 hashes locally.
- Which hashing algorithm is used?
- Which salt is used?
- Does the server advertise IMAP, POP, or SMTP services?
- Monero Address: 89jYJvX3CaFNv1T6mhg69wK5dMQJSF3aG2AYRNU1ZSo6WbccGtJN7TNMAf39vrmKNR6zXUKxJVABggR4a8cZDGST11Q4yS8
Browser permissions requested:
- Display notifications to you: needed so the addon can alert you when a severe misconfiguration is discovered.
- Access browser tabs: needed so the addon can display the proper number of misconfigurations on a per-tab basis.
By using MailFail, you agree to use it solely for lawful and ethical purposes, specifically for authorized penetration testing and security research with the explicit, written consent of the system owner. Unauthorized use of this tool against third-party systems without permission is strictly prohibited and may constitute a violation of local, national, or international laws. You are solely responsible for ensuring your use complies with all applicable regulations. The developers and distributors of MailFail disclaim all liability for any misuse or damage resulting from its use and provide the tool “as-is” without warranties of any kind. By using the tool, you agree to indemnify and hold harmless its creators from any claims, damages, or legal consequences arising from your actions. Continued use of the tool following any updates to these terms constitutes your acceptance of the revised Terms of Service.