How I found an Email Spoofing bug in less than 5 minutes

ibrahimauwal
Jan 4, 2021

Assalamu Alaikum

In this article I will show you how I found an Email Spoofing vulnerability in one website that belongs to Doppler.

Before we start, I would like to give a simple explanation of Email Spoofing:

Email spoofing is the creation of email messages with a forged sender address. The core email protocols do not have any mechanism for authentication, making it common for spam and phishing emails to use such spoofing to mislead or even prank the recipient about the origin of the message.

Firstly, as my methodology of hacking (as a beginner), I usually start by checking simple issues on a website that do not require advanced skills, so I started by checking clickjacking, but I found that the site (doppler.team) is secured against that. I then thought of checking whether the site is secured against Email Spoofing. Luckily, using mxtoolbox.com, I found that no DMARC record was found for it, so I used https://emkei.cz/ to send a fake mail to my email using admin@doppler.team, and it worked perfectly: I received the message as expected.

Then I decided to report it to the team. In less than an hour, it was triaged, resolved, and agreed to be disclosed publicly.

You can read the full report here:

https://hackerone.com/reports/1071521

You can also watch the video made for demonstration here:

https://www.youtube.com/watch?v=x4syqK5hzlI
