Forwarded to devs Possible DMARC Bypass - Spoofed MAILER-DAEMON Return-Path Not Rejected

nethubonline

Regular Pleskian
TITLE

Possible DMARC Bypass - Spoofed MAILER-DAEMON Return-Path Not Rejected

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk 18.0.76, AlmaLinux release 9.4

PROBLEM DESCRIPTION

Inbound spoofed emails are accepted even when SPF, DKIM, and DMARC are properly configured (including DMARC policy set to p=reject), if the attacker forges the envelope sender as MAILER-DAEMON.

Spammers can impersonate system-generated bounce messages by setting:
  • Return-Path: <MAILER-DAEMON> (empty/null sender)
  • From: an address within the protected domain (e.g., [email protected])
These messages are delivered to users instead of being rejected, allowing spoofing despite strict DMARC policy.

STEPS TO REPRODUCE

  1. Configure a domain in Plesk with:
    • DKIM Verify incoming mail: enabled
    • Enable SPF spam protection to check incoming mail: enabled
    • Enable DMARC to check incoming mail: enabled
    • DMARC DNS record set to "v=DMARC1; p=reject; sp=none;"
    • SPF DNS record set to "v=spf1 a mx -all"
  2. Send an email to a mailbox on that domain using a script that forges the envelope sender as MAILER-DAEMON.
    Example PHP script:

    PHP:
    <?php

    $to = "[email protected]";
    $subject = "Test Message";
    $message = "This is a spoofing email.";
    $headers = [];
    $headers[] = "From: [email protected]";
    $headers[] = "Reply-To: [email protected]";

    mail(
        $to,
        $subject,
        $message,
        implode("\r\n", $headers),
        "-f MAILER-DAEMON"
    );

  3. Observe whether the message is accepted by the mail server.

ACTUAL RESULT

The spoofed message is accepted and delivered to the recipient's mailbox.

DMARC policy (p=reject) is not enforced for messages using an empty or MAILER-DAEMON envelope sender.

EXPECTED RESULT

The message should be rejected during SMTP reception because:
  • The From domain is spoofed
  • Authentication checks fail alignment
  • DMARC policy is set to reject
Forged bounce messages should not bypass domain authentication protections.

ANY ADDITIONAL INFORMATION

This behavior allows attackers to impersonate system notifications or bounce messages, which may lead to spam delivery or phishing attempts.

The issue appears related to how null senders (<>) or MAILER-DAEMON envelope senders are treated during DMARC evaluation.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
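As an added illustration (not part of the report above, and not Plesk's code), the following evaluator shows how a DMARC check should treat a null or MAILER-DAEMON envelope sender: alignment is always measured against the RFC5322.From domain, and when MAIL FROM is empty the SPF identity is the HELO hostname (RFC 7208 section 2.4), so a forged bounce cannot inherit an SPF pass for the spoofed domain. All domains, hostnames and authentication results are constructed sample values; the organizational-domain reduction is simplified (no public suffix list).

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    from_domain: str            # domain of the RFC5322.From header
    mail_from: str              # RFC5321.MailFrom; "" or MAILER-DAEMON means null sender
    helo: str                   # HELO/EHLO hostname, used as SPF identity for null senders
    spf_result: str             # "pass"/"fail"/"none" for the identity SPF actually evaluated
    dkim_passes: list = field(default_factory=list)  # d= domains with valid signatures

def org_domain(domain):
    # Simplified organizational domain (constructed example: last two labels only).
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def is_null_sender(mail_from):
    # Bounces carry an empty reverse-path; MTAs often render it as MAILER-DAEMON.
    return mail_from.strip() in ("", "<>", "MAILER-DAEMON", "<MAILER-DAEMON>")

def spf_identity(msg):
    # With a null reverse-path, SPF must use the HELO identity, never the From header.
    if is_null_sender(msg.mail_from):
        return msg.helo
    return msg.mail_from.rsplit("@", 1)[-1]

def aligned(identity, from_domain, strict=False):
    a, b = identity.lower(), from_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_verdict(msg, policy="reject"):
    """Return 'pass', or the From domain's requested action when nothing aligns."""
    spf_aligned = msg.spf_result == "pass" and aligned(spf_identity(msg), msg.from_domain)
    dkim_aligned = any(aligned(d, msg.from_domain) for d in msg.dkim_passes)
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy  # p= value from the From domain's DMARC record: none/quarantine/reject

if __name__ == "__main__":
    # Forged bounce: null sender, foreign HELO, no DKIM for the From domain -> reject.
    forged = Message("example.org", "MAILER-DAEMON", "mail.sender.test", "pass", [])
    print(dmarc_verdict(forged))
    # Genuine bounce from the domain's own MX: HELO aligns, so it still passes.
    genuine = Message("example.org", "", "mx1.example.org", "pass", [])
    print(dmarc_verdict(genuine))
```

The point for the evaluator is that the null sender removes the MAIL FROM identity but never suspends the DMARC decision; a bounce with no aligned SPF (via HELO) and no aligned DKIM is subject to the published policy exactly like any other message.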