Critical Misconfiguration in DMARC Policy – Invalid External Destination on vfat.io
complete
TTG Cyber
Hi Team,

As part of a routine DNS security audit, I identified a critical misconfiguration in your domain’s DMARC policy that renders it non-functional and exposes your email infrastructure to spoofing, phishing, and deliverability issues.

### Vulnerability Summary

Your domain has a DMARC policy published at `_dmarc.vfat.io` with the following configuration:

    v=DMARC1; p=reject; rua=mailto:info@vfat.tools

While it uses the recommended policy (`p=reject`), the configuration includes a reporting address on an external domain (`vfat.tools`) without the required permission record, causing the entire DMARC policy to be considered invalid by mail receivers.

### Impact
* **Policy Rejection**: Since the external reporting destination is unauthorized, DMARC receivers treat the policy as invalid and ignore it.
* **Spoofing & Phishing Risks**: With the DMARC policy ignored, malicious actors can forge emails that appear to come from @vfat.io, potentially targeting your users, partners, or clients.
* **Failure to Detect Attacks**: No aggregate reports (RUA) are successfully sent, so you lose insight into how your domain is being used or abused.
* **Deliverability & Compliance Issues**: Many email services check for valid DMARC, and an invalid record can lead to your messages being flagged, blocked, or marked as suspicious—negatively impacting your business communication and legal compliance (GDPR, CAN-SPAM).

### Recommended Fix
To make this policy valid and enforceable:

- Publish a permission record on the destination domain `vfat.tools` at the following location (the record name is `<policy-domain>._report._dmarc.<destination-domain>`, so it lives in the `vfat.tools` zone):

      vfat.io._report._dmarc.vfat.tools. IN TXT "v=DMARC1"

- Alternatively, change the `rua` field to an internal reporting address on the same domain (e.g., `rua=mailto:dmarc@vfat.io`).
- After correcting, validate the updated DMARC record using a DMARC analyzer or an online validation tool.
I recommend treating this as a priority. Kindly let me know if you offer any compensation for responsible vulnerability disclosures. I also have additional findings and critical issues available to share upon confirmation.
Best regards,
Security Researcher
vfat.io
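The external-destination check the report refers to can be reproduced offline. The following is an added example (not code from the report or from vfat.io): it parses a DMARC record, finds `rua`/`ruf` URIs whose mailbox domain is outside the policy domain, and looks for the `<policy-domain>._report._dmarc.<destination>` TXT record that RFC 7489 requires. DNS is replaced by a constructed in-memory table (`FAKE_DNS`) and a hypothetical `resolve` callable so it runs without network access.

```python
from urllib.parse import urlparse


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(name):
    # Simplification: last two labels stand in for the organizational domain.
    # A real receiver would consult the Public Suffix List here.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def report_uris(tags, tag):
    # "mailto:a@x!10m" carries an optional size limit after "!"; drop it.
    uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
    return [u.split("!", 1)[0] for u in uris]


def authorization_name(policy_domain, uri):
    """Name whose TXT must contain v=DMARC1, or None if the URI is internal."""
    addr = urlparse(uri)
    if addr.scheme != "mailto" or "@" not in addr.path:
        return None
    dest = addr.path.rsplit("@", 1)[1]
    if org_domain(dest) == org_domain(policy_domain):
        return None  # same organizational domain: no authorization needed
    return f"{policy_domain}._report._dmarc.{dest}"


def unauthorized_destinations(policy_domain, record, resolve):
    """Return rua/ruf URIs that point off-domain without a v=DMARC1 record."""
    tags = parse_dmarc(record)
    bad = []
    for tag in ("rua", "ruf"):
        for uri in report_uris(tags, tag):
            name = authorization_name(policy_domain, uri)
            if name is None:
                continue
            txts = resolve(name)  # hypothetical resolver: name -> list of TXT strings
            if not any(parse_dmarc(t).get("v", "").upper() == "DMARC1" for t in txts):
                bad.append(uri)
    return bad


# Constructed DNS table: vfat.tools authorizes example.com but not vfat.io.
FAKE_DNS = {"example.com._report._dmarc.vfat.tools": ["v=DMARC1"]}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])
```

Running `unauthorized_destinations("vfat.io", "v=DMARC1; p=reject; rua=mailto:info@vfat.tools", fake_resolve)` against the constructed table returns the `vfat.tools` URI as unauthorized, while a `rua` on `vfat.io` itself returns nothing to fix.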
complete
vfat.io
Thank you for the report, we'll get this fixed. Do you have an Ethereum address for the bounty?
TTG Cyber
vfat.io Thank you for your response and for acknowledging the issue.
Here is my Ethereum (ERC20) address for the bounty:
0x0bcc9d6a3f971e30eb201a2304883d644dc152162
I’d also like to kindly emphasize that the DMARC misconfiguration I reported is of **critical severity**, as it exposes your domain to potential spoofing attacks and phishing campaigns targeting your users or partners. Such weaknesses can seriously harm brand trust and invite legal and compliance risks.

Given the nature and severity of this vulnerability, I hope the bounty reward will reflect its impact accordingly. I truly appreciate your time and responsible approach to security.

Please let me know once the transaction is processed.
vfat.io
TTG Cyber Sure but we are not a web2 project, we don't use email at all, so not critical in this instance.
vfat.io
TTG Cyber That is not a valid address, please check again.
TTG Cyber
vfat.io While I understand you don’t use email in a traditional Web2 sense, DMARC misconfigurations can still pose a reputational risk to any brand with a public-facing domain — especially in the Web3 space, where trust and community perception are everything. Attackers can spoof your domain to phish users, target partners, or impersonate your brand across other platforms. Many Web3 projects have faced damage from such vectors despite not using email actively.
That’s why most security-aware teams treat DMARC and related DNS security settings as part of basic hygiene — even for Web3.
TTG Cyber
vfat.io Thanks again. The address I shared earlier is from my Binance wallet, which accepts Ethereum deposits via ERC20.
If that doesn't work for your payout system, kindly let me know which Ethereum-compatible network or wallet type you prefer — I can provide the appropriate address accordingly.
Looking forward to your confirmation so I can share the correct one.
vfat.io
TTG Cyber: There is a typo in it, it has one digit too many.
TTG Cyber
vfat.io Apologies again — and thank you for your patience. The previous address had a typo.
Here is the correct Ethereum (ERC20) address for the bounty:
0x0bcc9d6a3f971e30eb201a2304883d64dc152162
I appreciate your support, and thank you once again for handling this responsibly.