Mailsploit: is there a problem with DMARC?

If you are looking for a yes or no answer, the answer is: NO! You can now relax and go grab a cup of coffee. But if you want to learn more, carry on reading.

Rather sensationalist articles recently posted in a number of media outlets claim DMARC can be bypassed due to shortcomings in the way that email clients handle the ‘from’ header. However, after examining the evidence given we’d argue that it’s not a DMARC shortcoming, rather a matter of poor implementation by email clients.

If you compare this to the recent password bug with the Mac High Sierra OS I don’t think we saw anyone claiming that this meant the very concept of passwords is flawed. Instead, people inherently understood that Apple had simply made a mistake when they implemented an update.

So what’s Mailsploit?

Mailsploit is a bug with some email clients where an attacker can trick a naively implemented email header parser into presenting the wrong information to a user.

The method used is not new and exploits like character encoding, cross-site-scripting (XSS) and null byte injections have all long been known by the software community and basic security checks in the development process of those email clients could have prevented this problem.

How does the Mailsploit exploit work?

The attacker encodes the ‘from’ header using base64 or quoted-printable to include the spoofed email address, i.e.:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

The right way of parsing the string above would be to decode ‘cG90dXNAd2hpdGVob3VzZS5nb3Y=’ which results in ‘potus@whitehouse.gov’ and ’00’ which is a null byte (represented as ), resulting in the following email address:

potus@whitehouse.govpotus@whitehouse.gov@mailsploit.com

This email address is not valid per its RFC and should be presented as an error.

What actually happens is that some email clients will stop at the null byte and ignore all the rest, incorrectly displaying the email as ‘potus@whitehouse.gov.’ Other clients will parse the whole thing but stop at the first string that looks like a valid email address, again ‘potus@whitehouse.gov.’

Is DMARC the one to blame?

No, if the parser was correctly implemented the email would have failed to deliver. As per the list published by Sabri Haddouche enterprise providers like Google or Microsoft Office 365 are not affected by it (and affected clients have either fixed it or are in the process of fixing it) so this is no more than another software bug.

The DMARC protocol is innocent. It still remains effective. If you’d like to check your current SPF, DKIM, and DMARC setup quickly and easily, use our free investigate tool.

check email setup

PUBLISHED BY

Randal Pinto

6 Dec. 2017

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more
DKIM

The hidden threat: How misconfigured DKIM enables replay attacks

Red Sift

Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack. In this post, we’ll break down how undersigned DKIM keys and related misconfigurations open your…

Read more
BIMI

Why DMARC and BIMI are a business priority

Jack Lilley

Email threats aren’t slowing down, and neither should your authentication strategy. In our recent joint webinar with Marigold, “From DMARC to BIMI: Navigating the New Email Authorization Landscape,” we broke down what today’s evolving standards mean for both security and marketing teams—and how to take action now with our free Red Sift Investigate tool.…

Read more
ASM

Zoom stops zooming: Why active monitoring is essential

Billy McDiarmid

​On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as their corporate email for all their employees. It was quickly identified as a domain name registration status problem. Despite being a critical name for Zoom, somehow, the…

Read more