spoofx is a lightweight, high-performance CLI tool built in Go for identifying email spoofing vectors in domains through analysis of SPF and DMARC configurations.
Designed for offensive security workflows — especially for:
- 🔍 Bug bounty recon
- 🔥 Red team domain mapping
- 🧰 Security audits & SPF/DMARC compliance checks
```bash
go install github.com/luq0x/spoofx@latest
```

```bash
spoofx -d example.com
spoofx domains.txt
subfinder -d example.com -silent | spoofx -v
```

| Flag | Description |
|---|---|
| `-d` | Scan a single domain |
| `-v` | Enable verbose output |
| `-h` | Show help / usage |
Note: Flags must come before the domain or file input.
SpoofX now includes an HTML tool to generate Markdown vulnerability reports from your findings.
📁 Available at: report/spoofx.html
Just open the file in your browser and fill in:
- Target domain
- Spoofed email
- Inbox used
- Date
It will auto-generate a professional Markdown report for platforms like HackerOne, Bugcrowd, or internal security docs.
- 🕵️ Fetches SPF & DMARC DNS records
- 🧠 Classifies SPF strictness: `strict`, `soft`, `neutral`, or `unknown`
- 🚨 Flags weak or missing policies
- ✍️ Provides optional HTML report generation
- ⚡ Fast and lightweight (written in Go)
- 🧩 Works in recon chains (`cat`, `dnsx`, `httpx`)
- 🧰 CLI-based, no dependencies
- 🧾 Markdown report generation included
- 🎯 Perfect for Bug Bounty, Red Teaming, and Pentest Ops
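
The classification step in the feature list above, sketched as an added example for auditing your own records (this is not spoofx's source code). The mapping from the SPF `all` qualifier to the four labels, the "weak" rule, and all function names are assumptions; the records are passed in as strings, as they would arrive from TXT lookups on the domain and on `_dmarc.<domain>`.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed mapping from the qualifier on the "all" mechanism to the README's labels.
var spfClass = map[string]string{"-all": "strict", "~all": "soft", "?all": "neutral"}

// classifySPF returns strict, soft, neutral or unknown for one SPF TXT record.
func classifySPF(txt string) string {
	fields := strings.Fields(strings.ToLower(txt))
	if len(fields) == 0 || fields[0] != "v=spf1" {
		return "unknown" // missing record or not SPF at all
	}
	for _, f := range fields[1:] {
		if c, ok := spfClass[f]; ok {
			return c
		}
	}
	return "unknown" // no "all" term, "+all", or a redirect= that is not followed here
}

// dmarcPolicy returns the p= tag of a DMARC record, or "missing".
func dmarcPolicy(txt string) string {
	if !strings.HasPrefix(strings.ToLower(strings.TrimSpace(txt)), "v=dmarc1") {
		return "missing"
	}
	for _, tag := range strings.Split(txt, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(tag), "=")
		if ok && strings.EqualFold(strings.TrimSpace(k), "p") {
			return strings.ToLower(strings.TrimSpace(v))
		}
	}
	return "missing"
}

// weak reports whether either record is weak or missing (assumed rule:
// SPF without a hard fail, or DMARC without quarantine/reject).
func weak(spf, dmarc string) bool {
	p := dmarcPolicy(dmarc)
	return classifySPF(spf) != "strict" || (p != "quarantine" && p != "reject")
}

func main() {
	spf, dmarc := "v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none" // constructed samples
	fmt.Println(classifySPF(spf), dmarcPolicy(dmarc), weak(spf, dmarc))
}
```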
Current release: v1.1.1
- 👨💻 @luq0x
Pull requests and suggestions to improve detection and automation are always welcome.