Email spoofing with lack SPF and/or DMARC records

Email spoofing with lack SPF and/or DMARC records which are more common nowadays (including ‘Sony’, in this case ‘Education’ or other sites). It’s known that email spoofing is a really cool thing that for Social Engineering attacks, and it can be forwarded by some techniques. Anyway let’s get into topic.
Let’s suppose we took”@example.edu.eu” as an example. We go to lookup sites such as ‘mxtoolbox.com’.

Image 1,2:

Looking for DMARC and SPF analyze. Domain-based Message Authentication, Reporting and Conformance (DMARC) defines a process for discovering the appropriate response to receiving an email that fails to authenticate using SPF (unauthorized email server). If there’re no records, we move into another stage (it can has records sometimes, and it can be still vulnerable i’ll write about it).

Image 1

Image 2

Image 3:

After we verify them, we go to fake email sites and type fake mail from discovered mail that verified (@example.edu.eu). We fullfill the boxes and then send the mail!

Image 4:

After a while, i get that mail from attacker and i get caught by attacker( It is highlighted by P3-P4 severity and depends on programs and situations.