Companies like Coinbase, Yahoo, Google, Facebook and even HackerOne implemented a strict email security policy (combining SPF, DKIM, and DMARC) but I don't see that from block.io. You should apply a strict SMTP policy to stop spoofed email being sent from your domain. POC is attached.
Code to Exploit:

```php
<?php
// PoC: PHP's mail() lets the sender set an arbitrary From: header.
// With a neutral SPF record (?all) the receiving server has no basis
// to reject a message claiming to come from the target domain.
$to      = "VICTIM@example.com";
$subject = "Password Change";
$txt     = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: firstname.lastname@example.org";
mail($to, $subject, $txt, $headers);
?>
```
You should apply the fix below to prevent misunderstanding and to protect your users: use `-all` so that mail from unauthorized hosts fails SPF instead of being treated as neutral.

Current record:

```
v=spf1 include:spf.mandrillapp.com ?all
```

It should be:

```
v=spf1 include:spf.mandrillapp.com -all
```
POC IS ATTACHED HERE: http://gyazo.com/1f753428abff659b3f83df625dc380bc
SPF record lookup and validation for Block.io (SPF records are published in DNS as TXT records):

```
The TXT records found for your domain are:
v=spf1 include:spf.mandrillapp.com ?all
Checking to see if there is a valid SPF record.
Found v=spf1 record for Block.io:
v=spf1 include:spf.mandrillapp.com ?all   <---------- this is your mistake
```
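To make the difference between `?all` and `-all` concrete, here is an added example (not part of the original report) that parses an SPF TXT record and reports what its catch-all qualifier does to mail from unlisted hosts. The two records below are the ones quoted in the report; the parser follows the RFC 7208 term syntax and treats a missing `all` as neutral, as the RFC does.

```python
"""Audit the catch-all qualifier of an SPF TXT record (added example)."""
import re

# The qualifier on the "all" mechanism decides the fate of mail from any host
# not matched by an earlier mechanism such as include: or ip4:.
ALL_QUALIFIERS = {
    "+": "pass: any host may send as this domain (no policy at all)",
    "?": "neutral: receivers treat spoofed mail as if no SPF record existed",
    "~": "softfail: mail is accepted but flagged; weak deterrent",
    "-": "fail: receivers should reject mail from unauthorized hosts",
}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms.
    Returns None when the string is not a v=spf1 record at all."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?", term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term!r}")
        qual, mech, arg = m.groups()
        parsed.append((qual or "+", mech.lower(), arg))  # default qualifier is "+"
    return parsed

def all_qualifier(record):
    """Return the qualifier on 'all', or None if the record has no 'all' term
    (with no redirect= either, RFC 7208 evaluates that as neutral)."""
    terms = parse_spf(record)
    if terms is None:
        return None
    for qual, mech, _ in terms:
        if mech == "all":
            return qual
    return None

def is_strict(record):
    """True only when unmatched senders get a hard fail, i.e. '-all'."""
    return all_qualifier(record) == "-"

def audit(record):
    """One-line human-readable verdict for a record."""
    verdict = ALL_QUALIFIERS.get(all_qualifier(record), "no 'all' term (treated as neutral)")
    return f"{record!r}: {verdict}"

if __name__ == "__main__":
    # Constructed input: the weak record from the report and the proposed fix.
    for rec in ("v=spf1 include:spf.mandrillapp.com ?all",
                "v=spf1 include:spf.mandrillapp.com -all"):
        print(audit(rec))
```

Run it against the output of a `dig TXT yourdomain` lookup to confirm the published record ends in `-all`; any other qualifier, or no `all` at all, leaves spoofed mail unrejected by SPF alone.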