Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
December 20, 2022 14:28
September 21, 2023 05:25
December 20, 2022 15:49
December 20, 2022 14:28


Live worker hosted at

UPDATE (Aug 13 2023): Two days after my DEFCON 31 talk, MailChannels silently decided to require a Domain Lockdown Record in order to send emails from Cloudflare Workers meaning this code doesn't work anymore. However, because they just addressed a "symptom" and not the underlying issue (lack of sender idenitity verification) anyone can still signup on their website (80$) and use their "normal" SMTP relay to spoof all of their customer domains 🤷🏻‍♂️

What is this

As of writing, This allows you to spoof emails from any of the +2 Million domains using MailChannels. It also gives you a slightly higher chance of landing a spoofed emails from any domain that doesn't have an SPF & DMARC due to ARC adoption.

It was released at the Defcon 31 talk SpamChannel: Spoofing Emails From 2 Million+ Domains and Virtually Becoming Satan.

Slides for the talk are here

I'm a MailChannels customer, how do I stop people from impersonating my domain?

TL;DR set your Domain Lockdown Record ASAP.

Defcon Talk

Defcon 31 Talk


Below are the demos from my Defcon talk demonstrating email spoofing using this Cloudflare Worker.

This video demonstrates spoofing an email from a domain configured with DMARC + DKIM:

SpamChannel Demo 1

This video demonstrates impersonating Satan (

SpamChannel Demo 2

How to deploy this yourself

  1. Signup and create a free account on Cloudflare (
  2. Clone this repo
  3. Install Wrangler CLI tool (npm i -g wrangler)
  4. Run wrangler login and login to your account
  5. In the root of this repo run wrangler publish


Code was based on @ihsangan's gist.


Spoof emails from any of the +2 Million domains using MailChannels (DEFCON 31 Talk)






No releases published


No packages published