I am a security researcher and I found this vulnerability in your website.
I just sent a forged email to my email address that appears to originate
from  [email protected]
I was able to do this because of the following DMARC record:
 
DMARC record lookup and validation for: codeby.net
 
" DMARC Quarantine/Reject policy not enabled "
 
How To Reproduce (POC - ATTACHED IMAGE):
1. Go to mxtoolbox.com/DMARC.aspx
2. Enter the website. Click GO.
3. You will see the fault (DMARC Quarantine/Reject policy not enabled)
 
Fix:
1) Publish DMARC record.
2) Enable DMARC Quarantine/Reject policy
 
For more information you can use this blog
(<https://sendgrid.com/blog/what-is-dmarc/>).
 
<?php
$to = "[email protected]";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]l";
$headers = "<From:[email protected]>
";
mail($to,$subject,$txt,$headers);
 
?>
 
Reference :
<https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-dmarc_records> 
 
Let me know if you need me to send another forged email, or if you have any
other questions.
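
Added example, not part of the original report: a recipient of a report like this can confirm the finding by classifying the TXT record published at _dmarc.<domain>, which is the same condition the "Quarantine/Reject policy not enabled" check flags. The function names and verdict labels are assumptions made for this sketch, the sample records are constructed, and the subdomain tag (sp=) is not evaluated.

```python
# Added example: offline assessment of a DMARC TXT record's enforcement level.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC tag-list ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (verdict, detail) for the TXT string found at _dmarc.<domain>."""
    if txt is None or not txt.strip():
        return ("missing", "no DMARC record published")
    # The version tag must come first and be exactly v=DMARC1.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return ("invalid", "record does not start with v=DMARC1")
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ("invalid", "p= tag missing or unrecognised")
    if policy == "none":
        return ("monitor-only", "p=none: mail failing DMARC is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        return ("invalid", "pct= must be an integer from 0 to 100")
    if int(pct) < 100:
        return ("partial", f"p={policy} requested for only {pct}% of failing mail")
    return ("enforced", f"p={policy} requested for all failing mail")


if __name__ == "__main__":
    # Constructed sample records; example.com is a placeholder domain.
    samples = [
        None,
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    ]
    for record in samples:
        print(record, "->", assess_dmarc(record))
```

Only the "enforced" verdict corresponds to the fix the report asks for; "missing" and "monitor-only" are the states it describes as a fault.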