Spoofability verdict for adobe.com
No - adobe.com is not practically spoofable.
Adobe has built one of the strongest email authentication postures in the industry. Their combination of hard-fail SPF, strict DMARC reject policy, and multiple DKIM keys creates a nearly impenetrable spoofing barrier.
- DMARC p=reject at 100%: This is the gold standard. Every message claiming to be from adobe.com that fails DMARC alignment is rejected outright at the receiver. No soft landing, no p=none gradual rollout—full enforcement.
- SPF -all (hardfail): Only mail servers listed in Adobe's SPF record can send legitimate mail from adobe.com. The -all qualifier marks mail from any other IP as a hard fail. The record itself delegates validation to third parties (an Agari exists: macro lookup keyed on the sender IP and domain, plus Agari and IntAcct includes) to catch spoofed sender IPs.
- DKIM: 7 selectors found: Multiple DKIM signing keys mean Adobe signs mail across different systems (k1, s1, default, selector2, google, mandrill, s2). An attacker would need to forge a signature that verifies against one of these keys, which is practically impossible without the private keys.
- MTA-STS absent: Adobe doesn't publish MTA-STS, which would enforce TLS-only transit to their mail servers. This is a minor gap—SPF and DMARC already stop spoofing at the sending stage, and TLS enforcement is mainly about in-transit security, not impersonation prevention.
What this means practically
An attacker cannot realistically spoof adobe.com. Even if they craft a message with perfect headers, it will fail SPF (wrong IP), DKIM (wrong signature key), or both. Gmail, Microsoft 365, and other major mailboxes will reject or heavily deprioritise such messages. The only realistic attack vector is compromising an authorised Adobe mail server or an authorised third party (like Mandrill)—which is a breach, not a spoofing vulnerability.
Bottom line: Adobe's authentication is genuinely strong; spoofing adobe.com in someone's inbox is not a practical threat.
What we measured
Enforced
DMARC policy
p=reject
DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
Enforced
SPF posture
-all (hardfail)
SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.
v=spf1 exists:%{i}._i.%{d}._d.espf.agari.com include:%{d}.55.spf-protect.agari.com include:_spf.intacct.com -all
Enforced
DKIM presence
found at 7 selectors
DKIM key found at selectors: default, mandrill, google, k1, s1, s2, selector2.
Open
MTA-STS (transport)
missing
No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.