wiredepth

Spoofability verdict for airbnb.com

No - airbnb.com is not practically spoofable.


Airbnb has built a textbook email authentication fortress. The combination of enforced DMARC reject policy and SPF hardfail protection means that spoofing emails from airbnb.com is practically impossible—and any attempt will fail loudly at the receiving end.

  • DMARC policy=reject (pct=100): DMARC is set to reject all unauthenticated mail from airbnb.com at 100% volume. Combined with relaxed alignment (adkim=r, aspf=r), legitimate senders have flexibility, but forged mail is blocked outright.
  • SPF hardfail (-all): SPF record ends with -all, which is a hard fail. Only IPs explicitly listed (Airbnb's own ranges and Google's infrastructure) pass; everything else is rejected immediately by receiving mail servers.
  • DKIM (google, k1 selectors): DKIM signatures are in place across at least two selector variations. Even if SPF or DMARC were partially bypassed, DKIM would catch unsigned or incorrectly signed forgeries.
  • MTA-STS (mode=missing): MTA-STS is not deployed. This protocol ensures encrypted delivery to Airbnb's mail servers and prevents downgrade attacks. It is not critical for inbound spoofing defence, but it is an upgrade that has not been made.

What this means practically

An attacker cannot send an email that passes DMARC/SPF checks and appears to come from airbnb.com. Any forgery will be rejected by strict receivers (Gmail, Microsoft 365, corporate gateways) before it reaches an inbox. Phishers targeting Airbnb users would have to register a lookalike domain instead—which requires a different attack vector entirely and is easier to spot.

Bottom line: Airbnb's email authentication posture is strong across all inbound defences; spoofing airbnb.com is not a practical threat.

What we measured

  • DMARC policy: p=reject (Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: -all (hardfail) (Enforced). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:

    v=spf1 include:spf1.airbnb.com ip6:2c0f:fb50:4864::/56 ip6:2a00:1450:4864::/56 ip6:2800:3f0:4864::/56 ip6:2607:f8b0:4864::/56 ip6:2404:6800:4864::/56 ip6:2001:4860:4864::/56 ip4:87.253.232.0/21 ip4:76.223.176.0/20 ip4:76.223.128.0/19 -all

  • DKIM presence: found at 2 selectors (Enforced). DKIM key found at selectors: google, k1.
  • MTA-STS (transport): missing (Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
