wiredepth

Spoofability verdict for amazon.com

Maybe - amazon.com is partially protected.


Amazon has the backbone of a strong email security posture but is missing one critical piece, and that gap creates a genuine attack surface despite the "maybe" verdict.

  • DMARC p=quarantine at 100%: DMARC quarantine with 100% coverage means most receivers will automatically isolate mail that fails authentication. This is a hard enforcement lever and substantially raises the bar for spoofing.
  • SPF with -all (hardfail): SPF hard-fail rejects any mail from IP addresses not explicitly authorized by Amazon's three include statements. This blocks casual spoofing from random infrastructure.
  • DKIM: no selectors found: Despite probing 22 common selector names, we found zero DKIM signing keys. This means mail from amazon.com carries no DKIM cryptographic signature that DMARC can check, so DMARC quarantine decisions rest on SPF alone.
  • MTA-STS: missing: MTA-STS protects the connection between mail servers and is a modern defense; its absence means an attacker with network position could downgrade or intercept Amazon's outbound mail in transit.

What this means practically

An attacker cannot easily forge mail *from* amazon.com from a random server (SPF hard-fail stops that). However, an attacker *with network access* (compromised ISP, rogue WiFi, or BGP hijack) can send mail that passes SPF by spoofing one of Amazon's authorized IP ranges—and DMARC quarantine will respect the SPF pass because there is no DKIM signature to contradict it. In practice, Gmail and Outlook will quarantine suspicious-looking mail anyway via heuristics, but you're relying on that goodwill, not cryptography.

Bottom line: Amazon's DMARC and SPF enforcement protects against casual spoofing, but the complete absence of DKIM and MTA-STS leaves them vulnerable to sophisticated network-level attackers and means they're betting on receiver heuristics rather than cryptographic proof.
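To make the interplay described above concrete, here is an added example (not part of the wiredepth report or any Amazon code) that evaluates the SPF record shown on this page and feeds the result into a DMARC disposition. DNS is replaced by an in-memory table; the IP ranges behind the three include targets and the rua address are constructed placeholders, not Amazon's real published values, and the SPF domain is assumed to align with the From: domain.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The amazon.com record is the one in the report; the include targets'
# contents and the rua address are placeholders, not Amazon's real data.
FAKE_TXT = {
    "amazon.com": "v=spf1 include:spf1.amazon.com include:spf2.amazon.com "
                  "include:amazonses.com -all",
    "spf1.amazon.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf2.amazon.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "amazonses.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.amazon.com": "v=DMARC1; p=quarantine; pct=100; "
                         "rua=mailto:dmarc-reports@example.invalid",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Minimal SPF evaluator: ip4/ip6, include, and the 'all' terminator."""
    if depth > 10:                      # RFC 7208 lookup limit guard
        return "permerror"
    record = FAKE_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        if mech == "all":
            return QUALIFIER[qual]      # -all here is the hardfail the report flags
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qual]
        # An include only matches when the included domain's check passes.
        if name == "include" and spf_check(arg, ip, depth + 1) == "pass":
            return QUALIFIER[qual]
    return "neutral"


def dmarc_disposition(domain, spf_result, dkim_aligned_pass):
    """DMARC passes on either aligned leg; otherwise the published p= applies.

    With no DKIM key published (the report's finding), dkim_aligned_pass is
    always False, so the verdict hinges entirely on the SPF leg.
    """
    tags = dict(kv.strip().split("=", 1)
                for kv in FAKE_TXT["_dmarc." + domain].split(";") if "=" in kv)
    if spf_result == "pass" or dkim_aligned_pass:
        return "pass"
    return tags.get("p", "none")        # "quarantine" for the record above
```

Running `dmarc_disposition("amazon.com", spf_check("amazon.com", ip), False)` shows the two cases the verdict describes: an unauthorized IP ends in quarantine, while mail that passes SPF sails through with nothing on the DKIM side to check.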

What we measured

  • DMARC policy [Partial]: p=quarantine. DMARC at p=quarantine. Spoofed mail goes to spam but is not rejected.
  • SPF posture [Enforced]: -all (hardfail). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
    v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all
  • DKIM presence [Open]: no key found at common selectors. No DKIM key found at any of the 22 common selectors. (Your domain may publish a DKIM key at a less-common selector - this is a heuristic, not exhaustive.)
  • MTA-STS (transport) [Open]: missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Move DMARC to p=reject pct=100 once your rua reports show no legitimate-sender failures.
  2. Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list - that's fine, but worth verifying with your mail provider.
  3. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
