Spoofability verdict for auth0.com
Maybe - auth0.com is partially protected.
See the math
Auth0 is a security platform but its own email infrastructure is a study in complexity without enforcement. The signals are there—but enforcement is inconsistent and one critical layer is missing entirely.
- SPF -all (hardfail): SPF is configured with a strict -all (reject) policy, meaning only explicitly authorised senders (Mandrill, Amazon SES, Intacct, Marketo, Salesforce, and dozens of IP blocks) can send mail from auth0.com. This prevents basic IP spoofing by unauthenticated servers.
- DKIM (4 selectors: google, s2, mandrill, s1): DKIM signatures are present across multiple selectors, allowing receivers to cryptographically verify that messages genuinely came from Auth0's infrastructure. This catches tampering and is enforced across the domain.
- DMARC policy=quarantine at 100%: DMARC quarantine (rather than reject) is less strict than it could be, but Auth0 applies it to 100% of traffic. However, adkim and aspf are unset, meaning the alignment requirements are not strict—messages can pass even if SPF or DKIM alignment is loose.
- MTA-STS mode=none: MTA-STS enforces secure TLS connections between mail servers. Setting it to 'none' means Auth0 is not enforcing encrypted, authenticated connections—leaving the transport layer vulnerable to downgrade attacks or interception.
What this means practically
An attacker cannot easily impersonate auth0.com from an unauthenticated server (SPF hardfail stops that). However, if an attacker compromises or spoofs one of Auth0's many authorised senders (Salesforce, Mandrill, Amazon SES, etc.), the looser DMARC alignment rules may allow the fake message to pass DMARC validation. Additionally, an attacker can attempt a TLS downgrade or interception attack during mail transport because MTA-STS enforcement is disabled. Gmail and Outlook will still deliver these messages in most cases, though strict DMARC quarantine may push borderline cases to spam.
Context for Auth0
Auth0 is a security-focused platform and should be held to a higher standard. The complexity here—dozens of authorised senders—is legitimate for a service that integrates with many third-party systems, but the failure to enforce MTA-STS and align DMARC strictly is a miss for an organisation in the trust and identity business.
Bottom line: Auth0's sender authentication is solid for basic spoofing, but the lack of MTA-STS enforcement and loose DMARC alignment rules leave room for a sophisticated attacker to slip through if they can compromise or mimic one of the many authorised senders.
What we measured
Partial
DMARC policy
p=quarantine
DMARC at p=quarantine. Spoofed mail goes to spam but is not rejected.
Enforced
SPF posture
-all (hardfail)
SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.
v=spf1 include:spf.mandrillapp.com include:amazonses.com include:_spf.intacct.com include:mktomail.com ip4:74.125.0.0/16 ip4:209.85.128.0/17 ip6:2001:4860:4864::/56 ip6:2404:6800:4864::/56 ip6:2607:f8b0:4864::/56 ip6:2800:3f0:4864::/56 ip6:2a00:1450:4864::/56 ip6:2c0f:fb50:4864::/56 exists:%{i}._spf.mta.salesforce.com ip4:205.220.176.21 ip4:205.220.164.21 ip4:168.245.48.84 ip4:168.245.73.252 ip4:50.31.57.204 ip4:198.21.5.209 ip4:167.89.21.169 ip4:167.89.14.31 ip4:167.89.126.180 ip4:167.89.110.192 ip4:208.185.229.0/24 ip4:208.185.235.0/24 ip4:148.59.108.0/23 ip4:148.59.106.0/23 ip4:159.183.193.109 ip4:159.183.213.105 ip4:159.183.213.107 ip4:159.183.214.96 ip4:159.183.213.204 ip4:159.183.200.101 ip4:149.72.233.170 ip4:149.72.90.103 ip4:192.254.124.136 ip4:198.37.159.181 ip4:167.89.51.134 ip4:192.174.90.242 ip4:159.183.191.229 -allEnforced
DKIM presence
found at 4 selectors
DKIM key found at selectors: google, mandrill, s2, s1.
Open
MTA-STS (transport)
mode=none
MTA-STS in mode=none (effectively disabled).
How to make it un-spoofable
- Move DMARC to p=reject pct=100 once your rua reports show no legitimate-sender failures.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.