wiredepth
Run a check

Spoofability verdict for avis.com

No - avis.com is not practically spoofable.

See the math

Avis.com runs a tight email authentication posture that makes spoofing a hard problem for an attacker. The combination of reject-level DMARC and hardfail SPF means unauthenticated mail is turned away by most major receivers.

  • DMARC policy=reject (enforced): DMARC is set to reject unauthenticated mail. Any email claiming to be from avis.com that fails SPF or DKIM authentication will be discarded by receivers that respect DMARC, not delivered to spam. This is the strongest posture.
  • SPF -all hardfail (enforced): SPF is configured with a hard fail (-all) that authorises mail only from specific Agari-managed DNS records. This prevents attackers from sending from arbitrary infrastructure claiming to be avis.com.
  • DKIM at selector1 (found): DKIM signing is active and discoverable. At least one selector is in use and can be probed by receivers to validate the cryptographic signature on Avis mail.
  • MTA-STS missing: MTA-STS is not deployed. This only matters for in-transit encryption negotiation and does not affect spoofability; the absence is a minor gap for defence-in-depth but not the main story here.

What this means practically

An attacker cannot realistically impersonate avis.com in the inbox of Gmail, Microsoft 365, or other major receivers. SPF hardfail + DMARC reject means that any spoofed mail will either be rejected outright or heavily penalised in filtering. Avis has also hired Agari (a managed email security vendor) to run their SPF and DKIM infrastructure, reducing the risk of misconfiguration. Phishing emails claiming to be from Avis are possible via other vectors (compromised accounts, look-alike domains), but forging the avis.com domain itself is off the table.

Bottom line: Avis.com has implemented the strongest baseline email security controls available; spoofing the domain is not a practical attack path for most threat actors.

What we measured

Enforced

DMARC policy

p=reject

inspect →

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Enforced

SPF posture

-all (hardfail)

inspect →

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 exists:%{i}._i.%{d}._d.espf.agari-dns.net include:%{d}.5c.spf-protect.agari-dns.net -all

Enforced

DKIM presence

found at 1 selector

inspect →

DKIM key found at selector: selector1.

Open

MTA-STS (transport)

missing

inspect →

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.

Check another domain