wiredepth

Spoofability verdict for bell.ca

No - bell.ca is not practically spoofable.

Bell Canada has built strong email authentication defences that make spoofing emails from bell.ca genuinely difficult. The core protection—DMARC with p=reject—is not just in place but actually enforced, which means most email providers will reject forged messages outright.

  • DMARC p=reject (enforced): DMARC is set to reject forged mail; no percentage-based deferral or looser policies. This is the highest enforcement level and tells email receivers to discard mail that fails DMARC checks.
  • SPF softfail (~all): SPF uses ~all (softfail) rather than -all (hardfail), which means non-matching IPs are marked suspicious but not outright rejected. However, softfail combined with p=reject DMARC provides strong real-world protection because DMARC enforces the policy regardless of SPF nuance.
  • DKIM across 4 selectors: Four active DKIM selectors (k2, mandrill, s1, s2) means Bell Canada signs its mail cryptographically. Attackers cannot forge legitimate DKIM signatures without the private keys, adding a second independent authentication layer.
  • MTA-STS missing: MTA-STS is not deployed. MTA-STS protects against TLS downgrade attacks on the mail transport layer; its absence doesn't directly enable spoofing, but it is a layering gap that modern senders typically close.

What this means practically

An attacker cannot practically send mail that appears to come from bell.ca and have it land in a recipient's inbox. Gmail, Outlook, and other mainstream providers will reject forged mail at the DMARC check (p=reject). The only plausible attack surface is against organisations with extremely loose DMARC handling, which is rare. Even if an attacker somehow bypassed SPF, a DKIM signature would still have to be forged, and a forged signature is detectable.

Bottom line: Bell Canada's email infrastructure is properly hardened; spoofing bell.ca addresses is not a practical concern.

What we measured

  • DMARC policy (Enforced): p=reject. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture (Partial): ~all (softfail). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record: v=spf1 include:spf-esa.bell.ca include:_spf-nhs.bell.ca include:_spf-ext1.bell.ca include:_spf-ext2.bell.ca ~all
  • DKIM presence (Enforced): found at 4 selectors. DKIM key found at selectors: mandrill, s1, k2, s2.
  • MTA-STS (transport) (Open): missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.