wiredepth

Spoofability verdict for berkeley.edu

No - berkeley.edu is not practically spoofable.


Berkeley has implemented a strong DMARC reject policy with enforced DKIM signing, making it very difficult for an attacker to successfully impersonate the university at scale.

  • DMARC policy=reject at 100%: Any mail that fails DMARC authentication is rejected by receiving servers. This is the strictest DMARC stance and means spoofed Berkeley mail will be blocked outright rather than quarantined or soft-failed.
  • SPF softfail (~all): The policy allows unlisted senders through but marks them suspicious. SPF alone isn't enough to stop spoofing, but combined with DMARC reject, it raises the bar significantly for attackers.
  • DKIM at 6 selectors: Berkeley signs outbound mail with multiple DKIM keys (k1, k2, google, mail, s1, s2). An attacker would need to forge a valid signature without the private key, which is cryptographically infeasible in practice.
  • MTA-STS missing: MTA-STS enforces encrypted connections to mail servers. Its absence doesn't weaken spoofing defences, but it does leave Berkeley vulnerable to transit attacks if an attacker can intercept SMTP traffic.

What this means practically

An attacker cannot realistically send mail that will arrive as berkeley.edu at scale. DMARC reject combined with DKIM enforcement means spoofed mail is caught by receiving mail systems before users see it. A targeted attacker could attempt to compromise Berkeley's own infrastructure or abuse a compromised third-party sender in the SPF include chain (e.g., Google Workspace, Qualtrics, Mailjet), but generic spoofing, the kind used in phishing campaigns, will fail.

Bottom line: Berkeley's DMARC-reject posture is exemplary for a large university; spoofing the domain is not a practical attack vector.

What we measured

  • [Enforced] DMARC policy: p=reject. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • [Partial] SPF posture: ~all (softfail). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

    v=spf1 include:_spf.berkeley.edu include:_spf2.berkeley.edu include:_spf.google.com include:_spf.qualtrics.com include:servers.mcsv.net include:spf.mailjet.com a:c.spf.service-now.com ~all

  • [Enforced] DKIM presence: found at 6 selectors. DKIM key found at selectors: google, k1, k2, mail, s2, s1.
  • [Open] MTA-STS (transport): missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorized senders is complete and correct.
  2. Publish an MTA-STS policy in enforce mode, along with a TLS-RPT reporting endpoint.
