wiredepth

Spoofability verdict for bestbuy.com

No - bestbuy.com is not practically spoofable.


Best Buy has built a genuinely strong anti-spoofing posture with a hard DMARC reject policy. This is the configuration that actually stops attacks—not just slows them down.

  • DMARC policy=reject: DMARC reject means receivers drop email that fails authentication and claims to be from bestbuy.com. This is the strongest policy available and stops most spoofing at the receiver end.
  • SPF softfail (~all): The SPF record permits mail from multiple IP ranges (Best Buy's own ranges plus Microsoft and third-party marketing hosts) but uses softfail rather than hardfail. Softfail is weaker than -all, but combined with DMARC reject, it provides a safety net.
  • DKIM selector2 found: Best Buy is cryptographically signing outbound mail using at least one active DKIM selector. Receivers can verify that a message genuinely came from Best Buy's infrastructure, independent of IP reputation.
  • MTA-STS missing: Best Buy is not using MTA-STS to enforce TLS on incoming mail from other servers. This leaves a window for downgrade attacks on the transport layer, though DMARC+DKIM still protect message integrity.

What this means practically

An attacker cannot realistically spoof bestbuy.com in a way that lands in a recipient's inbox. Mail claiming to be from bestbuy.com that carries no aligned DKIM signature and does not originate from an SPF-listed IP fails DMARC validation and is rejected under the p=reject policy. Gmail, Outlook, and other major receivers all respect DMARC reject. The only practical attack surface is credential compromise (stealing or reusing legitimate marketing credentials), which is a separate problem.

Bottom line: Best Buy's DMARC reject + DKIM + SPF softfail combination is textbook email security; MTA-STS would be a nice-to-have but doesn't change the verdict.

What we measured

DMARC policy: p=reject (Enforced)
  DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

SPF posture: ~all (softfail) (Partial)
  SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
  Record: v=spf1 ip4:198.22.123.0/24 ip4:168.94.230.0/24 ip4:198.22.122.4 ip4:198.22.122.6 include:spf.protection.outlook.com include:spf-002a6b01.pphosted.com include:spf-007f1401.pphosted.com ~all

DKIM presence: found at 1 selector (Enforced)
  DKIM key found at selector: selector2.

MTA-STS (transport): missing (Open)
  No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
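The two remediation steps above, worked through in code. This is an added example, not part of the wiredepth report or its tooling: it parses the SPF record the report shows for bestbuy.com, reports the terminal `all` qualifier and the number of lookup-costing mechanisms, rewrites the record with `-all`, and drafts the MTA-STS policy file, its `_mta-sts` DNS record, and the TLS-RPT record. The MX host names, policy id, and report mailbox are placeholders (assumptions); the SPF lookup count is the direct count only, since resolving `include:` targets needs DNS.

```python
"""SPF hardening check plus MTA-STS / TLS-RPT drafting (added example).

Assumptions: the SPF record below is quoted from the report; every MX host,
policy id and report address is a constructed placeholder, not Best Buy's.
"""

# SPF record for bestbuy.com as shown in the report above.
SPF_RECORD = (
    "v=spf1 ip4:198.22.123.0/24 ip4:168.94.230.0/24 ip4:198.22.122.4 "
    "ip4:198.22.122.6 include:spf.protection.outlook.com "
    "include:spf-002a6b01.pphosted.com include:spf-007f1401.pphosted.com ~all"
)

QUALIFIER_NAMES = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}
# Mechanisms/modifiers that each cost one DNS lookup against RFC 7208's limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms and find the all qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # SPF default when no qualifier is written
        if term[0] in QUALIFIER_NAMES:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if "=" in name:  # modifier syntax, e.g. redirect=example.com
            name, _, value = term.partition("=")
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, name, value))
    return mechanisms, all_qualifier


def assess_spf(record):
    """Summarise whether the record is enforced (-all) and how many direct lookups it costs."""
    mechanisms, all_q = parse_spf(record)
    lookups = sum(1 for _, name, _ in mechanisms if name in LOOKUP_MECHANISMS)
    return {
        "all": QUALIFIER_NAMES.get(all_q, "missing"),
        "enforced": all_q == "-",
        "dns_lookups_direct": lookups,   # includes are not expanded here
        "over_lookup_limit": lookups > 10,
    }


def harden_spf(record):
    """Return the record with any ~all / ?all / +all (or a missing all) replaced by -all."""
    terms = [t for t in record.split() if t.lower().lstrip("+-~?") != "all"]
    return " ".join(terms + ["-all"])


def mta_sts_policy(mx_hosts, mode="enforce", max_age=604800):
    """Draft the policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461)."""
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {mx}" for mx in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def mta_sts_dns_record(policy_id):
    """TXT record published at _mta-sts.<domain>; bump the id whenever the policy changes."""
    return f"v=STSv1; id={policy_id}"


def tls_rpt_record(report_address):
    """TXT record published at _smtp._tls.<domain> (RFC 8460) so receivers report TLS failures."""
    return f"v=TLSRPTv1; rua=mailto:{report_address}"


if __name__ == "__main__":
    print("current SPF:", assess_spf(SPF_RECORD))
    hardened = harden_spf(SPF_RECORD)
    print("hardened SPF:", hardened)
    print("hardened assessment:", assess_spf(hardened))
    # Placeholder MX hosts and addresses, not real Best Buy values.
    print(mta_sts_policy(["mx1.example.invalid", "mx2.example.invalid"]))
    print("_mta-sts TXT:", mta_sts_dns_record("20240101T000000"))
    print("_smtp._tls TXT:", tls_rpt_record("tlsrpt@example.invalid"))
```

Run it as-is to see the softfail verdict and the three includes the report's record carries; only switch the live record to `-all` after the sender inventory is confirmed, exactly as step 1 says, because `-all` turns every unlisted sender into a hard failure.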
