wiredepth

Spoofability verdict for canada.ca

Yes - canada.ca is spoofable today.


The Canada Revenue Agency's primary email domain implements the classic trap: strong sender authentication that nobody is checking. DMARC policy=none means spoofed CRA emails will be delivered, not blocked.

  • DMARC policy=none: DMARC is set to monitor-only mode (p=none). Even though SPF and DKIM are properly configured, receivers are not required to enforce authentication; they only log what would have failed. A spoofed email claiming to be from the CRA fails DMARC evaluation, but the published policy asks receivers to take no action on that failure.
  • SPF hardfail (-all): SPF is correctly configured with -all (reject), specifying only legitimate senders (SSC-SPC and Outlook). This would block spoofing, if anyone were checking it.
  • DKIM at selector1: DKIM signature is in place with at least one active selector, providing cryptographic proof of message origin when verified. Again, only effective if the receiver actually enforces DMARC policy.
  • MTA-STS missing: No MTA-STS policy is published. This means senders cannot verify that the receiving mail server supports TLS, leaving the connection vulnerable to downgrade attacks.

What this means practically

An attacker can send an email claiming to be from cra-arc.gc.ca, and most major receivers (Gmail, Outlook, corporate mail systems) will deliver it to inboxes rather than reject or quarantine it. The SPF and DKIM records are correct, but DMARC p=none is a signal that says "check these if you want—but I'm not requiring it." In practice, many users will see an email that looks official and trust it. This is especially dangerous for the CRA because phishing impersonations of tax agencies are a known attack vector.

Context for CRA (Canada)

Canadian government agencies often operate under complex shared infrastructure (SSC-SPC) and may have legitimate reasons for slow DMARC rollout. However, the CRA is a high-value target for impersonation (tax refunds, payment collection, identity theft). A government financial agency with p=none is a meaningful spoofability risk, not a university-style operational constraint.

Bottom line: The CRA has built the foundations correctly (SPF and DKIM) but left the door open by refusing to enforce them—upgrade to DMARC p=reject to actually stop spoofing.

What we measured

  • DMARC policy (Open): p=none
    DMARC at p=none. Receivers are told NOT to act on auth failures; spoofed mail will not be blocked.
  • SPF posture (Enforced): -all (hardfail)
    SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.
    v=spf1 include:emrs._spf.ssc-spc.gc.ca include:spf.protection.outlook.com -all
  • DKIM presence (Enforced): found at 1 selector
    DKIM key found at selector: selector1.
  • MTA-STS (transport) (Open): missing
    No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish a DMARC record. Start at p=none with a rua= report destination to gather data, then progress to p=quarantine and p=reject.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
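
The verdict logic above, written out as an added Python example (not wiredepth's own code): it parses a DMARC TXT record and the SPF "all" qualifier and reproduces the per-check Open/Enforced status, showing that SPF -all and a DKIM selector leave the domain spoofable until the DMARC policy itself moves to quarantine or reject. The SPF string is the one measured above; the DMARC records, the report address and the DKIM selector list are constructed inputs.

```python
"""Evaluate published email-auth records the way the verdict above does.

Added example, not wiredepth's own code. The SPF string is the one shown in
the measurements; the DMARC TXT records are constructed (the page only reports
p=none) and MTA-STS is modelled as present/absent.
"""
import re

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_all_qualifier(txt):
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    if not m:
        return None  # no 'all' term: SPF evaluates to neutral by default
    return m.group(1) or "+"

SPF_RESULT = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}

def spoofability(dmarc_txt, spf_txt, dkim_selectors, mta_sts_present):
    """Return (spoofable, findings). Only DMARC p=quarantine/reject stops
    From:-header spoofing; SPF and DKIM alone do not, however strict they are."""
    tags = parse_dmarc(dmarc_txt or "")
    policy = tags.get("p", "none") if tags.get("v", "").upper() == "DMARC1" else "missing"
    q = spf_all_qualifier(spf_txt or "")
    findings = {
        "dmarc": ("Enforced" if policy in ("quarantine", "reject") else "Open", policy),
        "spf": ("Enforced" if q == "-" else "Open", SPF_RESULT.get(q, "missing")),
        "dkim": ("Enforced" if dkim_selectors else "Open", f"found at {len(dkim_selectors)} selector(s)"),
        "mta_sts": ("Enforced" if mta_sts_present else "Open", "present" if mta_sts_present else "missing"),
    }
    return findings["dmarc"][0] == "Open", findings

SPF_CRA = "v=spf1 include:emrs._spf.ssc-spc.gc.ca include:spf.protection.outlook.com -all"
DMARC_NOW = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"    # constructed
DMARC_FIXED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid" # constructed

if __name__ == "__main__":
    for label, rec in (("as measured", DMARC_NOW), ("after remediation", DMARC_FIXED)):
        spoofable, f = spoofability(rec, SPF_CRA, ["selector1"], False)
        print(label, "-> spoofable:", spoofable, f)
```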