wiredepth
Spoofability verdict for carrefour.com

Yes - carrefour.com is spoofable today.

Carrefour has the classic European retail miscalibration: strong foundations in SPF and DKIM, but a wide-open DMARC policy that makes all of it toothless. The signals don't work together, so they don't protect the brand.

  • DMARC policy=none: Carrefour publishes DMARC at p=none, which tells receivers 'I'm publishing these signals but don't enforce them.' Receivers are free to deliver spoofed mail that passes SPF or DKIM—or even mail that fails both.
  • SPF -all (hardfail): SPF is correctly configured with a hardfail at the end, meaning only mail from Carrefour's MX servers and registered includes should pass. Without DMARC enforcement, this stops nothing at the receiver end.
  • DKIM at 5 active selectors: Five active DKIM selectors (k2, google, s1, s2, default) indicate mature signing infrastructure. Any properly signed Carrefour mail would authenticate. Again, without DMARC enforcement, this is a credential that forgers can ignore.
  • MTA-STS missing: No MTA-STS policy to enforce encrypted delivery to Carrefour's mail servers. An attacker can downgrade the connection or intercept mail in transit without triggering warnings.

What this means practically

An attacker can send mail spoofing carrefour.com to any inbox by simply using a public mail relay and setting the From header to the brand. SPF will fail—but DMARC's p=none allows receivers to ignore that failure. Gmail, Outlook, and others will often accept and deliver the message if it looks plausible, though many will tag it as suspicious. Carrefour's real mail (which passes SPF and signs with DKIM) and a forged message end up treated the same by the receiver: the authentication results differ, but p=none gives the receiver no instruction to act on that difference.

Bottom line: Carrefour has built strong SPF and DKIM infrastructure but chosen not to enforce it with DMARC, leaving the brand wide open to spoofing despite doing 80% of the work correctly.

What we measured

  • DMARC policy (Open): p=none. DMARC at p=none. Receivers are told NOT to act on auth failures; spoofed mail will not be blocked.
  • SPF posture (Enforced): -all (hardfail). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record: v=spf1 mx include:_spf.carrefour.com -all
  • DKIM presence (Enforced): found at 5 selectors. DKIM key found at selectors: default, google, s1, k2, s2.
  • MTA-STS (transport) (Open): missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish a DMARC record with a rua= report destination. Start at p=none to gather data, then progress to p=quarantine and finally p=reject.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
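The verdict logic above and the remediation target in these two steps, expressed as an added Python example (not wiredepth's own code): it parses the DMARC and SPF records as strings, so it runs offline, and reports the domain as spoofable whenever DMARC is below quarantine, regardless of how strong SPF and DKIM are. The DMARC record text and the rua= address are constructed assumptions; the SPF record is the one quoted on this page.

```python
# Added example, not wiredepth's own code: applies the report's reasoning to DNS
# TXT records supplied as strings so it runs offline ("constructed" = not from page).
def parse_tags(txt):
    """Split a DMARC-style 'k=v; k=v' TXT record into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_posture(spf):
    """Classify the terminal 'all' mechanism of an SPF record."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return "missing"
    last = spf.split()[-1].lower()
    return {"-all": "hardfail", "~all": "softfail", "?all": "neutral",
            "+all": "pass-all", "all": "pass-all"}.get(last, "no terminal all")

def dmarc_policy(dmarc):
    """Return the DMARC p= policy; 'missing' or 'invalid' if no usable record."""
    if not dmarc:
        return "missing"
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    return tags.get("p", "invalid").lower()   # p= is required by RFC 7489

def spoofability(dmarc, spf, dkim_selectors, mta_sts):
    """Report rule: unless DMARC is at quarantine/reject, SPF and DKIM results
    are advisory only, so a forged From header is not blocked."""
    policy = dmarc_policy(dmarc)
    return {
        "dmarc": policy,
        "spf": spf_posture(spf),
        "dkim_selectors": len(dkim_selectors),
        "mta_sts": "present" if mta_sts else "missing",
        "spoofable": policy not in ("quarantine", "reject"),
    }

# Posture as the report describes it; the DMARC record text is constructed.
CARREFOUR = dict(
    dmarc="v=DMARC1; p=none",                         # constructed
    spf="v=spf1 mx include:_spf.carrefour.com -all",  # quoted on the page
    dkim_selectors=["default", "google", "s1", "k2", "s2"],
    mta_sts=False,
)
# Remediation target (constructed): same SPF/DKIM, DMARC at reject with reporting, MTA-STS on.
REMEDIATED = dict(CARREFOUR, dmarc="v=DMARC1; p=reject; rua=mailto:dmarc@example.com", mta_sts=True)
```

Calling `spoofability(**CARREFOUR)` returns `spoofable: True` even though SPF is hardfail and five DKIM selectors exist; `spoofability(**REMEDIATED)` returns `spoofable: False`.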