wiredepth
Run a check

Spoofability verdict for checkpoint.com

No - checkpoint.com is not practically spoofable.

See the math

Check Point is a security vendor, and they've built their email posture accordingly: a strict DMARC reject policy with multiple DKIM selectors creates meaningful friction for anyone trying to impersonate their domain.

  • DMARC policy=reject: Full enforcement (p=reject) tells receivers to outright reject any message failing alignment checks. This is the gold standard and what security vendors should do.
  • SPF ~all (softfail): SPF uses a softfail rather than hardfail, which means non-aligned senders get flagged but not rejected by default. Given the DMARC reject enforcement above, this is a minor inconsistency but doesn't materially weaken the posture.
  • DKIM: 5 selectors found: Multiple active DKIM signing keys (default, s1, s2, selector1, selector2) mean an attacker would need to compromise multiple key pairs or the infrastructure signing them—not a one-key break-in.
  • MTA-STS: missing: MTA-STS enforces TLS in transit but is still relatively niche adoption. Its absence here is unremarkable for most organisations, including security vendors.

What this means practically

An attacker trying to spoof checkpoint.com emails would face hard rejection at most modern receivers (Gmail, Microsoft 365, etc.) because DMARC p=reject will block any message that fails SPF or DKIM alignment. The multiple DKIM selectors mean they can't fake signatures by compromising a single signing key. In practice, spoofed Check Point emails either bounce immediately or land in spam folders that most users never see.

Bottom line: Check Point practices what it preaches: they've implemented strict DMARC enforcement with redundant DKIM coverage, making spoofing their domain hard enough that attackers will find easier targets.

What we measured

Enforced

DMARC policy

p=reject

inspect →

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Partial

SPF posture

~all (softfail)

inspect →

SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

v=spf1 include:_spf1.b1723vyl.eu.cp-dmarc.com ~all

Enforced

DKIM presence

found at 5 selectors

inspect →

DKIM key found at selectors: default, s2, s1, selector1, selector2.

Open

MTA-STS (transport)

missing

inspect →

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.

Check another domain