Spoofability verdict for coinbase.com
No - coinbase.com is not practically spoofable.
Coinbase has set up email authentication correctly. They enforce DMARC reject policy and back it up with both SPF hardfail and multiple DKIM selectors—the combination you want to see from a financial services company.
- DMARC policy=reject (enforced alignment): DMARC is set to reject unauthorised mail claiming to be from coinbase.com. Both DKIM and SPF alignment are strict (adkim=s, aspf=s), so attackers can't pretend to be Coinbase by signing with a lookalike domain or playing alignment games.
- SPF -all (hardfail): SPF uses a hard fail (-all), meaning only mail from Amazon SES and Google's infrastructure can claim to originate from coinbase.com. This blocks the vast majority of spoofing vectors from random SMTP servers.
- DKIM at 2 selectors (google, mandrill): Coinbase signs mail with DKIM keys across two distinct selectors, making it harder for attackers to forge signatures. We found these across 22 common probes, suggesting proper signing infrastructure.
- MTA-STS missing: MTA-STS would lock down the delivery path from other servers to Coinbase's mail infrastructure, preventing man-in-the-middle interception during SMTP handoff. Its absence is not critical given the strong DMARC/SPF/DKIM posture, but it's a gap for a financial institution.
What this means practically
An attacker cannot realistically send mail that will reach Coinbase users' inboxes while spoofing coinbase.com. Gmail, Outlook, and other major providers will reject or aggressively spam-folder any message that claims to be from Coinbase without a DKIM signature or SPF pass aligned with its strict DMARC policy. The only practical attack vector remaining is social engineering or targeting Coinbase's own upstream mail providers (Amazon SES, Google Workspace), not spoofing the domain itself.
Context for Coinbase
Coinbase is a financial services provider handling user accounts and transactions. The strong DMARC reject stance is appropriate and expected at this risk level. The absence of MTA-STS is a minor miss for a company of this scale and sensitivity.
Bottom line: Coinbase has closed the spoofing door; attackers will need a different angle.
What we measured
| Status | Check | Result | Detail |
|---|---|---|---|
| Enforced | DMARC policy | p=reject | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP. |
| Enforced | SPF posture | -all (hardfail) | SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Record: `v=spf1 include:amazonses.com include:_spf.google.com -all` |
| Enforced | DKIM presence | found at 2 selectors | DKIM key found at selectors: google, mandrill. |
| Open | MTA-STS (transport) | missing | No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade. |
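To show how the Enforced/Open labels above are derived from the raw DNS records, here is an added Python example (not part of this report or its tooling) that classifies DMARC and SPF TXT records the same way. The SPF record is the one quoted in the report; the DMARC record is a constructed sample assembled from the tags the report states, not a live lookup.

```python
import re

# Constructed sample records (not a live DNS lookup). The SPF record is the one
# quoted in the report; the DMARC record is assembled from the tags the report
# states (p=reject, pct=100, adkim=s, aspf=s).
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s"
SPF_RECORD = "v=spf1 include:amazonses.com include:_spf.google.com -all"

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def dmarc_status(record: str) -> str:
    """Enforced: p=reject on 100% of mail, strict alignment on both identifiers.
    Partial: reject, but relaxed alignment (any subdomain of the org domain passes).
    Open: anything weaker, including a sampled (pct<100) reject."""
    t = parse_tags(record)
    if t.get("v") != "dmarc1" or t.get("p", "none") != "reject":
        return "Open"
    pct = t.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "Open"
    if t.get("adkim", "r") != "s" or t.get("aspf", "r") != "s":
        return "Partial"
    return "Enforced"

def spf_status(record: str) -> str:
    """Enforced only for a hardfail (-all) terminator; ~all is advisory softfail;
    ?all, +all or no 'all' term at all leaves the domain open."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "Open"
    return {"-all": "Enforced", "~all": "Softfail"}.get(terms[-1].lower(), "Open")

def spf_sources(record: str) -> list:
    """The include: domains, i.e. the third parties allowed to send as the domain."""
    return re.findall(r"\binclude:(\S+)", record)

def practically_spoofable(dmarc_record: str) -> bool:
    """DMARC reject at pct=100 is the gate: without it, major receivers do not
    reject unauthenticated mail that claims the domain."""
    return dmarc_status(dmarc_record) == "Open"
```

Feeding the two sample records through gives the same Enforced/Enforced result the table shows; weaken either (a pct=50 sample, relaxed alignment, or a ~all terminator) and the classification drops accordingly.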
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.