wiredepth
Spoofability verdict for costco.com

No - costco.com is not practically spoofable.

Costco has built a tight email authentication posture. DMARC is set to reject, SPF enforces a hardfail, and DKIM is properly deployed—this is how you stop spoofing.

  • DMARC p=reject (enforced): Any email claiming to be from costco.com that fails authentication is flat-out rejected by compliant receivers. This is the strongest policy available and stops attackers cold.
  • SPF -all hardfail (enforced): Only servers listed in the SPF chain (including the has.pphosted.com infrastructure) can send mail from costco.com. Anything else bounces. No gray area.
  • DKIM: 4 selectors found (mandrill, google, s1, s2): Multiple signing keys reduce the window for key compromise and show mature email operations. Receivers can verify the cryptographic signature on every message.
  • MTA-STS: missing: This signal protects against downgrade attacks on the SMTP connection itself—a niche threat. Its absence doesn't weaken the three defenses above, but adding it would harden the channel further.

What this means practically

An attacker cannot realistically impersonate costco.com. Email claiming to be from Costco will fail DMARC and SPF checks at the receiver, causing Gmail, Microsoft 365, Yahoo, and enterprise systems to reject or spam-folder it. A spoofed message can still be crafted and sent, but it won't reach inboxes—the attacker would need to compromise Costco's own infrastructure or one of their authorized senders (Mandrill, Google) to bypass these controls.

Bottom line: Costco has deployed the three core email authentication standards correctly and at full strength—DMARC reject, SPF hardfail, and DKIM signing—making spoofing impractical for any attacker without inside access.

What we measured

DMARC policy: p=reject (Enforced)
DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

SPF posture: -all (hardfail) (Enforced)
SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all

DKIM presence: found at 4 selectors (Enforced)
DKIM key found at selectors: google, mandrill, s2, s1.

MTA-STS (transport): missing (Open)
No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
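As an added example (not wiredepth's code), this Python script applies the same Enforced/Open rules to constructed DMARC and SPF records shaped like the ones above, and expands the RFC 7208 macros in the pphosted include to show the per-IP lookup name a receiver actually queries. The client IP, reporting mailbox and `practically_spoofable` helper are assumptions, not values from the report.

```python
"""Classify DMARC/SPF records the way the report does and expand the SPF
macros in the costco.com include. Added example, not wiredepth code;
records and IPs below are constructed so the script runs offline."""
import ipaddress
import re

# Constructed sample records shaped like the ones in the report.
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"
SPF_RECORD = "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all"
SPF_INCLUDE = "%{ir}.%{v}.%{d}.spf.has.pphosted.com"


def dmarc_verdict(record: str) -> str:
    """'enforced' only for p=reject/quarantine applied to 100% of mail."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    if policy in ("reject", "quarantine") and pct == 100:
        return "enforced"
    return "open"  # p=none or a partial pct leaves spoofed mail deliverable


def spf_all_qualifier(record: str) -> str:
    """Map the terminal 'all' mechanism to the receiver behaviour it requests."""
    m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    if not m:
        return "no-all"  # record never says what to do with unlisted senders
    return {"-": "hardfail", "~": "softfail", "?": "neutral",
            "+": "pass", "": "pass"}[m.group(1)]


def expand_spf_macros(term: str, client_ip: str, domain: str) -> str:
    """Expand the RFC 7208 macros %{ir}, %{v}, %{d} used by the include term."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        parts, version_label = str(ip).split("."), "in-addr"
    else:  # IPv6: 32 reversed nibbles, as in an ip6.arpa name
        parts, version_label = list(ip.exploded.replace(":", "")), "ip6"
    for macro, value in {"%{ir}": ".".join(reversed(parts)),
                         "%{v}": version_label, "%{d}": domain}.items():
        term = term.replace(macro, value)
    return term


def practically_spoofable(dmarc: str, spf: str, dkim_selectors: int) -> bool:
    """The report's rule: not spoofable only if all three controls are enforced."""
    return not (dmarc_verdict(dmarc) == "enforced"
                and spf_all_qualifier(spf) == "hardfail"
                and dkim_selectors > 0)
```

With a sending IP of 203.0.113.45 the include resolves to the per-IP name 45.113.0.203.in-addr.costco.com.spf.has.pphosted.com, which is why a receiver's SPF lookup for a spoofed sender lands on a record that does not authorize it.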

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.