Spoofability verdict for coursera.org
No - coursera.org is not practically spoofable.
See the math
Coursera has built a tight email authentication posture that makes spoofing messages as them very difficult in practice. Their DMARC, SPF, and DKIM signals all align and enforce, closing the common spoofing vectors.
- DMARC p=reject at 100%: Coursera enforces DMARC rejection on all outbound mail (pct=100). Any message claiming to be from coursera.org that fails DMARC authentication is rejected outright by receiving mail servers, not delivered and not even routed to spam. This is the strongest possible DMARC stance.
- SPF -all (hardfail): SPF is configured with a hard fail (-all), meaning only the senders explicitly listed in the record (SendGrid, Google, Amazon SES, Salesforce, and the IP addresses named in the record) can send mail from coursera.org. Any unlisted sender fails the SPF check.
- DKIM at 4 selectors: Coursera signs with at least 4 DKIM selectors (google, k2, s2, s1), so their messages carry cryptographic signatures that receiving mail servers can verify. Forged messages will not carry valid signatures matching these keys.
- MTA-STS absent: Coursera does not publish an MTA-STS policy, so there is no enforcement guaranteeing TLS during mail transit. This is a secondary concern: their DMARC, SPF, and DKIM are already very strong, and MTA-STS protects transport, not sender authenticity.
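As an added example (not the report's own tooling), a small Python checker that parses the SPF record shown on this page and a DMARC record constructed to match the stated policy, then labels each signal Enforced or Open the way this report does; DKIM selectors and MTA-STS presence are passed in as already-known facts rather than looked up over DNS.

```python
"""Classify a domain's mail-authentication posture from its published records.
Added example, not the report's own code: the SPF record is the one shown on the
page; the DMARC record is constructed to match the stated p=reject, pct=100."""
COURSERA_SPF = ("v=spf1 include:sendgrid.net ip4:24.6.102.21 ip4:50.16.53.44 "
                "include:_spf.google.com include:amazonses.com include:spf.mtasv.net "
                "include:_spf.salesforce.com -all")
COURSERA_DMARC = "v=DMARC1; p=reject; pct=100"  # constructed from the page's summary
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return the qualifier on 'all' plus the (mechanism, value) terms before it."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=, not a mechanism
            continue
        qualifier = "+"  # RFC 7208: a missing qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            all_qualifier = QUALIFIERS[qualifier]
        else:
            mechanisms.append((name.lower(), value))
    # a record with no 'all' term evaluates to neutral, which is effectively open
    return {"all": all_qualifier or "neutral", "mechanisms": mechanisms}

def parse_dmarc(record):
    """Return DMARC tags as a dict; pct defaults to 100 per RFC 7489."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags

def posture(spf_record, dmarc_record, dkim_selectors, mta_sts_present):
    """Label each signal Enforced/Open the way the 'What we measured' table does."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    dmarc_ok = dmarc.get("p") == "reject" and dmarc["pct"] == 100
    return {"DMARC policy": "Enforced" if dmarc_ok else "Open",
            "SPF posture": "Enforced" if spf["all"] == "hardfail" else "Open",
            "DKIM presence": "Enforced" if dkim_selectors else "Open",
            "MTA-STS": "Enforced" if mta_sts_present else "Open"}
```

A domain is only practically spoofable when its "DMARC policy" comes back Open; the SPF and DKIM rows explain which path legitimate mail uses to pass.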
What this means practically
An attacker cannot reasonably spoof a legitimate Coursera message to a mail server with modern authentication checks. Major providers (Gmail, Microsoft 365, ProtonMail) will reject or severely downrank spoofed mail claiming to be from coursera.org because it will fail SPF, DKIM, or DMARC. The only realistic attack surface is spear-phishing in which a message is made to look visually like Coursera but is sent from a different domain entirely: a social engineering problem, not an authentication one.
Bottom line: Coursera's authentication setup is robust; spoofing their domain via email is not a practical vector for attackers.
What we measured

Status    Check                 Result                 Detail
Enforced  DMARC policy          p=reject               DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
Enforced  SPF posture           -all (hardfail)        SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.
Enforced  DKIM presence         found at 4 selectors   DKIM key found at selectors: google, k2, s1, s2.
Open      MTA-STS (transport)   missing                No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

SPF record as published:
v=spf1 include:sendgrid.net ip4:24.6.102.21 ip4:50.16.53.44 include:_spf.google.com include:amazonses.com include:spf.mtasv.net include:_spf.salesforce.com -all
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode together with a TLS-RPT record, so that receivers require TLS to the published MX hosts and report delivery failures back to Coursera.