wiredepth
Run a check

Spoofability verdict for crowdstrike.com

No - crowdstrike.com is not practically spoofable.

See the math

CrowdStrike has deployed the full stack of email authentication controls, and they work in concert to make spoofing their domain genuinely difficult.

  • DMARC policy=reject: DMARC is set to reject—the strongest enforcement mode. This tells receiving mail servers to drop any email claiming to be from crowdstrike.com that fails DMARC checks. No soft-landing; no second chances.
  • SPF ~all (softfail): SPF uses a softfail rather than hardfail, which technically allows unauthenticated mail through—but in practice, DMARC reject makes this distinction moot. The SPF record itself is solid, delegating to a third-party provider (has.pphosted.com) for mail source validation.
  • DKIM default + google selectors: Two active DKIM signing selectors found, meaning CrowdStrike signs mail with cryptographic keys that receivers can verify. Even if a forger spoofs the From header, they can't sign the message without those private keys.
  • MTA-STS mode=enforce: MTA-STS enforces encrypted, authenticated connections to CrowdStrike's mail servers. This prevents an attacker from intercepting mail in transit or downgrading to unencrypted channels—a different but related threat to spoofing.

What this means practically

An attacker cannot practically spoof crowdstrike.com. If they send mail claiming to be from that domain, DMARC reject will cause the receiving mail server (Gmail, Office 365, corporate mail gateways) to drop or quarantine it before it reaches the inbox. The attacker would need to either compromise CrowdStrike's own mail infrastructure, steal their DKIM private keys, or somehow become an authorized sender on their SPF record—all much harder than spoofing a domain with weak or missing controls.

Bottom line: CrowdStrike has done the work: strong DMARC enforcement, valid DKIM signings, and MTA-STS adoption leave no easy path for spoofing.

What we measured

Enforced

DMARC policy

p=reject

inspect →

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Partial

SPF posture

~all (softfail)

inspect →

SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all

Enforced

DKIM presence

found at 2 selectors

inspect →

DKIM key found at selectors: default, google.

Enforced

MTA-STS (transport)

mode=enforce

inspect →

MTA-STS in enforce mode. Mail in transit cannot be downgraded by an attacker.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.

Check another domain