wiredepth

Spoofability verdict for ebay.com

No - ebay.com is not practically spoofable.

See the math

eBay has locked down its email domain with an enforced DMARC reject policy, the gold standard for email authentication: receivers that honour DMARC refuse mail claiming to be from ebay.com that fails authentication.

  • DMARC p=reject at 100%: Mail claiming to be from ebay.com that fails DMARC (no aligned SPF pass and no aligned DKIM pass) is rejected by receivers that honour the policy. This is the strongest posture available and blocks direct spoofing of the domain.
  • SPF with softfail (~all): The SPF record delegates to three eBay-managed include: records (c._spf.ebay.com, p._spf.ebay.com, p2._spf.ebay.com) and ends in ~all rather than -all. On its own, softfail lets receivers accept and merely flag mail from unlisted IPs. Under DMARC it makes no difference: DMARC only credits an SPF result of pass, so softfail and fail are treated identically and the reject policy applies either way.
  • DKIM at 6 active selectors: eBay publishes DKIM keys at six selectors (mandrill, k1, dkim, google, s2, s1), so several sending systems can sign its mail. A valid, aligned DKIM signature passes DMARC independently of SPF, and an attacker without the private keys cannot produce one.
  • MTA-STS not deployed: MTA-STS lets sending servers require TLS and verified MX hosts when delivering mail to ebay.com, which defeats STARTTLS-stripping and MX-spoofing attacks on inbound mail. Its absence affects the transport confidentiality of mail sent to eBay, not whether mail from eBay can be forged, so it doesn't undermine the DMARC + DKIM foundation already in place.

What this means practically

An attacker cannot realistically deliver mail that arrives in recipient inboxes as coming from ebay.com. A forged message has neither an aligned SPF pass nor an aligned DKIM signature, so it fails DMARC and the reject policy applies; Gmail, Outlook and other major receivers that honour DMARC will refuse it at SMTP or discard it. The remaining phishing surface lies outside the domain's authentication: lookalike domains (ebay-security.net and the like), display-name tricks in an unrelated From address, and abuse of a legitimate sender that is already authorised to send as eBay. Those are user education and sender-hygiene problems, not email authentication ones.
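The reasoning in the softfail bullet and the paragraph above (softfail is as good as fail once p=reject is in place, and an SPF or DKIM pass only counts when the authenticated domain aligns with the From domain) as a worked DMARC evaluation. This is an added example, not wiredepth's code: the DMARC record is constructed from the values the verdict reports (p=reject, pct=100), the message scenarios are constructed, and the organisational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
"""DMARC disposition (RFC 7489) for one message, given its SPF and DKIM results.

Added example, not wiredepth's code. EBAY_DMARC is constructed from the reported
values; the scenarios are constructed; org_domain() is a simplification.
"""
from dataclasses import dataclass

# Constructed from the reported p=reject / pct=100; the real record may carry more tags.
EBAY_DMARC = "v=DMARC1; p=reject; pct=100"


@dataclass
class DkimResult:
    result: str  # "pass", "fail", "none", ...
    d: str       # signing domain from the signature's d= tag


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain (assumption: last two labels, no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_results, sampled=True):
    """Return 'pass' when DMARC passes, otherwise the policy the receiver applies
    ('none', 'quarantine', 'reject'), or 'no-policy' when the record is unusable.

    spf_result / spf_domain: the SPF verdict and the RFC5321.MailFrom domain it was
    evaluated for. dkim_results: list of DkimResult. sampled: whether the message
    fell inside the pct= sample; the unsampled share gets the next weaker policy.
    """
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "no-policy"
    # DMARC only credits an SPF result of "pass": softfail, neutral, fail and none
    # are all failures here, which is why ~all costs nothing under p=reject.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r.result == "pass" and aligned(r.d, from_domain, tags.get("adkim", "r"))
                  for r in dkim_results)
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"].lower()
    if not sampled and int(tags.get("pct", "100")) < 100:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


def scenarios() -> dict:
    """Constructed messages, all carrying RFC5322.From ebay.com."""
    return {
        # Genuine: SPF pass on a bounce subdomain (relaxed alignment) plus a DKIM pass.
        "legitimate": dmarc_disposition(EBAY_DMARC, "ebay.com", "pass", "bounce.ebay.com",
                                        [DkimResult("pass", "ebay.com")]),
        # Forged from an unlisted IP: ~all yields softfail, and there is no signature.
        "forged_softfail": dmarc_disposition(EBAY_DMARC, "ebay.com", "softfail", "ebay.com", []),
        # Attacker's own SPF passes, but for a MailFrom domain that does not align.
        "forged_unaligned_spf": dmarc_disposition(EBAY_DMARC, "ebay.com", "pass",
                                                  "attacker.example", []),
        # Attacker signs with a key for a domain they control: valid DKIM, not aligned.
        "forged_unaligned_dkim": dmarc_disposition(EBAY_DMARC, "ebay.com", "fail", "ebay.com",
                                                   [DkimResult("pass", "attacker.example")]),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

Every forged scenario ends in reject regardless of whether SPF said softfail or fail, while the genuine message passes on either of the two aligned identifiers; the relaxed-versus-strict alignment switch (aspf / adkim) is the one setting that changes which subdomains may authenticate on the parent's behalf.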

Bottom line: eBay's reject-at-100% DMARC, backed by multiple DKIM selectors, makes spoofing ebay.com impractical; this is how a retail brand should secure its domain.

What we measured

Enforced

DMARC policy

p=reject


DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Partial

SPF posture

~all (softfail)


SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

v=spf1 include:c._spf.ebay.com include:p._spf.ebay.com include:p2._spf.ebay.com ~all

Enforced

DKIM presence

found at 6 selectors


DKIM key found at selectors: google, k1, s2, s1, mandrill, dkim.

Open

MTA-STS (transport)

missing


No MTA-STS policy. Without one, a sending server has no way to verify ebay.com's MX hosts or to insist on TLS, so mail destined for ebay.com can be redirected through spoofed DNS/MX answers or downgraded to plaintext by an on-path attacker. This concerns inbound transport security, not forgery of mail from ebay.com.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have verified the sender list (DMARC aggregate reports are the usual way to confirm nothing legitimate is missing). This hardens the posture for receivers that check SPF but do not enforce DMARC; DMARC-enforcing receivers already treat softfail as a failure.
  2. Publish an MTA-STS policy (a TXT record at _mta-sts.ebay.com and the policy file at https://mta-sts.ebay.com/.well-known/mta-sts.txt), run it in testing mode first, then switch to enforce mode; add a TLS-RPT record at _smtp._tls.ebay.com so sending servers report TLS and policy failures.
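The two remediation steps as published records, with a classifier that grades them the way the table above does (Enforced / Partial / Open), so the before and after can be compared offline. This is an added example, not wiredepth's code: the SPF record is the one shown on the page, the DMARC record is constructed from the reported values, and the MTA-STS policy id, MX hostnames (mx1.ebay.example, mx2.ebay.example) and TLS-RPT address in REMEDIATED are hypothetical placeholders.

```python
"""Grade published SPF, DMARC, MTA-STS and TLS-RPT records like the verdict table.

Added example, not wiredepth's code. TODAY holds the records the page reports
(DMARC text constructed from p=reject, pct=100); REMEDIATED applies the two
steps above with hypothetical hostnames and reporting address.
"""


def spf_posture(record: str) -> str:
    """Enforced for -all, Partial for ~all, Open for ?all / +all / no 'all' term."""
    if not record or not record.lower().startswith("v=spf1"):
        return "None"
    last = record.split()[-1].lower()
    if last.startswith("redirect="):
        return "Partial"  # the redirected record decides; grade that one separately
    return {"-all": "Enforced", "~all": "Partial"}.get(last, "Open")


def dmarc_posture(record: str) -> str:
    """Enforced only for p=reject at pct=100; quarantine or a partial pct is Partial."""
    if not record:
        return "None"
    tags = {k.strip().lower(): v.strip().lower()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v") != "dmarc1" or "p" not in tags:
        return "None"
    if tags["p"] == "reject" and int(tags.get("pct", "100")) == 100:
        return "Enforced"
    return "Partial" if tags["p"] in ("reject", "quarantine") else "Open"


def mta_sts_posture(dns_txt: str, policy_text: str) -> str:
    """Needs both the _mta-sts TXT record and the policy file; only mode: enforce counts."""
    if not dns_txt or not dns_txt.startswith("v=STSv1") or not policy_text:
        return "Open"
    fields = {}
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    if fields.get("version") != ["STSv1"] or not fields.get("mx"):
        return "Open"  # malformed policy: senders ignore it
    mode = fields.get("mode", ["none"])[0]
    return {"enforce": "Enforced", "testing": "Partial"}.get(mode, "Open")


def tlsrpt_posture(record: str) -> str:
    """TLS-RPT only does anything with a reporting address (rua=)."""
    return "Enforced" if record and record.startswith("v=TLSRPTv1") and "rua=" in record else "Open"


def assess(spf, dmarc, sts_txt, sts_policy, tlsrpt) -> dict:
    return {
        "DMARC policy": dmarc_posture(dmarc),
        "SPF posture": spf_posture(spf),
        "MTA-STS (transport)": mta_sts_posture(sts_txt, sts_policy),
        "TLS-RPT": tlsrpt_posture(tlsrpt),
    }


# Records the page reports today; DMARC text constructed from p=reject, pct=100.
TODAY = dict(
    spf="v=spf1 include:c._spf.ebay.com include:p._spf.ebay.com include:p2._spf.ebay.com ~all",
    dmarc="v=DMARC1; p=reject; pct=100",
    sts_txt="", sts_policy="", tlsrpt="",
)

# The two remediation steps applied. Policy id, MX hosts and address are hypothetical.
REMEDIATED = dict(
    spf="v=spf1 include:c._spf.ebay.com include:p._spf.ebay.com include:p2._spf.ebay.com -all",
    dmarc="v=DMARC1; p=reject; pct=100",
    sts_txt="v=STSv1; id=20240101T000000",  # TXT at _mta-sts.ebay.com
    sts_policy=("version: STSv1\n"           # served at https://mta-sts.ebay.com/.well-known/mta-sts.txt
                "mode: enforce\n"
                "mx: mx1.ebay.example\n"
                "mx: mx2.ebay.example\n"
                "max_age: 604800\n"),
    tlsrpt="v=TLSRPTv1; rua=mailto:tlsrpt@ebay.example",  # TXT at _smtp._tls.ebay.com
)

if __name__ == "__main__":
    for label, records in (("today", TODAY), ("remediated", REMEDIATED)):
        print(label, assess(**records))
```

Note that the grader treats mode: testing as Partial on purpose: a testing policy produces TLS-RPT reports but does not stop a downgrade, so it is the staging step, not the destination.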
