wiredepth

Spoofability verdict for edx.org

Maybe - edx.org is partially protected.


edX sits in the middle ground that many education platforms land in: a quarantine policy is stronger than `p=none`, but the softfail SPF and missing MTA-STS leave room for a determined attacker to slip through in certain conditions.

  • DMARC p=quarantine (relaxed alignment): Quarantine means failed messages land in spam, not inbox, and alignment set to 'r' (relaxed) allows subdomain matches. This is a solid stance—better than p=none—though not the strongest possible posture.
  • SPF ~all (softfail): Softfail only advises receivers to be suspicious; it doesn't hard-reject. An attacker spoofing edx.org can still reach inboxes at receivers that treat softfail warnings as optional.
  • DKIM enforced (google selector found): DKIM signing with the Google selector present shows message integrity protection is active. Unsigned or spoofed mail fails this check automatically.
  • MTA-STS missing: No MTA-STS policy means incoming connections aren't authenticated via certificate pinning. An attacker can intercept inbound mail through a man-in-the-middle (MiTM) attack on the mail server handshake.

What this means practically

An attacker spoofing edx.org will likely be quarantined at Microsoft 365 and Gmail—both respect DMARC quarantine—but could bypass inbox filtering at receivers using older or lenient configurations. The softfail SPF doesn't stop them. A sophisticated attacker could also intercept inbound mail to edx.org by performing a network-level MiTM, since MTA-STS is absent and the connection isn't pinned to a specific certificate.

Context for edX

edX is an education platform handling legitimate multi-sender scenarios (course instructors, partner institutions, third-party integrations). Some complexity in SPF/DKIM scope is expected in this category. That said, the missing MTA-STS and softfail SPF are addressable and would meaningfully improve security posture without disrupting operations.

Bottom line: edX's quarantine policy catches most spoofs, but softfail SPF and missing MTA-STS leave gaps an attacker with moderate resources can exploit.

What we measured

  • DMARC policy: p=quarantine (status: Partial)
    DMARC at p=quarantine. Spoofed mail goes to spam but is not rejected.
  • SPF posture: ~all (softfail) (status: Partial)
    SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
    Published record: v=spf1 include:_u.edx.org._spf.smart.ondmarc.com ~all
  • DKIM presence: found at 1 selector (status: Enforced)
    DKIM key found at selector: google.
  • MTA-STS (transport): missing (status: Open)
    No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Move DMARC to p=reject pct=100 once your rua reports show no legitimate-sender failures.
  2. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  3. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
