wiredepth

Spoofability verdict for etsy.com

No - etsy.com is not practically spoofable.


Etsy has built a strong email authentication posture that makes spoofing practically difficult. DMARC policy=reject paired with SPF hardfail coverage creates a high bar for attackers.

  • DMARC policy=reject: Rejects email that fails DMARC checks outright. No soft failures, no exceptions. This is the strongest possible DMARC stance and blocks unauthenticated mail.
  • SPF hardfail (-all): SPF record ends with -all, meaning any server not explicitly listed in the record is rejected. Etsy lists 13+ authorised IP ranges and includes Google, Amazon SES, and other legitimate senders, covering their scale.
  • DKIM at 4 selectors: Found k1, google, s1, and s2 selectors. Multiple selectors provide key rotation flexibility and reduce impact if a single key is compromised.
  • MTA-STS mode=none: No MTA-STS policy is enforced. This does not affect spoofing directly (MTA-STS governs TLS on inbound SMTP delivery, not sender authentication), but it leaves a small gap in the domain's security envelope.

What this means practically

An attacker cannot realistically send mail that will pass both SPF and DMARC checks and arrive in a recipient's inbox at scale. Gmail, Outlook, and other major receivers respect the reject policy and will quarantine or drop spoofed mail. A targeted spoof might succeed against a misconfigured or legacy mail system that does not evaluate DMARC, but modern receivers will treat it as inauthentic.

Bottom line: Etsy's email authentication is done correctly—DMARC reject + SPF hardfail = a well-defended domain that is not practically spoofable at scale.

What we measured

  • Enforced. DMARC policy: p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • Enforced. SPF posture: -all (hardfail). SPF ends in -all, so receivers reject mail from IPs not in the policy. Published record:

    v=spf1 ip4:66.3.159.0/24 ip4:192.147.0.0/24 ip4:173.46.67.72/29 ip4:192.147.1.0/24 ip4:38.106.64.0/24 ip4:38.76.1.0/24 ip4:38.76.2.0/24 ip4:162.220.28.32/27 ip4:162.220.28.64/28 ip4:208.74.204.0/22 ip4:46.19.168.0/23 include:servers.mcsv.net include:mail.zendesk.com include:amazonses.com include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com a:web.q4press.com include:cvent-planner.com include:mail.clinchtalent.com include:spf.redpoints.com -all

  • Enforced. DKIM presence: found at 4 selectors (k1, google, s2, s1).
  • Open. MTA-STS (transport): mode=none (effectively disabled).

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode plus a TLS-RPT reporting endpoint, so that inbound SMTP delivery to the domain cannot be downgraded to plaintext and TLS failures are reported back to Etsy.
