Spoofability verdict for fedex.com
No - fedex.com is not practically spoofable.
See the math
FedEx has implemented a textbook email authentication posture: their DMARC policy rejects unauthenticated mail at the domain level, backed by a strict SPF hardfail and multiple DKIM signers. There's almost no room for an attacker to spoof fedex.com successfully.
- DMARC policy=reject at 100%: Mail whose From: header claims fedex.com and that fails DMARC (no SPF pass and no DKIM pass aligned with fedex.com) is rejected outright by receivers that enforce DMARC, which the major mailbox providers do. p=reject is the strongest policy available, and pct=100 applies it to all failing traffic with no sampling.
- SPF -all (hardfail): The record ends in -all, so mail with a fedex.com envelope sender that arrives from an IP the record does not authorise evaluates to SPF fail. Only two sources are authorised: FedEx's own outbound host (a:smtp-out-colo.dmz.fedex.com) and a Proofpoint include written with SPF macros (%{ir}.%{v}.%{d}.spf.has.pphosted.com), which turns the sending IP into a DNS name so the include is answered per IP instead of publishing a static list of netblocks. Note that SPF checks the envelope (MAIL FROM/HELO) domain, not the From: header; DMARC alignment is what ties the two together.
- DKIM at 5 selectors: fedex.com publishes DKIM public keys at five selectors (k1, k2, s1, s2, mandrill), so mail from different FedEx systems and third-party senders can each carry a valid d=fedex.com signature. Without the matching private key an attacker cannot produce a signature that verifies. The check confirms that a key is published at each selector; it says nothing about key length or age.
- MTA-STS missing: MTA-STS lets a domain declare that its MX hosts support TLS with valid certificates, so that sending servers refuse to fall back to plaintext or to deliver to an unexpected MX. It protects mail delivered to fedex.com against on-path downgrade; it plays no part in preventing someone from spoofing fedex.com, so its absence does not change the verdict.
What this means practically
An attacker cannot practically spoof fedex.com mail. To pass DMARC, a message needs either an SPF pass aligned with fedex.com (sent from an IP the SPF record authorises, with a fedex.com envelope sender) or a DKIM signature aligned with fedex.com (signed with one of FedEx's private keys). An outsider has neither, so the message fails DMARC and receivers that enforce p=reject, including Gmail, Outlook and most enterprise gateways, refuse it before it reaches an inbox. The two mechanisms are alternatives, not layers: a valid d=fedex.com DKIM signature alone would pass DMARC regardless of SPF, which is why the private keys behind all five selectors, including those held by third-party senders, must be guarded as carefully as FedEx's own MTA. What these records do not cover is anything other than the exact fedex.com From: domain: lookalike domains, display-name tricks and abuse of an authorised third-party sending account are outside the scope of SPF, DKIM and DMARC.
Bottom line: FedEx's authentication posture is enforced at all three layers; spoofing the fedex.com domain itself is not a realistic threat.
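The DMARC decision described above, as an added example (this is not code from the page, from FedEx or from any receiver). It takes the results a receiver already has (the SPF result and the domain SPF was evaluated on, plus DKIM d= domain/verdict pairs), decides whether the message passes DMARC for the From: header domain and applies the published policy. The DMARC record and all message scenarios are constructed; the page reports only p=reject and pct=100.

```python
"""DMARC verdict for one message, following RFC 7489.

Added example; not code from the scanned page, from FedEx or from any
receiver. The DMARC record below is constructed to match the two tags the
scan reported (p=reject, pct=100) and nothing else.
"""
from dataclasses import dataclass, field

DMARC_RECORD = "v=DMARC1; p=reject; pct=100"   # constructed


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment.

    Assumption/simplification: last two labels. Real receivers consult the
    Public Suffix List so that names like example.co.uk are handled right.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict, with RFC 7489 defaults filled in."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "p": "none"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class AuthResults:
    from_domain: str            # domain of the RFC5322.From header
    spf_result: str             # pass / fail / softfail / neutral / none
    spf_domain: str             # MAIL FROM (or HELO) domain SPF was checked on
    dkim: list = field(default_factory=list)  # [(d= domain, "pass"|"fail"), ...]


def dmarc_verdict(r: AuthResults, record: str = DMARC_RECORD) -> tuple:
    """Return (dmarc_result, disposition, reason).

    DMARC passes when EITHER an aligned SPF pass OR an aligned DKIM pass
    exists. They are alternatives: one aligned DKIM pass is enough even if
    SPF failed, and an SPF pass on an unaligned bounce domain counts for
    nothing.
    """
    t = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, t["aspf"])
    dkim_ok = any(v == "pass" and aligned(d, r.from_domain, t["adkim"]) for d, v in r.dkim)
    if spf_ok or dkim_ok:
        return "pass", "none", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    # pct<100 would apply p to only that share of failures (the rest get the
    # next weaker policy); with pct=100 every failure gets p.
    return "fail", t["p"], f"no aligned pass; p={t['p']} pct={t['pct']}"


# Constructed scenarios, all with From: fedex.com.
SCENARIOS = {
    # Attacker's own server and envelope domain, no signature.
    "forged, unsigned": AuthResults("fedex.com", "fail", "attacker.example"),
    # Attacker signs with a key for a domain they control: DKIM verifies,
    # but d= is not aligned with fedex.com, so it does not help them.
    "forged, signed with own key": AuthResults(
        "fedex.com", "pass", "attacker.example", [("attacker.example", "pass")]),
    # Legitimate mail via a third-party sender: SPF passes only on the
    # provider's bounce domain (unaligned); the aligned DKIM pass carries it.
    "legit via ESP": AuthResults(
        "fedex.com", "pass", "bounces.esp.example", [("fedex.com", "pass")]),
    # Legitimate mail from FedEx's own MTA: aligned SPF pass, no DKIM needed.
    "legit direct": AuthResults("fedex.com", "pass", "fedex.com"),
}


def run_scenarios() -> dict:
    return {name: dmarc_verdict(r) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (result, disposition, why) in run_scenarios().items():
        print(f"{name:30} dmarc={result:4} disposition={disposition:6} ({why})")
```

The second scenario is the one worth staring at: a DKIM pass on its own means nothing to DMARC unless the d= domain aligns with the From: domain, and the third shows why a fedex.com key at a third-party sender is load-bearing.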
What we measured
- Enforced: DMARC policy: p=reject. DMARC at p=reject (pct=100). Receivers that enforce DMARC reject spoofed mail at SMTP time.
- Enforced: SPF posture: -all (hardfail). SPF ends in -all, so mail from IPs the record does not authorise evaluates to fail; combined with p=reject, receivers reject it. Record: v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com a:smtp-out-colo.dmz.fedex.com -all
- Enforced: DKIM presence: found at 5 selectors. DKIM key found at selectors: k2, mandrill, s1, s2, k1.
- Open: MTA-STS (transport): missing. No MTA-STS policy. An active attacker who can forge DNS answers or strip STARTTLS on the path can redirect or downgrade mail inbound to fedex.com.
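How the SPF record above is actually evaluated for a sending IP, including the macro include, as an added example (not code from the page, FedEx or Proofpoint). The record is the one the scan reported; every DNS answer is constructed so the example runs offline: the addresses are RFC 5737 documentation ranges, and how Proofpoint really answers the macro lookup is not on the page, so it is modelled as "a record exists only for authorised IPs".

```python
"""SPF evaluation of the fedex.com record for a given sending IP.

Added example; not code from the page, FedEx or Proofpoint. Implements
just the subset of RFC 7208 this record needs: the %{ir}, %{v}, %{d}
macros, the a:, include:, ip4:/ip6: and all mechanisms, and the + - ~ ?
qualifiers. All DNS data below is constructed.
"""
import ipaddress

SPF_RECORD = ("v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com "
              "a:smtp-out-colo.dmz.fedex.com -all")

# Constructed DNS zone: (name, type) -> list of answers.
DNS = {
    ("fedex.com", "TXT"): [SPF_RECORD],
    ("smtp-out-colo.dmz.fedex.com", "A"): ["192.0.2.25"],
    # The macro turns the sending IP into a hostname, so the include is
    # answered per IP. Modelled here (assumption) as: a record exists only
    # for authorised IPs; any other IP gets no answer and therefore no pass.
    ("45.113.0.203.in-addr.fedex.com.spf.has.pphosted.com", "TXT"):
        ["v=spf1 ip4:203.0.113.45 -all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> list:
    return DNS.get((name.lower().rstrip("."), rtype), [])


def expand_macros(term: str, ip: str, domain: str) -> str:
    """Expand %{i}, %{ir}, %{v}, %{d} (RFC 7208 section 7.3).

    %{i}  sending IP: dotted decimal for IPv4, 32 dot-separated nibbles for IPv6
    %{ir} the same with label order reversed ('r' modifier)
    %{v}  'in-addr' for IPv4, 'ip6' for IPv6
    %{d}  the domain being checked
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        i, v = str(addr), "in-addr"
    else:
        i, v = ".".join(addr.exploded.replace(":", "")), "ip6"
    ir = ".".join(reversed(i.split(".")))
    return (term.replace("%{ir}", ir).replace("%{i}", i)
                .replace("%{v}", v).replace("%{d}", domain))


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """RFC 7208 check_host(): pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target = expand_macros(arg, ip, domain) if arg else domain
            rtype = "A" if addr.version == 4 else "AAAA"
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(target, rtype))
        elif mech == "include":
            # include: matches only on 'pass'. A 'none' from the target is a
            # permerror in the RFC; treated as no-match here for brevity.
            matched = check_host(ip, expand_macros(arg, ip, domain), depth + 1) == "pass"
        else:
            return "permerror"           # mechanisms this record does not use
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.45", "198.51.100.7"):
        print(f"{ip:15} -> {check_host(ip, 'fedex.com')}")
```

For 203.0.113.45 the include expands to 45.113.0.203.in-addr.fedex.com.spf.has.pphosted.com; for an IPv6 sender the same macro yields 32 reversed nibbles under ip6. Any IP with neither an A-record match nor a per-IP include answer falls through to -all and fails, which is the result DMARC then turns into a reject.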
How to close the open finding
- Publish an MTA-STS policy (a TXT record at _mta-sts.fedex.com plus the policy file at https://mta-sts.fedex.com/.well-known/mta-sts.txt) and a TLS-RPT record at _smtp._tls.fedex.com so that senders report failures. Start in mode: testing, review the TLS-RPT reports for MX or certificate mismatches, then switch to mode: enforce. This hardens transport for mail inbound to fedex.com; the spoofability verdict is already settled by DMARC, SPF and DKIM.
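What the recommended records look like and how a policy-aware sender acts on them, as an added example (not code from the page or from FedEx). fedex.com publishes none of these records today, which is the open finding, so the TXT records, policy text and MX hostnames below are constructed placeholders; the matching rules follow RFC 8461 and RFC 8460.

```python
"""MTA-STS (RFC 8461) in enforce mode plus TLS-RPT (RFC 8460): the records a
domain publishes and the decision a sending MTA makes with them.

Added example; not code from the page or from FedEx. All records, policy
text and MX hostnames are constructed placeholders.
"""
import re

# TXT record at _mta-sts.<domain>. It only announces that a policy exists;
# 'id' must change whenever the policy file changes so senders refetch it.
MTA_STS_TXT = "v=STSv1; id=20240601T120000"

# Policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt
POLICY_TXT = """version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.mail.example.net
max_age: 604800
"""

# TXT record at _smtp._tls.<domain>: where senders report TLS failures.
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.net"


def parse_sts_txt(txt: str) -> str:
    """Validate the _mta-sts TXT record and return its id."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1":
        raise ValueError("v must be STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields["id"]


def parse_policy(text: str) -> dict:
    """Parse the policy file; raise ValueError on anything a sender must reject."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def mx_allowed(mx_host: str, patterns: list) -> bool:
    """RFC 8461 section 4.1: an mx pattern is an exact hostname or '*.'
    followed by a name, where the wildcard matches exactly one label. So
    *.mail.example.net matches a.mail.example.net but neither
    a.b.mail.example.net nor mail.example.net itself."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == pat[2:]:
                return True
        elif host == pat:
            return True
    return False


def delivery_decision(policy: dict, mx_host: str, starttls_ok: bool,
                      cert_valid_for_mx: bool) -> str:
    """What a policy-aware sender does after connecting to mx_host.

    In enforce mode any of: an MX outside the policy (DNS/MX redirection),
    no usable STARTTLS (downgrade), or a certificate that does not validate
    for the MX name means the message is NOT delivered. In testing mode it
    is delivered and the failure is reported via TLS-RPT.
    """
    ok = mx_allowed(mx_host, policy["mx"]) and starttls_ok and cert_valid_for_mx
    if ok:
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse"
    return "deliver-and-report" if policy["mode"] == "testing" else "deliver"


if __name__ == "__main__":
    pol = parse_policy(POLICY_TXT)
    print("policy id", parse_sts_txt(MTA_STS_TXT), "mode", pol["mode"], "mx", pol["mx"])
    print("rogue MX:         ", delivery_decision(pol, "mx.attacker.example", True, True))
    print("STARTTLS stripped:", delivery_decision(pol, "mx1.example.net", False, False))
    print("good path:        ", delivery_decision(pol, "a.mail.example.net", True, True))
```

The two failure branches are exactly the "DNS / MX downgrade" the finding refers to: redirecting MX to a host outside the policy, or stripping STARTTLS so the session stays in plaintext. In enforce mode both end in a refused delivery (and a retry later) rather than a silently downgraded one; in testing mode they are delivered but show up in the TLS-RPT reports, which is how the rollout should be validated before flipping to enforce.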