Spoofability verdict for google.com
Maybe - google.com is partially protected.
See the math
Google has DMARC set to reject, which is the gold standard, but the lack of published DKIM selectors and the softfail SPF create loopholes that attackers can exploit—even at one of the world's largest technology companies.
- DMARC policy=reject: This is the strongest DMARC stance available. Receivers are instructed to reject unauthenticated mail. Combined with proper authentication, this stops most spoofing at the boundary.
- SPF softfail (~all): A softfail is a warning, not a block. Mail that fails SPF still gets delivered; receivers treat it as a hint rather than a hard rejection. This leaves room for attackers to send mail that plausibly appears to come from google.com to receivers that don't strictly enforce SPF.
- DKIM no published selectors found: We probed 22 common DKIM selector names and found none published for google.com. Without DKIM signatures, Google mail can't be cryptographically proven authentic, gutting a key part of the authentication chain.
- MTA-STS enforce mode: MTA-STS enforces encrypted, authenticated SMTP connections. This stops man-in-the-middle attacks on the transport layer and protects the integrity of mail in flight.
What this means practically
An attacker can send email appearing to come from google.com and pass SPF checks at many receivers (since softfail isn't a rejection). Without published DKIM keys, recipients can't verify the message signature cryptographically. If a receiver's system or user is configured to trust SPF alone—common in organisations running older email stacks—the forged mail lands in the inbox. Modern systems like Gmail and M365 may catch this via reputation and AI, but smaller companies and stricter filtering rules could miss it. The DMARC reject policy only works if SPF or DKIM passes first; the softfail and missing DKIM selectors mean neither is guaranteed to happen.
Bottom line: Google's reject-level DMARC is solid, but the softfail SPF and absent DKIM selectors create a genuine spoofability gap—a reminder that even tech giants can have half-finished authentication hygiene.
What we measured
- DMARC policy: p=reject (Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: ~all (softfail) (Partial). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record: v=spf1 include:_spf.google.com ~all
- DKIM presence: no key found at common selectors (Open). No DKIM key found at any of the 22 common selectors. (Your domain may publish a DKIM key at a less-common selector - this is a heuristic, not exhaustive.)
- MTA-STS (transport): mode=enforce (Enforced). MTA-STS in enforce mode. Mail in transit cannot be downgraded by an attacker.
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
- Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list - that's fine, but worth verifying with your mail provider.
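The checks tabulated above (SPF terminal qualifier, DMARC policy and pct, DKIM selector probing, MTA-STS mode) can be reproduced on records you already hold, which is also how you verify the two fixes just listed once they are live. The following Python is an added example, not the scanner's own code. It does no network lookups: the SPF record is the one quoted in the report, while the DMARC text, the MTA-STS policy body, the DKIM records and the short selector probe list are constructed stand-ins (the report does not publish its 22 selector names). The Enforced / Partial / Open rubric and the final Yes / Maybe / No verdict encode this report's reasoning as I read it, not a standard.

```python
"""Classify SPF, DMARC, DKIM and MTA-STS posture from records already in hand.

Added example (not the scanner's code). No DNS or HTTPS is performed; the
inputs below are either quoted from the report (SPF) or constructed.
"""
import re

SPF_RECORD = "v=spf1 include:_spf.google.com ~all"          # quoted in the report
DMARC_RECORD = "v=DMARC1; p=reject; pct=100"                 # constructed to match "p=reject (pct=100)"
MTA_STS_POLICY = "version: STSv1\nmode: enforce\nmx: mx.example.test\nmax_age: 604800"  # constructed
# Constructed, deliberately short probe list standing in for the report's 22 selectors.
COMMON_SELECTORS = ["default", "selector1", "selector2", "google", "k1", "s1"]

SPF_QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """Split a 'k=v; k=v' tag list (DMARC, DKIM) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_posture(record):
    """Return (qualifier name, verdict) for the terminal 'all' mechanism.

    RFC 7208: a record with no 'all' (and no redirect=) evaluates to Neutral,
    which is no stronger than ?all, so it is classed Open here.
    """
    if not record.lower().startswith("v=spf1"):
        return ("missing", "Open")
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            qualifier = SPF_QUALIFIERS[m.group(1) or "+"]
            verdict = {"hardfail": "Enforced", "softfail": "Partial"}.get(qualifier, "Open")
            return (qualifier, verdict)
    return ("neutral", "Open")


def dmarc_posture(record):
    """Return (policy, pct, verdict). Only p=reject applied to 100% is Enforced."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return ("missing", 0, "Open")
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100             # fall back to the RFC 7489 default if pct is unparsable
    if policy == "reject" and pct == 100:
        verdict = "Enforced"
    elif policy in ("reject", "quarantine"):
        verdict = "Partial"   # quarantine, or reject applied to only part of the stream
    else:
        verdict = "Open"      # p=none monitors but does not block
    return (policy, pct, verdict)


def dkim_query_names(domain, selectors=COMMON_SELECTORS):
    """DNS names a selector probe would query: <selector>._domainkey.<domain>."""
    return [f"{s}._domainkey.{domain}" for s in selectors]


def dkim_record_has_key(txt):
    """True only if the TXT record carries a non-empty public key.

    RFC 6376 makes v=DKIM1 optional, and an empty p= means the key is revoked,
    so a record existing at a selector is not by itself proof of a usable key.
    """
    tags = parse_tags(txt)
    return tags.get("v", "DKIM1").upper() == "DKIM1" and bool(tags.get("p"))


def mta_sts_posture(policy_text):
    """Return (mode, verdict) from an MTA-STS policy file body (RFC 8461)."""
    mode = "none"
    for line in policy_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mode":
            mode = value.strip().lower()
    return (mode, {"enforce": "Enforced", "testing": "Partial"}.get(mode, "Open"))


def spoofability_verdict(spf, dmarc, dkim_key_found):
    """Report rubric as I read it: DMARC must be Enforced to get past 'Yes';
    an Enforced SPF or a published DKIM key then upgrades 'Maybe' to 'No'."""
    if dmarc_posture(dmarc)[2] != "Enforced":
        return "Yes"
    if spf_posture(spf)[1] == "Enforced" or dkim_key_found:
        return "No"
    return "Maybe"


if __name__ == "__main__":
    print("SPF     ", spf_posture(SPF_RECORD))
    print("DMARC   ", dmarc_posture(DMARC_RECORD))
    print("MTA-STS ", mta_sts_posture(MTA_STS_POLICY))
    print("DKIM probe names:", dkim_query_names("google.com")[:2], "...")
    print("Verdict:", spoofability_verdict(SPF_RECORD, DMARC_RECORD, dkim_key_found=False))
```

Feeding the report's own SPF record and a p=reject DMARC record with no DKIM key found reproduces the "Maybe" verdict above; swapping the SPF tail to -all, or supplying a selector whose TXT record passes dkim_record_has_key, moves it to "No". The empty-p= case matters in practice: a selector that resolves but carries a revoked key is no better than no selector at all.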