wiredepth

Spoofability verdict for hubspot.com

No - hubspot.com is not practically spoofable.


HubSpot has implemented the email authentication posture that works: DMARC reject policy at 100%, SPF redirect, and multiple DKIM selectors. An attacker cannot realistically spoof mail from hubspot.com because the authentication chain is enforced end-to-end.

  • DMARC p=reject (100%): Policy set to reject all mail that fails DMARC checks, applied to all messages. No exceptions, no partial enforcement. This is the strongest DMARC posture available.
  • SPF redirect to _hspf.hubspot.com: SPF uses redirect to an authoritative subdomain rather than inline SPF rules. This centralises authentication logic and prevents SPF record length exhaustion. The neutral qualifier doesn't weaken the policy because DMARC p=reject handles the enforcement.
  • DKIM: 4 active selectors (s1, s2, google, mandrill): Multiple selectors enable key rotation without breaking signed mail. Both generic selectors (s1, s2) and service-specific ones (mandrill, google) were detected, indicating that DKIM covers the distributed sending infrastructure throughout.
  • MTA-STS: not configured: MTA-STS would add protection against TLS downgrade attacks in transit, but its absence here is not a practical weakness given the strength of upstream authentication (DMARC reject).

What this means practically

An attacker cannot send mail that will be accepted as legitimate hubspot.com mail by any DMARC-enforcing receiver (Gmail, Microsoft 365, most enterprise mail gateways). Mail must pass both SPF and DKIM. Spoofing the SPF check requires DNS control of hubspot.com. Forging DKIM signatures requires possession of the private key for one of the four active selectors. Realistically: this domain is not spoofable without compromising HubSpot's own infrastructure or DNS.

Bottom line: HubSpot has its authentication configured correctly: reject policy + multiple DKIM selectors + SPF redirect. No practical spoofing risk.

What we measured

DMARC policy: Enforced (p=reject)
DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

SPF posture: Partial (?all, neutral)
SPF record present but has no terminal mechanism. Behaviour at receivers is unspecified.
Published record: v=spf1 redirect=_hspf.hubspot.com

DKIM presence: Enforced (found at 4 selectors)
DKIM key found at selectors: mandrill, google, s2, s1.

MTA-STS (transport): Open (missing)
No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
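As an added example (not wiredepth's own code), the following Python reproduces the Enforced/Partial/Open grading above from DNS TXT records: it parses the DMARC tags, follows the SPF redirect= to the terminal all qualifier, probes a candidate selector list for DKIM keys, and checks for an MTA-STS record. The TXT zone is constructed so it runs offline; the redirect target's contents, the DKIM key material, the rua address and the selector candidate list are assumptions.

```python
import re
# Constructed offline TXT zone. The SPF root record and the DMARC p=reject/pct=100 posture
# match the report; the redirect target, DKIM keys (PLACEHOLDER_KEY) and rua are assumed.
TXT = {
    "_dmarc.hubspot.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "hubspot.com": "v=spf1 redirect=_hspf.hubspot.com",
    "_hspf.hubspot.com": "v=spf1 ip4:192.0.2.0/24 ?all",
    "s1._domainkey.hubspot.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
    "s2._domainkey.hubspot.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
    "google._domainkey.hubspot.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
    "mandrill._domainkey.hubspot.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
}
CANDIDATE_SELECTORS = ["s1", "s2", "google", "mandrill", "selector1", "k1"]  # DKIM has no enumeration

def dmarc_posture(domain):
    rec = TXT.get(f"_dmarc.{domain}", "")
    if not rec.lower().startswith("v=dmarc1"):
        return "Open", "no DMARC record"
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    p, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))  # pct defaults to 100
    if p == "reject" and pct == 100:
        return "Enforced", f"p={p} pct={pct}"
    return ("Partial" if p in ("reject", "quarantine") else "Open"), f"p={p} pct={pct}"

def spf_terminal(domain, hops=0):
    # Follow redirect= to the final 'all' qualifier; None (no record / no 'all') is neutral like '?all'.
    rec = TXT.get(domain, "")
    if hops > 10 or not rec.lower().startswith("v=spf1"):  # 10 = RFC 7208 lookup limit
        return None
    terms = rec.split()[1:]
    for t in terms:  # an 'all' mechanism ends evaluation and masks any redirect=
        m = re.fullmatch(r"([+\-~?]?)all", t, re.I)
        if m:
            return m.group(1) or "+"
    for t in terms:
        if t.lower().startswith("redirect="):
            return spf_terminal(t.split("=", 1)[1], hops + 1)

def spf_posture(domain):
    if not TXT.get(domain, "").lower().startswith("v=spf1"):
        return "Open", "no SPF record"
    q = spf_terminal(domain)
    grade = {"-": "Enforced", "~": "Partial", "?": "Partial", None: "Partial"}.get(q, "Open")
    return grade, (q or "?") + "all"

def posture(domain):
    dkim = [s for s in CANDIDATE_SELECTORS  # an empty p= is a revoked key, so require a value
            if re.search(r"\bp=[^;\s]+", TXT.get(f"{s}._domainkey.{domain}", ""))]
    sts = TXT.get(f"_mta-sts.{domain}", "").startswith("v=STSv1")
    return {"dmarc": dmarc_posture(domain), "spf": spf_posture(domain), "dkim": dkim, "mta_sts": "Enforced" if sts else "Open"}
```

Swapping the TXT dict for real DNS lookups is the only change needed to run this against a live domain.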

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
