Spoofability verdict for ikea.com

No - ikea.com is not practically spoofable.

IKEA has built a strong email authentication posture. With DMARC reject enforcement, SPF hardfail protection, and working DKIM signers, this brand is not practically spoofable—at least not at scale.

  • DMARC policy=reject: DMARC is set to reject unauthenticated mail claiming to be from ikea.com. This tells receivers to reject messages that pass neither SPF nor DKIM in alignment with the From domain, stopping spoofed mail at the gateway before it lands in inboxes.
  • SPF hardfail (-all): SPF includes IKEA's official IP blocks and Outlook (for Microsoft 365 relay), then hardfails everything else. Any mail server trying to fake IKEA's domain from an unauthorised IP will be rejected.
  • DKIM: 2 selectors found: IKEA signs outbound mail with at least two DKIM key pairs, meaning even if one key rotates, mail remains cryptographically verified. Attackers cannot forge signatures without the private keys.
  • MTA-STS in testing mode: MTA-STS tells sending mail servers to use an encrypted (TLS) connection when delivering to IKEA's mail infrastructure. Testing mode means it's not yet mandatory, but the signal is present and working toward enforcement.

What this means practically

An attacker cannot realistically send mail from ikea.com to most modern receivers. Gmail, Outlook, and other major ISPs will reject messages that fail DMARC under a reject policy, and there is no way to pass SPF or DKIM without control of IKEA's infrastructure or cryptographic keys. A small fraction of legacy mail systems might accept DMARC-failing mail, but it will be marked clearly as unauthenticated and will not appear to come from IKEA.

Bottom line: IKEA has closed the spoofing door with reject-mode DMARC and hardfail SPF; attackers would need to compromise IKEA's own mail keys or infrastructure to impersonate the brand successfully.

What we measured

Enforced

DMARC policy

p=reject

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Enforced

SPF posture

-all (hardfail)

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 include:_spf.ikea.com include:spf.protection.outlook.com -all

Enforced

DKIM presence

found at 2 selectors

DKIM key found at selectors: selector1, selector2.

Partial

MTA-STS (transport)

mode=testing

MTA-STS in testing mode. Failures are reported, not enforced.
