wiredepth
Spoofability verdict for klarna.com

No - klarna.com is not practically spoofable.

Klarna runs a tightly configured email authentication stack, with DMARC reject policy and SPF hardfail both in place. This is the textbook posture for a financial services provider that takes spoofing seriously.

  • DMARC policy=reject: With p=reject, receivers that honor DMARC refuse mail whose visible From: is klarna.com unless it passes SPF or DKIM with an identifier aligned to klarna.com. adkim=r and aspf=r are relaxed alignment (the defaults), so an envelope sender or DKIM d= on any subdomain of klarna.com also satisfies alignment; strict alignment (adkim=s / aspf=s) would require an exact domain match. Reject is the strongest DMARC enforcement level and stops most direct impersonation cold.
  • SPF hardfail (-all): The trailing -all hard-fails any source IP the record does not cover. Klarna lists SendGrid, Google, Atlassian and Proofpoint (spf-0098b101.pphosted.com) through include: mechanisms, plus four static IPv4 addresses; anything else fails. Note that each include: pulls in that vendor's shared sending ranges, so the effective allow-list is every customer of those vendors, and it is DMARC alignment plus the vendor's own sender verification that keeps other tenants from using it.
  • DKIM with 3 signing selectors: Keys were found at the google, s1 and s2 selectors out of 22 probed names. Several selectors are consistent with more than one signing service and with key rotation, though selector names alone do not identify the signer, and a DNS probe only shows which keys are published, not which mail is actually signed.
  • MTA-STS missing: MTA-STS lets sending servers insist on TLS and a policy-listed MX when delivering mail to klarna.com. It protects mail bound for Klarna against STARTTLS stripping and MX redirection; it has no bearing on whether klarna.com can be spoofed, so its absence leaves the spoofability verdict unchanged but is a transport-security gap worth closing.

What this means practically

An attacker cannot realistically spoof klarna.com in a way that reaches inboxes at scale. DMARC reject + SPF hardfail means:
  - Receivers that enforce DMARC drop impersonation attempts that carry neither an aligned SPF pass nor an aligned DKIM signature.
  - An attacker with their own SendGrid, Google or Atlassian account does send from IPs that Klarna's SPF includes, but the envelope sender will be the vendor's bounce domain or a domain the vendor has verified for that tenant, not klarna.com, so SPF does not align; and without Klarna's private DKIM keys there is no aligned signature either. The residual risk is a vendor that lets a tenant use an unverified envelope domain, or a compromised account inside Klarna's own vendor tenants.
  - Targeted attacks that never use the klarna.com domain remain possible: lookalike domains, display-name spoofing and replies from compromised mailboxes are outside DMARC's scope. Mass-scale abuse of the exact domain is blocked.
This is a financial institution behaving like one.

Bottom line: Klarna has closed the spoofing door with the strongest authentication mechanisms available; impersonation would require compromising an authorized sender or endpoint, not just guessing a mail server.

What we measured

Enforced

DMARC policy

p=reject

DMARC at p=reject with pct=100, so the policy applies to every message rather than a sample. Receivers that honor DMARC reject unauthenticated mail claiming klarna.com, typically with a 5xx at SMTP time.

Enforced

SPF posture

-all (hardfail)

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 include:sendgrid.net include:_spf.google.com include:_spf.atlassian.net include:spf-0098b101.pphosted.com ip4:18.159.145.12 ip4:18.156.64.82 ip4:54.77.2.88 ip4:54.72.124.243 -all

Enforced

DKIM presence

found at 3 selectors

DKIM key found at selectors: google, s1, s2.

Open

MTA-STS (transport)

missing

No MTA-STS policy published. Without it (or DANE), a sender delivering to klarna.com has no authenticated way to learn that TLS is required or which MX hosts are legitimate, so an on-path attacker can strip STARTTLS or redirect delivery through spoofed MX answers. This concerns mail sent to klarna.com, not mail spoofed from it.
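The following is an added example, not part of the wiredepth tool or of Klarna's configuration. It re-runs the receiver-side logic behind the verdict above, offline, for the attacker positions discussed under "What this means practically": a random VPS, one of the listed static IPs, a tenant of a vendor that Klarna's SPF includes, and a holder of an aligned DKIM signature. The SPF record is the one shown on the page; the DMARC text is reconstructed from the tags the page reports (p=reject, pct=100, adkim=r, aspf=r), and the table of what each include: expands to is a constructed stand-in, since the page does not list the vendor ranges (the real ones are much larger and shared by every customer of that vendor). All IPs are placeholder addresses.

```python
"""Offline DMARC/SPF evaluation of the klarna.com records shown above.

Added example. SPF_KLARNA is from the page; DMARC_KLARNA and FAKE_SPF_DNS
are CONSTRUCTED stand-ins (placeholder ranges, not real vendor data).
"""
import ipaddress

SPF_KLARNA = ("v=spf1 include:sendgrid.net include:_spf.google.com "
              "include:_spf.atlassian.net include:spf-0098b101.pphosted.com "
              "ip4:18.159.145.12 ip4:18.156.64.82 ip4:54.77.2.88 "
              "ip4:54.72.124.243 -all")

DMARC_KLARNA = "v=DMARC1; p=reject; pct=100; adkim=r; aspf=r"  # built from page tags

# Constructed stand-in for TXT lookups: domain -> SPF record.
FAKE_SPF_DNS = {
    "klarna.com": SPF_KLARNA,
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 -all",            # placeholder
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",           # placeholder
    "_spf.atlassian.net": "v=spf1 ip4:192.0.2.0/25 -all",          # placeholder
    "spf-0098b101.pphosted.com": "v=spf1 ip4:192.0.2.128/25 -all", # placeholder
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, resolve, depth=0):
    """RFC 7208 check_host() for the mechanisms the record above uses
    (ip4, ip6, include, all). a/mx/exists/redirect are not implemented."""
    record = resolve(domain)
    if record is None:
        return "none"
    if depth > 10:                     # recursion cap; RFC 7208 limits DNS terms to 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:    # skip "v=spf1"
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":        # include matches only on a nested "pass"
            matched = spf_check(ip, arg, resolve, depth + 1) == "pass"
        else:
            matched = False
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def parse_tags(record):
    """'k=v; k=v' -> dict (DMARC tag list)."""
    tags = {}
    for part in record.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(name):
    """Organizational domain approximated as the last two labels; a real
    implementation consults the Public Suffix List (simplifying assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(header_from, envelope_from, source_ip, dkim_d,
                      dmarc_record, resolve):
    """Receiver-side DMARC outcome for one message (RFC 7489, pct=100).
    Pass if SPF passes for the envelope domain AND that domain aligns with
    From:, or if a verified DKIM signature's d= aligns with From:; otherwise
    the published p= applies. dkim_d is the d= of a signature that verified,
    or None (signature verification itself is out of scope here)."""
    tags = parse_tags(dmarc_record)
    spf_ok = (spf_check(source_ip, envelope_from, resolve) == "pass"
              and aligned(header_from, envelope_from, tags.get("aspf", "r")))
    dkim_ok = dkim_d is not None and aligned(header_from, dkim_d,
                                             tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")       # "reject" -> 5xx at SMTP


def spoof_scenarios(dmarc_record=DMARC_KLARNA, resolve=FAKE_SPF_DNS.get):
    """Outcomes for the attacker positions discussed on the page."""
    def run(envelope_from, ip, dkim_d):
        return dmarc_disposition("klarna.com", envelope_from, ip, dkim_d,
                                 dmarc_record, resolve)
    return {
        # Random VPS, no DKIM: -all fails SPF, nothing aligns -> rejected.
        "random_vps_no_dkim": run("klarna.com", "198.18.0.9", None),
        # One of Klarna's four static IPs with an aligned envelope -> pass.
        "listed_static_ip": run("klarna.com", "54.77.2.88", None),
        # Attacker's own SendGrid tenant: IP sits inside the include, but the
        # envelope domain is the vendor's bounce domain, which does not align.
        "vendor_tenant_vendor_bounce": run("sendgrid.net", "198.51.100.7", None),
        # Same IP, but the vendor allowed an unverified klarna.com envelope
        # sender: SPF passes via include and aligns. This is the shared-
        # infrastructure risk that vendor-side sender verification must close.
        "vendor_tenant_spoofed_envelope": run("klarna.com", "198.51.100.7", None),
        # Any IP, but a verified DKIM signature with d=klarna.com -> pass.
        "any_ip_valid_dkim": run("bounces.example.net", "198.18.0.9", "klarna.com"),
        # A subdomain d= aligns under adkim=r; under adkim=s it would not.
        "subdomain_dkim_relaxed": run("klarna.com", "198.18.0.9", "mail.klarna.com"),
    }


if __name__ == "__main__":
    for name, outcome in spoof_scenarios().items():
        print(f"{name:32} {outcome}")
```

The two vendor scenarios are the ones worth reading twice: the same source IP yields "reject" or "pass" depending only on whether the vendor let the tenant put klarna.com in the envelope sender, which is exactly the control that a shared include: delegates to the vendor. Swapping the constructed `adkim=r` for `adkim=s` flips the last scenario to "reject".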

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint. Roll it out in mode: testing first and read the TLS-RPT reports before switching to enforce, because a wrong or missing mx: line in enforce mode makes compliant senders hold mail for klarna.com. This hardens delivery to Klarna; it does not change the spoofability result above.
  2. Optionally tighten alignment to adkim=s and aspf=s, so that only an exact klarna.com identifier aligns, once reports confirm no legitimate mail signs or sends from a subdomain.
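The following is an added example, not part of the wiredepth tool or of Klarna's deployment: it generates the three artifacts that step 1 asks for (the policy file, the MTA-STS discovery TXT record and the TLS-RPT TXT record), validates the policy file the way a sending MTA would, and shows the sender-side MX matching rule. The MX hostnames, the reporting address and the max_age values are placeholder assumptions, not Klarna's real values.

```python
"""MTA-STS + TLS-RPT artifacts for step 1, generated and checked offline.

Added example. MX_HOSTS, TLSRPT_RUA and the max_age values are PLACEHOLDER
assumptions, not Klarna's configuration.
"""
import re
import time

DOMAIN = "klarna.com"
MX_HOSTS = ["mx1.inbound.klarna.com", "mx2.inbound.klarna.com"]  # placeholders
TLSRPT_RUA = "mailto:tls-reports@klarna.com"                    # placeholder
MAX_AGE_LIMIT = 31557600   # RFC 8461: max_age must not exceed one year

# hostname or "*.suffix" wildcard; labels are alphanumerics and hyphens only
HOST_RE = re.compile(
    r"^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def mta_sts_policy(mx_hosts, mode="enforce", max_age=604800):
    """Body to serve at https://mta-sts.<domain>/.well-known/mta-sts.txt
    (RFC 8461). mx_hosts may contain wildcards such as '*.inbound.klarna.com'."""
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {h}" for h in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def dns_records(domain, policy_id):
    """TXT records: MTA-STS discovery (change id whenever the policy file
    changes, so caching senders refetch it) and the TLS-RPT report address."""
    return {
        f"_mta-sts.{domain}": f"v=STSv1; id={policy_id}",
        f"_smtp._tls.{domain}": f"v=TLSRPTv1; rua={TLSRPT_RUA}",
    }


def parse_policy(text):
    """Validate a policy file as a sending MTA would; raise ValueError on
    anything that would make it refuse or ignore the policy."""
    fields, mx = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, val = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, val = key.strip(), val.strip()
        if key == "mx":
            if not HOST_RE.match(val.lower()):
                raise ValueError(f"bad mx host: {val!r}")
            mx.append(val.lower())
        else:
            fields[key] = val
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode: {mode!r}")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policies need at least one mx line")
    try:
        max_age = int(fields["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds")
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    return {"mode": mode, "mx": mx, "max_age": max_age}


def mx_permitted(mx_host, policy_mx):
    """Sender-side check: may mail be delivered to this MX (from the DNS MX
    lookup)? A '*.' pattern matches exactly one leading label and never the
    bare suffix, so a redirected MX outside the list is refused in enforce mode."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy_mx:
        if pattern.startswith("*."):
            suffix = pattern[2:]
            if host.endswith("." + suffix) and "." not in host[:-len(suffix) - 1]:
                return True
        elif host == pattern:
            return True
    return False


def rollout_plan(mx_hosts):
    """(testing_policy, enforce_policy, dns): publish the first with a short
    max_age, read TLS-RPT reports, then publish the second under a new id."""
    testing = mta_sts_policy(mx_hosts, mode="testing", max_age=86400)
    enforce = mta_sts_policy(mx_hosts, mode="enforce")
    return testing, enforce, dns_records(DOMAIN, str(int(time.time())))


if __name__ == "__main__":
    testing, enforce, dns = rollout_plan(MX_HOSTS)
    print(enforce)
    for name, value in dns.items():
        print(f'{name} TXT "{value}"')
```

The policy file must be served over HTTPS from the mta-sts subdomain with a certificate valid for that name; the TXT id is what tells senders that the cached file has changed, so bump it on every edit. The validator also catches the two mistakes that most often turn an enforce policy into an outage: an MX host missing from the mx: list, and a max_age beyond the RFC limit.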
