wiredepth

Spoofability verdict for klaviyo.com

No - klaviyo.com is not practically spoofable.


Klaviyo's email authentication is genuinely strong: they've deployed DMARC with reject policy and DKIM signing, which creates real friction for attackers. This is what you want to see from a software-as-a-service company that handles customer marketing on behalf of their users.

  • DMARC p=reject (enforced): Klaviyo tells receivers to reject unauthenticated mail claiming to be from klaviyo.com, the strictest policy DMARC offers. Receivers honour this and discard spoofed messages at the gateway rather than landing them in spam.
  • DKIM at 4 selectors (enforced): DKIM public keys found at four selectors (google, k1, s1, s2) show that Klaviyo has the cryptographic infrastructure to sign outbound mail. An attacker would need to steal a private key to forge valid signatures.
  • SPF ~all (softfail): SPF lists the legitimate senders (Greenhouse, Google, Zendesk, Freshservice, Salesforce) and two IP blocks, but the softfail (~all) only asks receivers to treat non-matching IPs with suspicion rather than block them. Under DMARC a softfail still counts as an SPF failure, so the reject policy applies and the softfail doesn't matter in practice.
  • MTA-STS missing: MTA-STS isn't published, but it only protects the TLS transport of mail delivered to klaviyo.com against downgrade and interception; it has nothing to do with sender authentication. Its absence doesn't weaken the picture here.

What this means practically

An attacker cannot forge a realistic email from klaviyo.com without Klaviyo's DKIM private keys. Even if they tried to send unauthenticated mail, Gmail, Outlook, and other major receivers would reject it outright because of the DMARC reject policy. The only practical attack surface is compromising Klaviyo's infrastructure itself or launching a narrow phishing attack that impersonates a Klaviyo user's *own* marketing domain (which Klaviyo customers control separately).

Bottom line: Klaviyo has deployed email authentication correctly and comprehensively; spoofing their domain is not a realistic threat.

What we measured

  • DMARC policy (Enforced): p=reject. DMARC at p=reject (pct=100); spoofed mail is rejected at SMTP.
  • SPF posture (Partial): ~all (softfail). SPF ends in ~all, so receivers may accept non-matching mail but mark it; not enforced on its own. Published record:

    v=spf1 include:mg-spf.greenhouse.io include:_spf.google.com include:mail.zendesk.com include:emailus.freshservice.com include:_spf.salesforce.com ip4:4.7.16.128/26 ip4:38.108.186.0/24 ~all

  • DKIM presence (Enforced): found at 4 selectors. DKIM public keys found at selectors google, k1, s1, s2.
  • MTA-STS transport policy (Open): missing. No MTA-STS policy is published, so inbound mail transport is not protected against STARTTLS downgrade or DNS/MX tampering.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorised senders is confirmed complete.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint so transport failures are reported back.
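As an added example (not wiredepth's code or output), the Python below parses an SPF record and a DMARC record and applies the reasoning the report uses above: an enforced DMARC policy decides the outcome, and the SPF `all` qualifier only matters when DMARC is absent or at p=none. It also performs the two hardening steps as text transforms, rewriting ~all to -all and checking that an MTA-STS policy file is in enforce mode. The SPF string is the record shown on this page; the DMARC record and the MTA-STS policy text are constructed to match the report's summary, not fetched from DNS or HTTPS.

```python
"""Evaluate SPF, DMARC and MTA-STS posture from raw record strings.

Added example, not wiredepth's code. The SPF record is the one shown on
the page; the DMARC record and MTA-STS policy are constructed to match
the page's summary and are not fetched from DNS or HTTPS.
"""
import re

# SPF record published for klaviyo.com, as shown on the page.
SPF_KLAVIYO = ("v=spf1 include:mg-spf.greenhouse.io include:_spf.google.com "
               "include:mail.zendesk.com include:emailus.freshservice.com "
               "include:_spf.salesforce.com ip4:4.7.16.128/26 "
               "ip4:38.108.186.0/24 ~all")

# Constructed DMARC record consistent with "p=reject (pct=100)" on the page.
DMARC_KLAVIYO = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"

# Constructed MTA-STS policy file (what step 2 on the page would publish).
MTA_STS_ENFORCE = "version: STSv1\nmode: enforce\nmx: mail.example.invalid\nmax_age: 604800\n"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (result, mechanism, value) terms and
    the result that the final 'all' mechanism yields for unlisted IPs."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_result = [], None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_result = QUALIFIERS[qualifier]
            continue
        name, _, value = term.partition(":")
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), value))
    return {"mechanisms": mechanisms, "all": all_result}


def parse_dmarc(record):
    """Parse the 'tag=value;' pairs of a DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def effective_policy(dmarc):
    """Policy a receiver applies: p, scaled by pct (default 100). With pct
    below 100 only that share of failing mail gets p, so the domain is
    only partially enforced."""
    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if pct >= 100 or policy == "none":
        return policy
    return "partial:%s@%d%%" % (policy, pct)


def spoofability(spf, dmarc):
    """Apply the report's reasoning. Under DMARC a softfail counts as an SPF
    failure, so once p=reject is in place the ~all/-all choice is moot."""
    policy = effective_policy(dmarc) if dmarc else "none"
    if policy == "reject":
        return "not practically spoofable"
    if policy == "quarantine":
        return "spoofed mail lands in spam"
    if spf["all"] == "fail":
        return "SPF hardfail only; no DMARC enforcement"
    return "spoofable"


def harden_spf(record):
    """Step 1 on the page: replace a trailing ~all with -all."""
    return re.sub(r"\s~all\s*$", " -all", record)


def mta_sts_mode(policy_text):
    """Step 2 on the page: MTA-STS only protects transport in 'enforce' mode."""
    for line in policy_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mode":
            return value.strip().lower()
    return None


if __name__ == "__main__":
    spf, dmarc = parse_spf(SPF_KLAVIYO), parse_dmarc(DMARC_KLAVIYO)
    print("klaviyo.com:", spoofability(spf, dmarc))
    print("same SPF, no DMARC:", spoofability(spf, None))
    print("hardened SPF ends in:", parse_spf(harden_spf(SPF_KLAVIYO))["all"])
    print("MTA-STS mode:", mta_sts_mode(MTA_STS_ENFORCE))
```

Running it shows the same verdict as the report for the published records, and that the identical SPF record with no DMARC at all would be rated spoofable, which is the point the softfail discussion above makes: the ~all qualifier only becomes decisive once the DMARC policy is weakened or removed.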
