wiredepth
Spoofability verdict for kraken.com

No - kraken.com is not practically spoofable.

Kraken has assembled a genuinely strong email authentication posture: not perfect, but enough to make spoofing their domain in the real world difficult and risky for an attacker.

  • DMARC p=reject at 100%: Kraken enforces a strict DMARC reject policy across 100% of mail volume. Any message claiming to be from kraken.com that fails alignment is rejected outright by receiving mail servers, not quarantined or spam-foldered.
  • SPF hardfail (-all): SPF is configured with a hard fail, so any sending IP outside the explicitly authorised senders (Google, Zendesk, Mailgun) fails the SPF check. This blocks the most common spoofing vector: an attacker sending from their own mail server while claiming to be Kraken.
  • DKIM with Google selector: DKIM signing is detected and active (selector google). Even if SPF were somehow bypassed, a valid DKIM signature would still be required; producing one without Kraken's private signing key is computationally infeasible, so the attacker would have to compromise that key itself.
  • MTA-STS not present: MTA-STS would force TLS on delivery to Kraken's mail servers. Its absence means an attacker could in theory downgrade a connection (STARTTLS stripping), but only if they already control the network path, a much harder position to reach than simple spoofing.

What this means practically

An attacker cannot realistically send an email that both claims to be from kraken.com and arrives in a user's inbox. SPF hardfail stops spoofing from external servers immediately. Even if an attacker somehow obtained internal network access to bypass SPF, DMARC p=reject causes receiving mail servers to reject the message before it reaches users. The only remaining vector is compromising Kraken's actual mail infrastructure or private DKIM keys, a much higher bar than typical phishing.

Bottom line: Kraken.com is not practically spoofable; their authentication stack is enforced at every layer and leaves no easy path for an attacker.

What we measured

  • DMARC policy: p=reject. Status: Enforced. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: -all (hardfail). Status: Enforced. SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
    v=spf1 include:_spf.google.com include:mail.zendesk.com include:mailgun.org -all
  • DKIM presence: found at 1 selector. Status: Enforced. DKIM key found at selector: google.
  • MTA-STS (transport): missing. Status: Open. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
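As an added, offline illustration of how the three record-based checks above are graded (example code, not wiredepth's own scanner), this Python script parses the SPF record shown on this page plus constructed DMARC and MTA-STS inputs and returns the same Enforced/Open labels. The DKIM check is left out because it needs a live DNS query for the selector; the DMARC record text and the missing MTA-STS policy are assumed stand-ins, since the page shows only their verdicts.

```python
# Constructed inputs: the SPF record is the one published on this page; the
# DMARC record and the missing MTA-STS policy are assumed stand-ins, since the
# page reports only their verdicts, not the raw records.
SPF_RECORD = "v=spf1 include:_spf.google.com include:mail.zendesk.com include:mailgun.org -all"
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"
MTA_STS_POLICY = None  # None models "no policy published"

QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}

def spf_posture(record):
    """Grade an SPF record by its 'all' qualifier: only -all counts as Enforced."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "Open", "no SPF record"
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return "Open", "no 'all' mechanism (implicit neutral)"
    qualifier = all_term[0] if all_term[0] in QUALIFIERS else "+"
    return ("Enforced" if qualifier == "-" else "Open"), QUALIFIERS[qualifier]

def dmarc_posture(record):
    """Grade a DMARC record; like the page, only p=reject at pct=100 is Enforced."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return "Open", "no DMARC record"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    enforced = policy == "reject" and pct == 100
    return ("Enforced" if enforced else "Open"), f"p={policy} (pct={pct})"

def mta_sts_posture(policy_text):
    """Grade the body of /.well-known/mta-sts.txt; only mode: enforce is Enforced."""
    if not policy_text:
        return "Open", "missing"
    fields = dict((k.strip(), v.strip()) for k, v in
                  (line.split(":", 1) for line in policy_text.splitlines() if ":" in line))
    mode = fields.get("mode", "none")
    return ("Enforced" if mode == "enforce" else "Open"), f"mode={mode}"

def spoofable(spf_record, dmarc_record):
    """The page's verdict rule: not practically spoofable only if SPF and DMARC both enforce."""
    return not (spf_posture(spf_record)[0] == "Enforced"
                and dmarc_posture(dmarc_record)[0] == "Enforced")

if __name__ == "__main__":  # prints one (status, detail) pair per check
    print(spf_posture(SPF_RECORD), dmarc_posture(DMARC_RECORD), mta_sts_posture(MTA_STS_POLICY))
    print("spoofable:", spoofable(SPF_RECORD, DMARC_RECORD))
```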

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.