wiredepth

Spoofability verdict for laposte.fr

Yes - laposte.fr is spoofable today.

La Poste, France's national postal operator, has the infrastructure in place to reject spoofed email—but hasn't turned it on. The mismatch between a strong SPF baseline and a permissive DMARC policy creates a window where attackers can impersonate the brand.

  • DMARC policy=none: No enforcement of authentication failures. Even when SPF or DKIM fails, receivers get no instruction to reject or quarantine the message. This is the critical gap.
  • SPF with -all hardfail: Explicitly rejects any mail server not in the authorized list (includes Zendesk, internal mail systems, and partner networks). This is correctly configured and enforced.
  • DKIM selector2 found: A signing key exists and is discoverable, but without DMARC enforcement a message failing DKIM validation won't be rejected; the failure is merely reported to the receiver, which is free to ignore it.
  • MTA-STS missing: No policy to enforce encrypted inbound connections. Attackers can intercept mail in transit or downgrade to unencrypted channels without triggering a delivery failure.

What this means practically

An attacker can send email that appears to come from laposte.fr by spoofing the From header. Most major email providers (Gmail, Outlook, Yahoo) will deliver these messages to inboxes or spam folders because La Poste's DMARC policy tells them "do nothing" on failure. The SPF and DKIM infrastructure exists; it's just not wired into a rejection policy. Additionally, without MTA-STS, an attacker positioned on the network can intercept mail intended for La Poste's mail servers entirely.

Bottom line: La Poste has built the technical foundation for email security but left the front door unlocked by setting DMARC to p=none; activating p=reject would immediately close this spoofing vector.

What we measured

  • DMARC policy: p=none (Open). DMARC at p=none. Receivers are told NOT to act on auth failures; spoofed mail will not be blocked.
  • SPF posture: -all (hardfail) (Enforced). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:

    v=spf1 include:_spfstd_sccc.laposte.fr include:_spfmm_sccc.laposte.fr include:_spfal_sccc.laposte.fr include:_spftmp_sccc.laposte.fr  include:mail.zendesk.com mx -all

  • DKIM presence: found at 1 selector (Enforced). DKIM key found at selector: selector2.
  • MTA-STS (transport): missing (Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten the DMARC policy. Keep p=none only long enough to gather aggregate reports via a rua= report destination, then progress to p=quarantine and finally p=reject.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.