wiredepth

Spoofability verdict for lidl.com

Yes - lidl.com is spoofable today.


Lidl has the infrastructure to stop email spoofing—SPF with a hard fail and DKIM signing are both in place—but a DMARC policy of none means those signals are never enforced at the receiver. This is the classic "all the pieces, no assembly" problem.

  • DMARC policy=none: p=none tells receivers to report authentication failures but not to reject or quarantine the message. Gmail, Outlook and others treat mail that fails SPF/DKIM alignment as suspicious rather than blocking it, leaving room for spoofing.
  • SPF hardfail (-all): SPF is correctly configured with a hard fail. Senders not listed in the record are flagged as unauthorised—but only if the receiver acts on that result (which it may not without DMARC p=reject).
  • DKIM (selector1, google): DKIM public keys are published at the probed selectors. Messages signed by Lidl can be cryptographically verified—again, only if the receiver enforces the result.
  • MTA-STS missing: MTA-STS enforces encrypted delivery between mail servers. Its absence is a minor gap but does not directly enable spoofing of Lidl's domain.

What this means practically

An attacker can send email forged as any Lidl sender address. Major mailbox providers (Gmail, Outlook, Yahoo) will record these as "unsigned" or "failed authentication" internally, but most will not reject them outright or visibly warn the recipient. Phishing emails spoofing Lidl will likely land in inboxes or spam folders depending on content and the recipient ISP's policy. The SPF and DKIM infrastructure exists—Lidl just needs to move DMARC to p=reject to make it effective.

Bottom line: Lidl has built the safeguards but left the door open by setting DMARC to none; a simple policy change to p=reject would close this gap.

What we measured

  • DMARC policy — Open: p=none. Receivers are told NOT to act on authentication failures; spoofed mail will not be blocked.
  • SPF posture — Enforced: -all (hardfail). Receivers that enforce SPF reject mail from IPs not listed in the policy. Published record:
    v=spf1 ip4:46.16.216.56 ip4:46.16.220.56 ip4:62.218.26.131 ip4:62.138.246.52 include:_spfg.mail.schwarz -all
  • DKIM presence — Enforced: found at 2 selectors. DKIM keys found at selectors: google, selector1.
  • MTA-STS (transport) — Open: missing. No MTA-STS policy is published, so inbound mail can be intercepted via forged MX records or a STARTTLS downgrade.

How to make it un-spoofable

  1. Move DMARC from p=none to enforcement. Keep a rua= report destination to gather data on which sources fail alignment, then progress to p=quarantine and finally p=reject.
  2. Publish an MTA-STS policy in enforce mode together with a TLS-RPT reporting endpoint.
