wiredepth

Spoofability verdict for lowes.com

No - lowes.com is not practically spoofable.


Lowe's has done the hard work of email authentication: DMARC is enforced at p=reject and DKIM keys are published at multiple selectors, which makes direct impersonation of the lowes.com From: domain extremely difficult even though SPF ends in ~all rather than -all.

  • DMARC policy=reject (enforced): a message with a lowes.com From: address is rejected unless it passes DMARC, that is, unless it carries a valid DKIM signature whose d= domain aligns with lowes.com or gets an SPF pass for an aligned domain. The record carries no pct tag, so the policy applies to 100% of mail with no sampling carve-out, which makes bulk spoofing of the exact domain nearly impossible at DMARC-enforcing receivers.
  • SPF ~all (softfail): the record ends in ~all rather than -all, so a receiver that evaluates SPF on its own gets only a 'soft' signal for unauthorised senders. For DMARC this makes no difference: softfail and fail are both 'not pass', so DMARC reject still applies to mail that is not aligned. The single include: term (it is an include, not a redirect=) is macro-based, %{i} being the connecting IP, %{h} the HELO name and %{d} the domain, so the authorised-sender decision is made per connection by a hosted SPF service at vali.email rather than by a static IP list published in the record.
  • DKIM at 5 active selectors: public keys are published at default, selector1, selector2, s1 and s2. Several selectors let Lowe's rotate keys without a gap and let more than one sending system sign as lowes.com (for instance, selector1/selector2 are the names Microsoft 365 uses and s1/s2 are the SendGrid defaults). The redundancy cuts the other way for an attacker: the private key of any one selector is enough to produce DMARC-aligned mail, so each key, and each third party that holds one, has to be protected and unused selectors retired.
  • MTA-STS missing: MTA-STS lets a sending server check that lowes.com's MX hosts and their TLS certificates are the published ones, so an on-path attacker cannot strip STARTTLS or divert delivery through a spoofed MX answer. Its absence concerns the confidentiality of mail sent to lowes.com, not whether lowes.com can be spoofed; DMARC reject remains the spoofing defence.

What this means practically

An attacker cannot practically send bulk mail with a From: address at lowes.com. With p=reject, Gmail, Outlook.com and other DMARC-enforcing providers refuse at SMTP (with a 5xx response, not silently; receivers that apply a local override may quarantine instead) any message that fails DMARC, i.e. one that carries neither a valid DKIM signature aligned with lowes.com nor an SPF pass for an aligned domain. What remains is narrower: compromising Lowe's own mail infrastructure or one of its DKIM private keys, abusing a third-party service that is authorised to send as lowes.com, or attacks that DMARC does not address at all (look-alike domains, a forged display name, a Reply-To pointing at the attacker). The first two are far harder than bulk spoofing; the last depends on the recipient's attention rather than on the domain's configuration.

Bottom line: Lowe's is effectively unspoofable at scale because DMARC reject plus DKIM signing lock down the exact domain, even though SPF could be stricter.
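How a receiver turns these records into a verdict, as an added worked example (Python; not wiredepth's checker and not any MTA's code). It implements the DMARC evaluation the two sections above describe: only an aligned SPF pass or an aligned DKIM pass satisfies p=reject, softfail and hardfail are both 'not pass', one valid signature from any single selector is enough for legitimate mail, and an absent pct tag means no sampling. The DMARC record mirrors the page's finding; the SPF/DKIM results, sending domains and selector outcomes are constructed, and the organizational-domain helper assumes a single-label public suffix.

```python
"""DMARC disposition as a receiving MTA computes it (RFC 7489, section 6.6).
Added worked example: this is not wiredepth's checker and not any real MTA's
code. The DMARC record mirrors the page's finding (p=reject, no pct tag); the
SPF/DKIM results, the sending domains and the signing outcomes are constructed."""
import random


def parse_tags(record):
    """Parse a 'k=v; k=v' DMARC TXT record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain. Real receivers consult the Public Suffix List;
    this assumes a single-label public suffix (lowes.com, not example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed,
    the default) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_sigs,
                      rnd=random.random):
    """Return the disposition: 'none' (deliver), 'quarantine' or 'reject'.

    spf_result  SPF outcome for the MAIL FROM (or HELO) identity: 'pass',
                'fail', 'softfail', 'neutral', 'none', ...
    spf_domain  the domain SPF was evaluated against
    dkim_sigs   list of (result, d= domain) for each signature on the message
    Only an aligned SPF *pass* or an aligned DKIM *pass* satisfies DMARC;
    softfail (~all) and fail (-all) are both simply "not pass".
    """
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return "none"
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))          # absent pct means 100%: no sampling carve-out
    if pct < 100 and rnd() * 100 >= pct:       # unsampled messages get the next milder action
        return "quarantine" if policy == "reject" else "none"
    return policy


LOWES_DMARC = "v=DMARC1; p=reject"   # as measured on the page; no pct tag
FROM_DOMAIN = "lowes.com"


def scenarios():
    """Constructed messages, all with From: <...@lowes.com>."""
    return {
        # Bulk spoof from an unauthorised host: ~all gives SPF softfail, no signature.
        "spoof_softfail_unsigned": dmarc_disposition(
            LOWES_DMARC, FROM_DOMAIN, "softfail", "lowes.com", []),
        # Same spoof if the record ended in -all: the DMARC outcome is identical.
        "spoof_hardfail_unsigned": dmarc_disposition(
            LOWES_DMARC, FROM_DOMAIN, "fail", "lowes.com", []),
        # Legitimate mail relayed through a forwarder (SPF breaks) but signed by
        # ONE selector's key: a single valid aligned signature is enough.
        "forwarded_one_dkim_key": dmarc_disposition(
            LOWES_DMARC, FROM_DOMAIN, "softfail", "lowes.com", [("pass", "lowes.com")]),
        # Third-party sender using its own domains for SPF and DKIM: both pass,
        # neither aligns with lowes.com, so the message is still rejected.
        "unaligned_third_party": dmarc_disposition(
            LOWES_DMARC, FROM_DOMAIN, "pass", "bounce.esp.example",
            [("pass", "esp.example")]),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26} -> {verdict}")
```

The third scenario is the forwarding case that makes -all risky and DKIM essential; the fourth is the "loophole in third-party sender setup" the text mentions, and it shows that a third party only helps an attacker if it is allowed to sign with a lowes.com d= or to use a lowes.com MAIL FROM, not merely to send.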

What we measured

Enforced - DMARC policy: p=reject
  DMARC at p=reject (no pct tag, so it applies to 100% of mail). Mail that fails DMARC is rejected at SMTP by enforcing receivers.

Partial - SPF posture: ~all (softfail)
  SPF ends in ~all (softfail). Receivers evaluating SPF on its own may accept but mark unauthorised mail; not enforced by itself (for DMARC, softfail is still 'not pass').
  v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all

Enforced - DKIM presence: found at 5 selectors
  DKIM public keys found at selectors: selector2, default, s2, s1, selector1.

Open - MTA-STS (transport): missing
  No MTA-STS policy. Inbound mail relies on opportunistic STARTTLS, so an on-path attacker can downgrade the connection to plaintext or divert delivery with spoofed DNS / MX answers.
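What the macro-based SPF include in the record above actually does, as an added worked example (Python; not wiredepth's code and not the vali.email service's). It expands the macros of RFC 7208 section 7.3 to show the DNS name a receiver queries for a given connection, which is how a hosted SPF service can answer per sender instead of publishing one static IP list. The connecting IP, HELO name and envelope sender are constructed values.

```python
"""SPF macro expansion (RFC 7208, section 7.3) applied to the include: term in
the measured lowes.com record. Added worked example, not wiredepth's code; the
connecting IP, HELO name and envelope sender below are constructed values."""
import ipaddress
import re

LOWES_SPF_INCLUDE = "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"   # from the page's record


def _ip_macro(addr):
    """'i' macro text: dotted-quad for IPv4, dotted nibbles for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return ".".join(ip.exploded.replace(":", ""))


def expand_macro(macro_string, ip, helo, domain, sender):
    """Expand the macro letters seen in real records: s (sender), l (local
    part), o (sender domain), d (domain), i (connecting IP), h (HELO); with the
    digit transformer (keep the N rightmost labels) and 'r' (reverse labels).
    Other letters (v, c, t, p) are not needed for this record and raise."""
    values = {"s": sender, "l": sender.split("@", 1)[0],
              "o": sender.split("@", 1)[1], "d": domain,
              "i": _ip_macro(ip), "h": helo}

    def substitute(match):
        letter, digits, reverse = match.group(1).lower(), match.group(2), match.group(3)
        if letter not in values:
            raise ValueError(f"macro letter {letter!r} not supported here")
        labels = values[letter].split(".")
        if reverse:
            labels.reverse()
        if digits:
            labels = labels[-int(digits):]
        return ".".join(labels)

    expanded = re.sub(r"%\{([A-Za-z])(\d*)(r?)\}", substitute, macro_string)
    return expanded.replace("%%", "%")


def query_name_for(ip, helo, sender, domain="lowes.com"):
    """The DNS name a receiver actually looks up when evaluating the include:.
    The hosted SPF service sees the sender's IP and HELO inside the query name
    and can answer per connection, instead of publishing one static IP list."""
    return expand_macro(LOWES_SPF_INCLUDE, ip, helo, domain, sender)


if __name__ == "__main__":
    # Constructed connection: IPv4 from TEST-NET-3, HELO from a documentation domain.
    print(query_name_for("203.0.113.5", "mail.example.net", "bounce@lowes.com"))
    # Reversed-IP and label-trimming transformers, as used in other real records.
    print(expand_macro("%{ir}._rev.%{d2}", "203.0.113.5", "mail.example.net",
                       "mail.lowes.com", "bounce@lowes.com"))
```

One consequence worth noting when auditing such a record: every distinct (IP, HELO) pair produces a distinct query, so the third party answering it learns who is sending as lowes.com from where, and its DNS availability is now in the SPF path.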

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorised senders is confirmed (DMARC aggregate reports are the usual way). Do it after, not before: the DMARC outcome does not change either way, but a premature -all makes receivers that enforce SPF on its own drop legitimate mail from any sender left off the list.
  2. Publish an MTA-STS policy: a TXT record at _mta-sts.<domain> and the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt listing the MX hosts, starting in testing mode and moving to enforce once TLS-RPT reports (a TXT record at _smtp._tls.<domain> with a rua= address) show no delivery failures.
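What step 2 amounts to, as an added worked example (Python; not wiredepth's code and not lowes.com's records): the records a domain publishes for MTA-STS and TLS-RPT, and the per-MX decision a sending MTA makes from them, showing why enforce mode stops a STARTTLS strip or a spoofed MX answer while testing mode only reports it. The TXT values, policy body, MX hostnames and reporting address are placeholder assumptions.

```python
"""How a sending MTA applies an MTA-STS policy (RFC 8461) and where TLS-RPT
(RFC 8460) fits. Added worked example, not wiredepth's code and not lowes.com's
real records: the TXT values, policy body, MX hostnames and reporting address
are constructed placeholders."""

# What the domain owner publishes (hostnames below are placeholders):
#   _mta-sts.<domain>      TXT  "v=STSv1; id=<opaque id, changed on every policy edit>"
#   _smtp._tls.<domain>    TXT  "v=TLSRPTv1; rua=mailto:<reporting address>"
#   https://mta-sts.<domain>/.well-known/mta-sts.txt  (served with a cert valid for that name)
STS_TXT = "v=STSv1; id=20240601T000000Z"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-rpt@example.net"
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.mail.example.net
max_age: 604800
"""


def parse_policy(text):
    """Parse the policy file; 'mx' may repeat, everything else is single-valued."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        key = key.lower()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 section 3.2: a leading '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and "." not in host[: -len(suffix) - 1]
    return host == pattern


def decide_delivery(policy, mx_host, tls_verified):
    """Sender-side decision for one MX. Returns (deliver, reason).

    mx_host       the MX name returned by DNS (possibly attacker-controlled)
    tls_verified  STARTTLS succeeded with a certificate valid for mx_host
    'enforce': an unlisted MX or a failed TLS handshake means do not deliver
    (queue and try another MX), which is what defeats a downgrade. 'testing':
    deliver anyway; the failure is reported via TLS-RPT. 'none': opportunistic.
    """
    mode = policy["mode"]
    if mode == "none":
        return True, "no policy: opportunistic TLS only"
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        return mode != "enforce", "MX host not in policy (possible DNS/MX spoofing)"
    if not tls_verified:
        return mode != "enforce", "STARTTLS stripped or certificate invalid"
    return True, "MX listed and TLS verified"


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    print(decide_delivery(policy, "mx1.example.net", True))
    print(decide_delivery(policy, "mx.attacker.example", True))     # spoofed MX answer
    print(decide_delivery(policy, "mx1.example.net", False))        # STARTTLS stripped
```

The policy is fetched over HTTPS and cached for max_age, so the DNS TXT record only signals that a new version exists (by changing id); an attacker who can spoof DNS therefore cannot weaken a policy a sender has already cached, which is the property that closes the "DNS / MX downgrade" finding above.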
