wiredepth

Spoofability verdict for mailchimp.com

No - mailchimp.com is not practically spoofable.

See the math

Mailchimp has built a strong fortress around its own sending domain with a DMARC reject policy, even though it is primarily a platform that sends mail *on behalf of* other organizations.

  • DMARC p=reject (enforced): Any email purporting to come from mailchimp.com is rejected outright by receiving servers. This is the strongest possible posture and effectively eliminates direct domain spoofing.
  • SPF ~all (softfail): SPF lists legitimate Mailchimp IP ranges plus third-party includes (Google, NetSuite, Intuit, Qualtrics), but softfail (~all) means non-conforming mail gets accepted—it doesn't block. The DMARC reject policy renders this softness irrelevant for this domain.
  • DKIM (4 selectors found): DKIM signing is active across multiple selectors (google, k1, mandrill, k2), meaning mail signed with these keys can be cryptographically verified. Enforced strictness confirms proper key rotation and hygiene.
  • MTA-STS missing: No MTA-STS policy means transport security in transit is not explicitly enforced—but for a high-volume mail service, this is a minor concern given the strong DMARC/DKIM layer.

What this means practically

An attacker cannot send mail claiming to be from mailchimp.com and have it accepted by any DMARC-aware receiver (the vast majority now). SPF or DKIM misalignment will trigger the reject policy. The only lever available is compromise of Mailchimp's own sending infrastructure or legitimate keys—which is a different threat model entirely (account takeover, not spoofing).

Bottom line: Mailchimp.com itself is not spoofable; the real risk for users is credential compromise of their own Mailchimp accounts.

What we measured

  • DMARC policy [Enforced]: p=reject. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture [Partial]: ~all (softfail). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record:
    v=spf1 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.0.0/16 ip4:129.145.74.12 include:_spf.google.com include:mailsenders.netsuite.com include:_spf2.intuit.com include:_spf.qualtrics.com ip4:199.33.145.1 ip4:199.33.145.32 ip4:35.176.132.251 ip4:52.60.115.116 ~all
  • DKIM presence [Enforced]: found at 4 selectors. DKIM key found at selectors: google, k1, k2, mandrill.
  • MTA-STS (transport) [Open]: missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorized senders is complete and correct.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
