Spoofability verdict for microsoft.com

No - microsoft.com is not practically spoofable.

Microsoft has deployed the full toolkit of email authentication: DMARC reject-all, SPF hardening with five corporate SPF chains, valid DKIM signing, and MTA-STS enforcement. This is what an enterprise with real security maturity looks like.

  • DMARC policy=reject at 100%: Reject-all DMARC at 100% enforcement means receivers that enforce DMARC will reject any message claiming to be from microsoft.com that fails DMARC. No fallback to quarantine, no exceptions: this is the strongest stance.
  • SPF hardfail with five include chains: The -all (hardfail) mechanism tells receivers to fail SPF for any sending IP address not authorised by the five Microsoft-owned SPF chains, so unauthorised senders do not get a softfail or neutral result to fall back on.
  • DKIM signing with selector2 detected: DKIM signing allows receivers to cryptographically verify that a message really came from Microsoft infrastructure. Selector2 is actively in rotation; this guards against both wholesale domain spoofing and subtle message tampering.
  • MTA-STS in enforce mode: MTA-STS enforcement requires TLS encryption and certificate verification for inbound mail delivered to the domain by senders that honour MTA-STS. This stops downgrade attacks and MITM impersonation at the transport layer.

What this means practically

An attacker cannot meaningfully spoof microsoft.com. Mail servers that check DMARC will reject spoofed messages before they reach a user's inbox. Even if a user's email system is outdated or misconfigured, DKIM verification will fail, and MTA-STS prevents the attacker from forging a valid connection path. The practical attack surface is nearly zero for this domain.

Bottom line: Microsoft.com is hardened across every layer of email authentication—there is no weak link for an attacker to exploit.

What we measured

  • DMARC policy: p=reject (Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: -all (hardfail) (Enforced). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
    v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.msft.net include:_spf1-meo.microsoft.com -all
  • DKIM presence: found at 1 selector (Enforced). DKIM key found at selector: selector2.
  • MTA-STS (transport): mode=enforce (Enforced). MTA-STS in enforce mode. Mail in transit cannot be downgraded by an attacker.