Spoofability verdict for mit.edu
Yes - mit.edu is spoofable today.
This is the classic education sector trap: strong SPF and DKIM infrastructure layered beneath a DMARC policy that refuses to enforce it. MIT has done the hard work of email-security plumbing but left the door unlocked.
- DMARC policy=none: DMARC is in monitor-only mode—it reports violations but does nothing to stop them. Receivers are free to accept forged mail from mit.edu without penalty.
- SPF hardfail (-all): The SPF record properly rejects any server not explicitly authorised to send from mit.edu. Technically sound; just not enforced by DMARC.
- DKIM at 7 selectors: Multiple DKIM signing keys (k1, k2, s1, s2, selector2, google, mandrill) show mature mail infrastructure with third-party integrations properly signed. An attacker cannot forge these signatures.
- MTA-STS missing: No MTA-STS policy means no enforced TLS requirement for incoming connections. Doesn't enable spoofing directly, but removes a secondary protection layer.
What this means practically
An attacker can send mail from any address at mit.edu ([email protected], [email protected], etc.) to most receivers and it will arrive in the inbox, not spam. SPF and DKIM will both fail, but because DMARC is p=none, Gmail, Microsoft, and others will shrug and deliver it anyway. The mail will appear to come from MIT. Staff, students, and external partners are vulnerable to credential harvesting, wire fraud, and impersonation. DKIM-signed emails from known MIT services (those using selectors like mandrill or google) are safe, but even crude forged mail still lands.
Context for MIT
MIT is an education institution, and education domains often legitimately run p=none because of decentralised mail infrastructure across departments and labs. That said, MIT's strong underlying SPF and DKIM posture suggests the institute *could* move to enforcement (p=quarantine or p=reject) without breaking legitimate mail. Staying at p=none looks more like deferred maintenance than technical necessity.
Bottom line: MIT has built the right security foundation but chosen not to activate it—a high-profile target with an easily corrected vulnerability.
What we measured
- DMARC policy (Open): p=none. Receivers are told NOT to act on authentication failures; spoofed mail will not be blocked.
- SPF posture (Enforced): -all (hardfail). SPF ends in -all, so receivers reject mail from IPs not in the policy. Record: v=spf1 include:_s00430413.autospf.email -all
- DKIM presence (Enforced): found at 7 selectors. DKIM keys found at selectors: google, k1, mandrill, k2, s1, selector2, s2.
- MTA-STS (transport) (Open): missing. No MTA-STS policy; inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Move the DMARC record to enforcement. mit.edu already publishes p=none; make sure it carries a rua= report destination to gather data, then progress to p=quarantine and p=reject.
- Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
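The receiver-side decision behind both the "What this means practically" verdict and the enforcement steps above, as an added example (not code from this page or its scanner): a simplified DMARC evaluator that takes a record, the From: domain and the domains for which SPF and DKIM passed, and returns the disposition a receiver applies. The record strings, the example.invalid report address and the subdomain names are constructed; pct= sampling is ignored.

```python
# Added example: a minimal DMARC disposition evaluator (simplified RFC 7489 logic).
# The record strings are constructed for illustration; mit.edu's actual record text is not on the page.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"    # what p=none looks like
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"  # the remediation target

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag/value pairs (v=, p=, sp=, aspf=, adkim=, rua= ...)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if auth_domain is None:  # the underlying check (SPF or DKIM) did not pass at all
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, record_domain, from_domain, spf_pass_domain, dkim_pass_domain):
    """Return (dmarc_result, disposition) for one message; pct= sampling is ignored.
    spf_pass_domain:  envelope-sender domain for which SPF passed, or None if SPF failed.
    dkim_pass_domain: d= domain of a verified DKIM signature, or None if none verified.
    disposition is what the receiver is asked to do: 'none' (deliver), 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")  # DMARC passes on either aligned identifier
    policy = tags.get("p", "none")
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]  # sp= overrides p= when the From: domain is a subdomain
    return ("fail", policy)

if __name__ == "__main__":
    # Forged mail: the sending IP fails the -all SPF record and there is no valid DKIM signature.
    print(evaluate(DMARC_MONITOR, "mit.edu", "mit.edu", None, None))  # ('fail', 'none')   -> delivered
    print(evaluate(DMARC_ENFORCE, "mit.edu", "mit.edu", None, None))  # ('fail', 'reject') -> blocked
    # Legitimate mail signed with one of the page's DKIM selectors (d=mit.edu) passes under either policy.
    print(evaluate(DMARC_ENFORCE, "mit.edu", "mit.edu", None, "mit.edu"))  # ('pass', 'none')
```

The last two cases in the test below show why domains hesitate to enforce: a vendor that passes SPF on its own bounce domain is unaligned and gets rejected at p=reject, which is exactly what the rua= reporting phase is meant to surface first.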