Spoofability verdict for norton.com
Maybe - norton.com is partially protected.
Norton is a security vendor, so you would expect tight email controls. They are partway there, but the SPF record ends in softfail (~all) rather than hardfail (-all), which is the weak link in an otherwise reasonable setup.
- DMARC p=quarantine: tells receivers that mail failing DMARC (no aligned SPF pass and no aligned DKIM pass) should be quarantined, which in practice means the spam folder. This is the responsible middle ground: it keeps impersonation out of the inbox without bouncing mail from a legitimate sender that is not yet set up to authenticate. Better than p=none, not as strict as p=reject.
- SPF ~all (softfail): softfail tells the receiver "mail from an IP not in this list is probably not ours, but do not reject it on that basis alone." Spoofed mail from an unlisted IP does not pass SPF; it gets a softfail, which DMARC still counts as a failure. The difference shows up at receivers that check SPF but do not evaluate DMARC: a hard fail (-all) lets them refuse the message at SMTP time, whereas a softfail is accepted and at most flagged, and many receivers ignore it entirely.
- DKIM present (4 selectors): keys are published at four selectors (s1, s2, selector1, selector2). That pattern usually reflects more than one outbound provider signing as norton.com (selector1/selector2 are the Microsoft 365 defaults) rather than key rotation as such. Genuine outbound mail can be verified cryptographically, and forging a valid signature needs the private key, not just the domain name. DKIM alone does not stop spoofing, though: an attacker simply sends unsigned mail, and it is DMARC alignment that turns the missing signature into a failure.
- MTA-STS missing: MTA-STS lets a sending server insist on TLS with a verified certificate, and on the MX hosts named in the policy, when delivering to norton.com. Without it, an attacker on the network path, or one who can forge MX answers, can strip STARTTLS or redirect delivery and read or alter inbound mail in transit. It does nothing against spoofing, but it is a gap for a security vendor.
What this means practically
An attacker can send a message with a norton.com From: address from any server. The result is an SPF softfail rather than a pass, but receivers that check only SPF will accept it, and receivers that evaluate DMARC will quarantine it rather than refuse it. DKIM will not vouch for forged mail unless the attacker holds Norton's private signing keys, which they almost certainly do not. The larger risks are phishing from a lookalike domain (norton.co or norton-support.com, say), which none of these records govern, and a compromised account at a third-party vendor that is authorised to send as norton.com, which passes authentication legitimately. Gmail and Outlook apply the quarantine policy to misaligned mail, which helps, but it is not bulletproof.
Bottom line: Norton is security-conscious but not hardened. Swap SPF softfail for hardfail, move DMARC to p=reject, add MTA-STS, and they would be in strong shape.
What we measured
- DMARC policy: Partial. p=quarantine. Mail that fails DMARC is quarantined (typically spam-foldered) but not rejected.
- SPF posture: Partial. ~all (softfail). The record ends in ~all: receivers may accept mail from unlisted IPs and at most mark it; not enforced.
  Record: v=spf1 include:norton.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all
- DKIM presence: Enforced. Keys found at 4 selectors: s1, selector2, selector1, s2.
- MTA-STS (transport): Open. Missing. No MTA-STS policy: an attacker on the path can strip STARTTLS or redirect delivery via forged MX answers and expose inbound mail.
How to make it un-spoofable
- Move DMARC to p=reject pct=100 once the rua aggregate reports show no failures from legitimate senders.
- Tighten SPF from ~all (softfail) to -all (hardfail) once the list of services sending as norton.com is complete; the same rua reports are the evidence for that.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
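To make the softfail point from the analysis concrete, and to show what the checklist above changes, here is an added example of the receiver-side logic. It is not part of the original assessment and not Norton's own configuration: it evaluates a message that spoofs the norton.com From: header, sent from an IP not in SPF and without a DKIM signature, first against the records as measured on this page and then against a hardened set. Assumptions, also marked in the code: the DMARC record is reconstructed as the minimal `v=DMARC1; p=quarantine` because the page reports only the policy tag, and the hardened records, the rua mailbox and the MTA-STS mx pattern are illustrative placeholders.

```python
"""Added example (not part of the original analysis, not Norton's own
configuration): DMARC-aware disposition of a spoofed norton.com message
under the measured posture and under the hardened posture recommended
above. Assumed values are marked inline."""

SPF_MEASURED = ("v=spf1 include:norton.com._nspf.vali.email "
                "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all")
SPF_HARDENED = SPF_MEASURED[:-len("~all")] + "-all"       # only the final qualifier changes

DMARC_MEASURED = "v=DMARC1; p=quarantine"                   # assumed minimal form of the record
DMARC_HARDENED = ("v=DMARC1; p=reject; pct=100; "
                  "rua=mailto:dmarc-rua@example.invalid")  # placeholder rua mailbox

MTA_STS_MEASURED = None                                     # no policy published
MTA_STS_HARDENED = ("version: STSv1\nmode: enforce\n"
                    "mx: *.example.invalid\nmax_age: 604800")  # placeholder mx pattern

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result_unlisted_ip(spf_record):
    """Result for a connecting IP that matches none of the include/ip terms,
    so evaluation falls through to the final 'all' mechanism (RFC 7208 s4.6.2)."""
    for term in spf_record.split()[1:]:              # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        if term.lstrip("+-~?").lower() == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"                                 # no 'all' term: default is neutral


def parse_tags(record):
    """'k=v; k=v' DMARC tag syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(dmarc_record, spf_result, spf_aligned, dkim_result, dkim_aligned):
    """RFC 7489 s6.6.2: DMARC passes only on an aligned SPF pass or an aligned
    DKIM pass. 'softfail' is not 'pass', so ~all gives the attacker nothing
    here; the policy tag decides what the receiver does with the failure."""
    if (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned):
        return "pass"
    return parse_tags(dmarc_record).get("p", "none")   # none / quarantine / reject


def legacy_receiver_accepts(spf_result):
    """A receiver that checks SPF but not DMARC: a hard fail is refused at
    SMTP time, a softfail is accepted and at most flagged."""
    return spf_result != "fail"


def mta_sts_mode(policy_text):
    """'mode' field of an MTA-STS policy file (RFC 8461 s3.2); None if absent."""
    if not policy_text:
        return None
    fields = dict(line.split(":", 1) for line in policy_text.splitlines() if ":" in line)
    return fields.get("mode", "").strip() or None


def downgrade_possible(policy_text):
    """Only mode: enforce lets a sending MTA refuse to fall back to plaintext
    or to an MX outside the policy; 'testing' and 'none' only report."""
    return mta_sts_mode(policy_text) != "enforce"


def spoof_verdict(spf_record, dmarc_record, mta_sts_policy):
    """Attacker sends from an IP not in SPF with MAIL FROM and From: both
    norton.com (so SPF is aligned) and no DKIM signature (dkim=none)."""
    spf = spf_result_unlisted_ip(spf_record)
    return {
        "spf": spf,
        "dmarc": dmarc_disposition(dmarc_record, spf, True, "none", False),
        "accepted_by_spf_only_receiver": legacy_receiver_accepts(spf),
        "tls_downgrade_possible": downgrade_possible(mta_sts_policy),
    }


if __name__ == "__main__":
    print("measured:", spoof_verdict(SPF_MEASURED, DMARC_MEASURED, MTA_STS_MEASURED))
    print("hardened:", spoof_verdict(SPF_HARDENED, DMARC_HARDENED, MTA_STS_HARDENED))
```

Two of the cases worth trying against `dmarc_disposition` are the ones the analysis hinges on: an SPF pass on the attacker's own MAIL FROM domain is unaligned and still fails DMARC, and a legitimate third-party sender that is missing from SPF but signs with a norton.com DKIM key still passes, which is why p=quarantine is safe for multi-sender setups.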