wiredepth

Spoofability verdict for nvidia.com

No - nvidia.com is not practically spoofable.


Nvidia has built a robust DMARC rejection policy that leaves almost no room for an attacker to impersonate nvidia.com convincingly. This is the gold standard: strong enough that legitimate mail servers can still authenticate, but tight enough to block spoofed traffic at the receiver.

  • DMARC policy=reject: Nvidia enforces rejection on authentication failure. Receivers will discard mail that has neither an aligned SPF pass nor an aligned DKIM pass. This is the strictest DMARC stance.
  • SPF softfail (~all): The softfail is technically weaker than a hardfail (-all), but the macro-based SPF record (via the vali.email include) suggests Nvidia uses a third-party validator to evaluate sender lists dynamically. In practice, legitimate mail passes; spoofed mail from an unlisted host does not pass SPF and so cannot satisfy DMARC through SPF.
  • DKIM enforced at 7 selectors: Nvidia publishes DKIM keys at multiple selectors (google, mandrill, k2, s1, selector1, selector2, s2), covering both internal mail systems and third-party senders (Mandrill, Google). An attacker would need a valid signature under one of these selectors, which means obtaining the corresponding private key, a very high bar.
  • MTA-STS missing: MTA-STS tells sending servers to require TLS with a validated certificate when delivering to a domain's MX hosts, which prevents interception and downgrade attacks in transit. Nvidia doesn't publish an MTA-STS policy, so a server delivering mail to nvidia.com can still be downgraded to unencrypted SMTP. This is a minor gap in an otherwise strong posture.

What this means practically

An attacker spoofing an address at nvidia.com would need to either produce a valid DKIM signature under one of Nvidia's selectors (extremely difficult; it would require stealing Nvidia's private keys) or send mail that passes SPF validation (which requires network-level access or compromise of an approved sender). In practice, unsigned or DKIM-forged mail bounces outright at major receivers (Gmail, Microsoft 365, etc.) due to the reject policy. MTA-STS is missing, so in-transit interception remains theoretically possible, though Nvidia's technical audience makes this less practical.

Bottom line: Nvidia has implemented email authentication at the level of a security-conscious technology company: DMARC reject + multi-selector DKIM makes spoofing effectively impossible without access to their infrastructure.

What we measured

  • DMARC policy [Enforced]: p=reject. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture [Partial]: ~all (softfail). SPF ends in ~all (softfail); receivers may accept but mark mail, so it is not enforced. Record: v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all
  • DKIM presence [Enforced]: found at 7 selectors. DKIM key found at selectors: google, k2, mandrill, s1, selector1, selector2, s2.
  • MTA-STS (transport) [Open]: missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
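The four measurements above and the two hardening steps, as an added worked example that is not wiredepth's own code. It evaluates DNS TXT record strings embedded inline: only the SPF record is the one quoted in the report; the DMARC record, the DKIM public keys, the MX host, the MTA-STS policy id and the reporting addresses are constructed placeholders, and the verdict rule (DMARC reject plus published DKIM keys) is an assumption about how the tool scores, not its actual logic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Selector names as listed in the report above.
DKIM_SELECTORS = ["google", "k2", "mandrill", "s1", "selector1", "selector2", "s2"]

# Constructed sample DNS data: only the SPF string is copied from the report.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "_dmarc.nvidia.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid",
    "nvidia.com": "v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all",
    "_mta-sts.nvidia.com": None,   # no MTA-STS TXT record published
    "_smtp._tls.nvidia.com": None,  # no TLS-RPT record published
}
for _sel in DKIM_SELECTORS:  # placeholder public keys, one per selector
    SAMPLE_DNS[f"{_sel}._domainkey.nvidia.com"] = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style TXT record (DMARC, DKIM, MTA-STS) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: Optional[str]) -> Tuple[str, str]:
    """Only p=reject applied to 100% of mail counts as fully enforced."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "Open", "no DMARC record"
    tags = parse_tags(record)
    policy, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "Enforced", f"p=reject (pct={pct})"
    if policy in ("reject", "quarantine"):
        return "Partial", f"p={policy} (pct={pct})"
    return "Open", f"p={policy}"

def check_spf(record: Optional[str]) -> Tuple[str, str]:
    """The qualifier on the trailing 'all' decides what unlisted senders get."""
    if not record or not record.lower().startswith("v=spf1"):
        return "Open", "no SPF record"
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    qualifier = (match.group(1) or "+") if match else None
    if qualifier == "-":
        return "Enforced", "-all (hardfail)"
    if qualifier == "~":
        return "Partial", "~all (softfail)"
    label = f"{qualifier}all" if qualifier else "no 'all' mechanism"
    return "Open", f"{label} (unlisted senders are not rejected)"

def check_dkim(dns: Dict[str, Optional[str]], domain: str, selectors: List[str]) -> Tuple[str, str]:
    """A selector counts only if its record carries a non-empty public key (p=)."""
    found = []
    for sel in selectors:
        record = dns.get(f"{sel}._domainkey.{domain}")
        if record and parse_tags(record).get("p"):
            found.append(sel)
    if found:
        return "Enforced", f"found at {len(found)} selectors: {', '.join(sorted(found))}"
    return "Open", "no DKIM keys found at the known selectors"

def check_mta_sts(dns: Dict[str, Optional[str]], domain: str, policy_text: Optional[str]) -> Tuple[str, str]:
    """Needs the _mta-sts TXT record and a served policy file whose mode is enforce."""
    txt = dns.get(f"_mta-sts.{domain}")
    if not txt or not txt.lower().startswith("v=stsv1"):
        return "Open", "no MTA-STS policy"
    if not policy_text:
        return "Open", "TXT record present but no policy file served"
    fields = dict(line.split(":", 1) for line in policy_text.splitlines() if ":" in line)
    mode = fields.get("mode", "none").strip()
    return {"enforce": ("Enforced", "mode: enforce"),
            "testing": ("Partial", "mode: testing (reports only)")}.get(mode, ("Open", f"mode: {mode}"))

def assess(domain: str, dns: Dict[str, Optional[str]], selectors: List[str], policy_text: Optional[str] = None):
    """Run the four checks from the report and return {check name: (status, detail)}."""
    return {
        "DMARC policy": check_dmarc(dns.get(f"_dmarc.{domain}")),
        "SPF posture": check_spf(dns.get(domain)),
        "DKIM presence": check_dkim(dns, domain, selectors),
        "MTA-STS (transport)": check_mta_sts(dns, domain, policy_text),
    }

def verdict(results: Dict[str, Tuple[str, str]]) -> str:
    """Assumed rule: enforced DMARC reject plus published DKIM keys blocks forged mail."""
    if results["DMARC policy"][0] == "Enforced" and results["DKIM presence"][0] == "Enforced":
        return "No - not practically spoofable"
    if results["DMARC policy"][0] == "Open":
        return "Yes - no DMARC enforcement"
    return "Partially - enforcement is incomplete"

def harden(domain: str, dns: Dict[str, Optional[str]], mx_hosts: List[str], report_addr: str):
    """Apply both recommendations: ~all -> -all, then MTA-STS in enforce mode plus TLS-RPT.
    Returns the updated DNS map and the policy file text; the id is a placeholder."""
    out = dict(dns)
    out[domain] = re.sub(r"~all(?=\s|$)", "-all", out[domain] or "")
    out[f"_mta-sts.{domain}"] = "v=STSv1; id=PLACEHOLDER_ID"
    out[f"_smtp._tls.{domain}"] = f"v=TLSRPTv1; rua=mailto:{report_addr}"
    policy = "version: STSv1\nmode: enforce\n" + "".join(f"mx: {h}\n" for h in mx_hosts) + "max_age: 604800\n"
    return out, policy

if __name__ == "__main__":
    for name, (status, detail) in assess("nvidia.com", SAMPLE_DNS, DKIM_SELECTORS).items():
        print(f"{status:9} {name}: {detail}")
```

Running the module prints the same four status rows as the report. The policy text returned by harden is what a domain would serve at https://mta-sts.<domain>/.well-known/mta-sts.txt; the mx lines must name the domain's real MX hosts, and the id in the TXT record has to change on every policy edit or sending servers keep their cached copy.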
