wiredepth

Spoofability verdict for oracle.com

No - oracle.com is not practically spoofable.


Oracle has deployed a hardened email authentication posture: a DMARC reject policy combined with DKIM keys published at every discovered selector. Together these make oracle.com mail difficult to spoof at scale.

  • DMARC policy=reject: Hard reject on failed authentication. Any email claiming to be from oracle.com that fails DMARC alignment (neither an aligned SPF pass nor an aligned DKIM signature) will be rejected outright by compliant receivers. This is the strictest DMARC policy available.
  • SPF with ~all (softfail): Includes five Oracle-controlled SPF blocks (spf_s, spf_r, spf_c, spf_x, spf_z) plus stspg-customer.com, covering most legitimate senders. Softfail (~all) is gentler than hardfail, but combined with enforced DKIM and DMARC reject, it doesn't weaken the overall posture.
  • DKIM at 4 selectors (mandrill, s1, dkim, s2): Multiple signing selectors publish keys for the domain. The mandrill selector suggests transactional mail infrastructure; s1, dkim and s2 cover internal and third-party signer rotation. A DKIM key was found at all four selectors.
  • MTA-STS missing: No MTA-STS policy to enforce TLS in transit or require certificate validation. This doesn't break email authentication, but it leaves a small window for downgrade attacks and MitM attempts during the SMTP handshake.

What this means practically

An attacker would struggle to send mail that passes as oracle.com. Even if they forge an address, Gmail, Microsoft 365, and other major receivers will reject or heavily quarantine the message because it will fail DMARC alignment (no aligned SPF pass or DKIM signature from an oracle.com authority). Bulk spoofing oracle.com is not practical; targeted phishing attempts would require compromising Oracle's own mail infrastructure or that of trusted senders in the SPF include list.

Bottom line: Oracle.com combines a DMARC reject policy with DKIM at every discovered selector and a well-populated SPF chain, a textbook hard-to-spoof configuration that makes it one of the more secure large corporate domains.

What we measured

  • DMARC policy: p=reject (Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: ~all (softfail) (Partial). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
    Record: v=spf1 include:spf_s.oracle.com include:spf_r.oracle.com include:spf_c.oraclecloud.com include:spf_x.oracle.com include:spf_z.oracle.com include:stspg-customer.com ~all
  • DKIM presence: found at 4 selectors (Enforced). DKIM key found at selectors: mandrill, s1, s2, dkim.
  • MTA-STS (transport): missing (Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
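As an added illustration, not part of the wiredepth report, the following Python checker classifies the three DNS-visible checks above (DMARC, SPF, MTA-STS) with the same Enforced/Partial/Open labels and applies step 1 of the fix to the SPF record. The SPF text is the record shown on this page; the DMARC and MTA-STS values are constructed to match the reported verdicts, and DKIM is left out because it needs live DNS lookups per selector.

```python
import re

# Sample records for oracle.com. SPF_TXT is the record shown in the report;
# DMARC_TXT and MTA_STS_TXT are constructed to match the reported verdicts.
SPF_TXT = ("v=spf1 include:spf_s.oracle.com include:spf_r.oracle.com "
           "include:spf_c.oraclecloud.com include:spf_x.oracle.com "
           "include:spf_z.oracle.com include:stspg-customer.com ~all")
DMARC_TXT = "v=DMARC1; p=reject; pct=100"  # constructed: "p=reject (pct=100)"
MTA_STS_TXT = None                          # constructed: no _mta-sts TXT record


def spf_posture(spf_txt):
    """Classify an SPF record by the qualifier on its terminal 'all' mechanism."""
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return "Open"
    qualifier = next((t[0] if t[0] in "+-~?" else "+"
                      for t in spf_txt.split() if t.lstrip("+-~?") == "all"), None)
    return {"-": "Enforced", "~": "Partial"}.get(qualifier, "Open")


def dmarc_posture(dmarc_txt):
    """Classify a DMARC record; pct below 100 dilutes an otherwise strict policy."""
    if not dmarc_txt or not dmarc_txt.upper().startswith("V=DMARC1"):
        return "Open"
    tags = dict(re.findall(r"\s*(\w+)\s*=\s*([^;]+)", dmarc_txt))
    policy = tags.get("p", "none").strip().lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "Enforced"
    return "Partial" if policy in ("reject", "quarantine") else "Open"


def mta_sts_posture(mta_sts_txt, policy_mode=None):
    """MTA-STS needs both the _mta-sts TXT record and a policy file in enforce mode."""
    if not mta_sts_txt:
        return "Open"
    return {"enforce": "Enforced", "testing": "Partial"}.get(policy_mode, "Open")


def harden_spf(spf_txt):
    """Step 1 of the fix: replace a soft/neutral/pass terminal 'all' with -all."""
    return re.sub(r"\s[~?+]?all$", " -all", spf_txt.strip())


def evaluate(spf_txt=SPF_TXT, dmarc_txt=DMARC_TXT, mta_sts_txt=MTA_STS_TXT):
    """Per-check verdicts in the report's Enforced/Partial/Open vocabulary."""
    return {"DMARC policy": dmarc_posture(dmarc_txt),
            "SPF posture": spf_posture(spf_txt),
            "MTA-STS (transport)": mta_sts_posture(mta_sts_txt)}
```

Running evaluate() on the sample records reproduces the report (DMARC Enforced, SPF Partial, MTA-STS Open), and spf_posture(harden_spf(SPF_TXT)) shows the SPF check moving to Enforced once the qualifier is tightened.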
