wiredepth

Spoofability verdict for orange.com

Yes - orange.com is spoofable today.


Orange has a strong SPF policy but has not activated the DMARC enforcement that turns that policy into actual spoofing prevention. The result is a classic mismatch: tight SPF but no enforcement mechanism.

  • SPF with -all (hardfail): the SPF record is comprehensive (7 include: sub-records: spffed-ip, spffed-mm, _spf1, _spf2, spfe, spff, spf6a) and terminates with -all, which should reject non-matching senders. This is the foundation of a strong posture.
  • DMARC policy=none: the DMARC policy is 'monitor only' with no enforcement. Receiving servers are told to accept messages that fail authentication; SPF and DKIM failures do not block mail. An attacker can therefore spoof orange.com even though SPF evaluation rejects the message, because DMARC will not enforce that rejection.
  • DKIM: no selectors found: probing 22 common selectors found zero DKIM keys. Without DKIM there is no domain-based signature verification, and combined with p=none this leaves no secondary authentication path.
  • MTA-STS: missing: MTA-STS would enforce TLS transport to Orange's mail servers and authenticate them via certificate. Its absence is less critical than DMARC/DKIM failures, but it removes a layer of in-transit protection.

What this means practically

An attacker can craft email from [email protected] and send it to any inbox. SPF will correctly reject it at Orange's border, but DMARC's p=none policy tells receiving servers (Gmail, Outlook, etc.) to accept it anyway. In practice such spoofed mail lands reliably in user inboxes, because major receivers follow the published DMARC policy verbatim. Orange's customers and partners are therefore exposed to credential phishing and brand impersonation.

Bottom line: Orange built the infrastructure to reject spoofs but deliberately chose not to enforce it; switching DMARC from p=none to p=reject would immediately close this gap.

What we measured

  • DMARC policy: Open. Value: p=none. DMARC at p=none means receivers are told NOT to act on authentication failures; spoofed mail will not be blocked.
  • SPF posture: Enforced. Value: -all (hardfail). SPF ends in -all (hardfail), so receivers reject mail from IPs not in the policy. Published record:
    v=spf1 include:spffed-ip.orange.com include:spffed-mm.orange.com include:_spf1.orange.com include:_spf2.orange.com include:spfe.orange.com include:spff.orange.com include:spf6a.orange.com -all
  • DKIM presence: Open. Value: no key found at common selectors. No DKIM key was found at any of the 22 common selectors. (Your domain may publish a DKIM key at a less-common selector; this is a heuristic, not exhaustive.)
  • MTA-STS (transport): Open. Value: missing. No MTA-STS policy; inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Enforce DMARC. A p=none record with a rua= report destination gathers data on who is sending as your domain; use that data to progress to p=quarantine and then p=reject.
  2. Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list. That's fine, but it is worth verifying with your mail provider.
  3. Publish an MTA-STS policy in enforce mode, plus a TLS-RPT reporting endpoint.
