wiredepth

Spoofability verdict for paypal.com

No - paypal.com is not practically spoofable.


PayPal has deployed serious email authentication controls across the board. This is the posture you should expect from any large financial institution: hard rejections with DMARC, cryptographic signing, and a clear refusal to accept forgery.

  • DMARC policy=reject: Any email failing DMARC checks is actively rejected at the receiving end—no fallback to spam folder, no second chances. This is the strongest enforcement available.
  • SPF with ~all (softfail): SPF is correctly configured with multiple legitimate sending paths (PayPal's own infrastructure, SendGrid for transactional mail, Pardot for marketing). The softfail qualifier (~all) rather than hardfail (-all) is conservative but doesn't weaken the DMARC reject policy that sits above it.
  • DKIM at 2 selectors: PayPal rotates signing keys (s1, s2), meaning stolen or compromised keys can be revoked while mail in transit stays valid. Every message is cryptographically signed and verifiable.
  • MTA-STS missing: MTA-STS enforces encrypted transport between mail servers. Its absence is a minor gap, but DMARC rejection means spoofed mail doesn't reach inboxes regardless of transport encryption status.

What this means practically

An attacker cannot realistically impersonate paypal.com. DMARC reject means any forged message (from a different IP, with a fake signature, or without one at all) is refused before it reaches a user's inbox. Even if an attacker somehow bypasses SPF or DKIM, the hard DMARC policy stops the attack. PayPal's multi-path SPF setup also makes it difficult to guess legitimate sending infrastructure.

Bottom line: PayPal's authentication posture is well-hardened for a financial institution; spoofing paypal.com in bulk is not a practical threat.
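To make the interaction described above concrete, the following Python example (added here; it is not part of the wiredepth report or its tooling) parses the SPF record quoted on this page together with a constructed DMARC record consistent with p=reject and pct=100, and evaluates the disposition a receiver would apply to a message. The organizational-domain check uses the last two labels as a simplification of the Public Suffix List rule.

```python
import re

# Constructed inputs. SPF_RECORD is the record quoted in the report above;
# DMARC_RECORD is an assumed sample consistent with p=reject and pct=100.
SPF_RECORD = ("v=spf1 include:pp._spf.paypal.com include:3ph1._spf.paypal.com "
              "include:3ph2._spf.paypal.com include:3ph3._spf.paypal.com "
              "include:3ph4._spf.paypal.com include:sendgrid.net "
              "include:aspmx.pardot.com ~all")
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.invalid"

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_default_qualifier(record):
    """Qualifier on the trailing 'all' mechanism: '-' hardfail, '~' softfail,
    '?' neutral, '+' pass. A record with no 'all' behaves as neutral."""
    match = re.search(r"(?:^|\s)([-~?+]?)all\s*$", record)
    if match is None:
        return "?"
    return match.group(1) or "+"

def org_domain(domain):
    """Relaxed alignment compares organizational domains. Taking the last two
    labels is a simplification (assumption); real receivers consult the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with the
    From: domain. Otherwise the published p= applies to pct% of failing mail.
    An SPF softfail is simply 'not pass' here, which is why ~all vs -all does
    not change the outcome once p=reject sits above it."""
    tags = parse_tags(dmarc_record)
    def aligned(domain):
        return domain is not None and org_domain(domain) == org_domain(from_domain)
    if (spf_result == "pass" and aligned(spf_domain)) or \
       (dkim_result == "pass" and aligned(dkim_domain)):
        return "pass"
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    return policy if pct == 100 else f"{policy} (applied to {pct}% of failing mail)"
```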

What we measured

  • DMARC policy: p=reject (Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: ~all (softfail) (Partial). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record:
    v=spf1 include:pp._spf.paypal.com include:3ph1._spf.paypal.com include:3ph2._spf.paypal.com include:3ph3._spf.paypal.com include:3ph4._spf.paypal.com include:sendgrid.net include:aspmx.pardot.com ~all
  • DKIM presence: found at 2 selectors (Enforced). DKIM key found at selectors: s1, s2.
  • MTA-STS (transport): missing (Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorized senders is confirmed complete.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
