wiredepth

Spoofability verdict for plaid.com

No - plaid.com is not practically spoofable.

Plaid has built a genuinely strong email authentication posture, and it shows in a published policy that tells receiving mail servers to refuse unauthenticated mail claiming to come from its domain.

  • DMARC p=reject (enforced): Plaid's DMARC policy requires all mail claiming to be from plaid.com to pass aligned authentication (a DKIM signature or an SPF check). Mail that fails is rejected outright rather than quarantined or allowed through; this is the strictest policy DMARC offers.
  • SPF softfail (~all): Plaid's SPF record lists nine authorised senders (Google, AWS SES, Marketo, Zendesk, and others) but ends in ~all (softfail) rather than -all (hardfail). A softfail only marks mail from an unlisted source as suspicious; DMARC still rejects such mail when DKIM also fails, but SPF on its own will not cause a rejection.
  • DKIM at 2 selectors (google, k1): DKIM public keys were found at two distinct selectors, which supports key rotation without an outage. Combined with the DMARC reject policy, mail that carries no valid aligned signature (and does not pass SPF) is rejected.
  • MTA-STS missing: Plaid does not publish an MTA-STS policy, so a network attacker positioned between a sending server and Plaid's MX could strip STARTTLS or redirect delivery through DNS/MX manipulation. This affects the confidentiality of mail in transit to plaid.com; it does not weaken the DMARC rejection that stops spoofed mail from plaid.com on arrival.

What this means practically

An attacker cannot send plaid.com mail that will be accepted by a DMARC-enforcing receiver. Mail servers will reject it at the DMARC stage because it fails authentication. Even if an attacker compromises one of Plaid's nine authorised sending partners (Google Workspace, Salesforce, Zendesk, etc.), the DMARC policy still holds: mail must carry valid DKIM or SPF. A network-level attacker could theoretically intercept mail in transit (MTA-STS is missing), but that attack is far more difficult and detectable than spoofing.

Bottom line: Plaid has made spoofing its domain infeasible for practical attackers; publishing MTA-STS would close the last gap.

What we measured

  • [Enforced] DMARC policy: p=reject. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • [Partial] SPF posture: ~all (softfail). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
    Record: v=spf1 include:_spf.google.com include:amazonses.com include:mktomail.com include:mail.zendesk.com include:stspg-customer.com include:_spf.qualtrics.com include:servers.mcsv.net include:_spf.salesforce.com ~all
  • [Enforced] DKIM presence: found at 2 selectors. DKIM key found at selectors: google, k1.
  • [Open] MTA-STS (transport): missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorised senders is confirmed complete, so that mail from any unlisted source fails SPF outright.
  2. Publish an MTA-STS policy in enforce mode, together with a TLS-RPT record so that sending servers can report TLS delivery failures to you.