wiredepth
Run a check

Spoofability verdict for purolator.com

No - purolator.com is not practically spoofable.

See the math

Purolator has built a straightforward, effective anti-spoofing posture: hard rejection of unauthenticated mail at the DMARC layer, backed up by SPF hardfail and multiple DKIM selectors in active use.

  • DMARC policy=reject: Any mail claiming to come from purolator.com but failing SPF *or* DKIM authentication is rejected outright by receivers. This is the strongest DMARC posture and leaves no room for spoofed mail to land in inboxes.
  • SPF hardfail (-all): Purolator's SPF record explicitly rejects any IP not in their authorised sender list. The -all mechanism enforces a hardstop; mail from any other source is rejected, not softly deferred.
  • DKIM at 5 selectors (selector1, s2, s1, k1, selector2): Multiple active DKIM selectors indicate a mature key-rotation practice and diverse sending infrastructure. An attacker cannot spoof DKIM signatures without the private keys.
  • MTA-STS missing: MTA-STS prevents downgrade attacks on the SMTP connection itself. Its absence doesn't weaken mail authentication, but adding it would harden delivery against man-in-the-middle interception of mail in transit.

What this means practically

An attacker cannot practically send mail from purolator.com. Gmail, Outlook, and other major receivers will reject any message claiming the Purolator domain unless it passes both SPF (authorised IP) and DKIM (valid signature). Spoofed logistics alerts or shipping notifications claiming to be from Purolator will not reach user inboxes at scale.

Bottom line: Purolator has deployed the standard defensive playbook correctly and enforced it at policy level—spoofing their domain is not a practical attack vector.

What we measured

Enforced

DMARC policy

p=reject

inspect →

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Enforced

SPF posture

-all (hardfail)

inspect →

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all

Enforced

DKIM presence

found at 5 selectors

inspect →

DKIM key found at selectors: k1, s1, s2, selector1, selector2.

Open

MTA-STS (transport)

missing

inspect →

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.

Check another domain