wiredepth

Spoofability verdict for salesforce.com

No - salesforce.com is not practically spoofable.


Salesforce has built a fortress of email authentication: their DMARC policy sits at reject with 100% enforcement, backed by valid SPF and multiple live DKIM selectors. An attacker cannot realistically send mail that will pass checks on the receiving end.

  • DMARC p=reject at 100%: Any email claiming to be from salesforce.com that fails DMARC alignment is rejected outright—no quarantine, no pass-through. This is the highest enforcement level.
  • SPF with softfail (~all): SPF authorizes Google and Salesforce's own infrastructure, plus an exists: mechanism that is evaluated per connecting IP (the %{i} macro) for dynamic checks. The softfail on every other source means strict receivers (Gmail, Office 365, many corporate gateways) will reject or downgrade unauthenticated mail anyway, especially when combined with DMARC p=reject.
  • DKIM: 4 live selectors detected: Multiple active DKIM keys (google, mandrill, s2, s1) mean legitimate Salesforce systems can sign their mail cryptographically. Attackers cannot forge these signatures without stealing private keys.
  • MTA-STS: not deployed: MTA-STS would prevent on-path downgrade attacks during STARTTLS negotiation, but its absence here is a minor point given the strong DMARC+SPF+DKIM posture already in place.

What this means practically

An attacker sending mail as salesforce.com will fail SPF, DKIM, or both on the first attempt. When that mail arrives at Gmail, Outlook, or any major mailbox, the DMARC p=reject policy triggers and the message is deleted or hard-bounced. Even if an attacker spoofs the From header in isolation, the authentication checks catch the forgery before it reaches a user's inbox. This vendor has closed off the primary spoofing attack vector.

Bottom line: Salesforce is not spoofable in practice; their DMARC reject policy with 100% enforcement, valid SPF, and live DKIM keys make authenticated forgery prohibitively difficult for attackers.

What we measured

  • DMARC policy: p=reject [Enforced]. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: ~all (softfail) [Partial]. SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
    Record: v=spf1 include:_spf.google.com include:_spf.salesforce.com exists:%{i}._spf.corp.salesforce.com ~all
  • DKIM presence: found at 4 selectors [Enforced]. DKIM key found at selectors: google, mandrill, s2, s1.
  • MTA-STS (transport): missing [Open]. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
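As an added example (not wiredepth's own code), the grading this report applies, written out in Python: it parses the SPF record shown above, an assumed DMARC TXT text consistent with the reported p=reject / pct=100, the four DKIM selectors and the MTA-STS status, and reproduces the Enforced/Partial/Open labels, the spoofability verdict and the two fixes. All inputs are constructed; nothing here queries DNS.

```python
import re

# Constructed inputs. SPF_RECORD is the record shown on this page; DMARC_RECORD is an
# assumed text matching the reported p=reject, pct=100 (the page does not print it).
SPF_RECORD = ("v=spf1 include:_spf.google.com include:_spf.salesforce.com "
              "exists:%{i}._spf.corp.salesforce.com ~all")
DMARC_RECORD = "v=DMARC1; p=reject; pct=100"
DKIM_SELECTORS = ["google", "mandrill", "s2", "s1"]  # selectors where a key was found
MTA_STS_RECORD = None                                # no _mta-sts TXT record published

def spf_all_qualifier(record):
    """Qualifier of the trailing 'all' term ('-' hardfail, '~' softfail, '?' neutral,
    '+' pass); None if not an SPF record; no 'all' term at all means neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    m = re.fullmatch(r"([+\-~?]?)all", terms[-1], re.IGNORECASE)
    return (m.group(1) or "+") if m else "?"

def dmarc_policy(record):
    """Return (p, pct) from a DMARC record, pct defaulting to 100; None if invalid."""
    tags = {}
    for tag in record.split(";"):
        if "=" in tag:
            k, v = tag.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags["p"].lower(), int(tags.get("pct", "100"))

def assess(spf, dmarc, dkim_selectors, mta_sts):
    """Grade each control like the report above, give the verdict, list the fixes."""
    q = spf_all_qualifier(spf)
    p, pct = dmarc_policy(dmarc) or ("none", 0)
    grades = {
        "DMARC": "Enforced" if (p == "reject" and pct == 100)
                 else ("Open" if p == "none" else "Partial"),
        "SPF": "Enforced" if q == "-" else ("Partial" if q == "~" else "Open"),
        "DKIM": "Enforced" if dkim_selectors else "Open",
        "MTA-STS": "Enforced" if mta_sts else "Open",
    }
    fixes = []
    if q != "-":
        fixes.append("Tighten SPF to -all once the list of senders is right")
    if not mta_sts:
        fixes.append("Publish an MTA-STS policy in enforce mode plus TLS-RPT")
    # Forged mail survives only if DMARC is not fully enforced, or '+all' lets any IP pass SPF.
    spoofable = grades["DMARC"] != "Enforced" or q == "+"
    return spoofable, grades, fixes
```

Running `assess(SPF_RECORD.replace("~all", "-all"), DMARC_RECORD, DKIM_SELECTORS, "v=STSv1; id=1")` shows every control moving to Enforced once both fixes are applied.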
