Spoofability verdict for samsung.com
Yes - samsung.com is spoofable today.
See the math
Samsung's email posture sits in the most dangerous category: the foundations (SPF, DKIM) are in place, but nothing ties them together with enforcement. DMARC policy=none means Samsung asks receivers to take no action on alignment failures, a choice that leaves spoofing wide open.
- DMARC policy=none: p=none is a monitoring setting, not protection. It asks receivers to deliver mail as usual even when neither SPF nor DKIM passes in alignment with the From domain, and to send reports instead. It is the first stage of a DMARC rollout and offers nothing against forgery until it is moved to quarantine or reject.
- SPF softfail (~all): ~all means the domain owner believes mail from an unlisted host is probably not authorized, but does not want it rejected on that basis alone. Most receivers deliver softfailed mail and at most adjust a spam score. For DMARC only an SPF pass counts, so softfail and hardfail are equivalent once DMARC is enforced; the difference matters only where, as here, it is not.
- DKIM at k2 selector: Samsung publishes a DKIM public key at selector k2. A valid signature with d=samsung.com proves the message was signed by a holder of Samsung's private key and that the signed parts were not altered. DKIM says nothing about mail that carries no signature, and without DMARC enforcement receivers have no policy-backed reason to act when a message has no aligned signature.
- MTA-STS missing: MTA-STS tells sending servers that mail to samsung.com must be delivered over TLS to the listed MX hosts, which blocks STARTTLS stripping and spoofed MX answers from downgrading or redirecting inbound mail. Its absence leaves inbound transport exposed to interception. It does not affect whether samsung.com can be forged as a sender; that is DMARC's job.
What this means practically
An attacker can forge samsung.com in the From line and send to any inbox. Sending from their own server, the message gets an SPF softfail (or an SPF pass on an unrelated MAIL FROM domain that does not align with samsung.com) and no aligned DKIM signature, so DMARC fails; but p=none asks receivers to take no action, and delivery comes down to each receiver's own spam filtering. An attacker who can relay through Samsung's real mail servers, via compromised credentials or an open relay, is a different case: that mail passes SPF and, if the relay signs, DKIM, at any policy level, so no DMARC setting stops it and the fix lies in account and relay security. For the ordinary forgery, receivers will see a legitimate-looking Samsung email with no obvious red flags. The only friction is that some enterprise filters and large consumer providers may score such mail as suspicious or mark it as unauthenticated, but many smaller organizations and mail providers will accept it.
Bottom line: Samsung has built the blocks but refused to stack them; DMARC policy=none nullifies the entire system and leaves the door wide open to spoofing.
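The scenarios above worked through as a receiver would compute them, following the DMARC evaluation rules in RFC 7489 section 6.6. This is an added example, not code from the original report; the three messages are constructed, the attacker domain evil.example is a placeholder, and the organizational-domain helper is a simplification (real receivers use the Public Suffix List).

```python
"""DMARC disposition for one message, with the spoof scenarios from the text.
Added example; message records below are constructed, not captured."""

from dataclasses import dataclass


def org_domain(name: str) -> str:
    """Organizational domain approximated as the last two labels.

    ASSUMPTION / simplification: receivers use the Public Suffix List so
    that e.g. 'co.uk' is not treated as an organizational domain.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, strict: bool) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed
    only needs the same organizational domain."""
    a = identifier_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain the user sees
    spf_result: str    # 'pass', 'softfail', 'fail', 'neutral', 'none'
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated on
    dkim_result: str   # 'pass', 'fail', 'none'
    dkim_domain: str   # d= tag of the verified signature ('' if none)


def dmarc_disposition(r: AuthResults, policy: str,
                      aspf: str = "r", adkim: str = "r") -> dict:
    """Return the DMARC verdict a receiver derives for one message.

    Only an SPF *pass* counts; softfail, fail and neutral are all 'not pass'
    for DMARC, which is why ~all versus -all stops mattering once DMARC is
    enforced.
    """
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf == "s")
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim == "s")
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # Disposition the domain owner *requests*; 'none' leaves the decision
        # to the receiver's own spam filtering, the samsung.com situation.
        "disposition": "none" if passed else policy,
    }


# --- constructed scenarios (not real captured mail) ------------------------

# 1. Attacker's own server, samsung.com forged in From and MAIL FROM.
#    samsung.com's SPF ends in ~all -> softfail; no DKIM signature.
SPOOF_OWN_SERVER = AuthResults("samsung.com", "softfail", "samsung.com", "none", "")

# 2. Attacker uses their own domain for MAIL FROM and DKIM so both *pass*,
#    but neither identifier aligns with the From domain.
SPOOF_UNALIGNED = AuthResults("samsung.com", "pass", "evil.example", "pass", "evil.example")

# 3. Legitimate mail signed with the k2 selector key (d=samsung.com).
LEGIT = AuthResults("samsung.com", "pass", "samsung.com", "pass", "samsung.com")


def compare_policies(r: AuthResults) -> dict:
    """Disposition of the same message under p=none, p=quarantine, p=reject."""
    return {p: dmarc_disposition(r, p)["disposition"]
            for p in ("none", "quarantine", "reject")}


if __name__ == "__main__":
    for name, msg in [("spoof via own server", SPOOF_OWN_SERVER),
                      ("spoof with unaligned auth", SPOOF_UNALIGNED),
                      ("legitimate", LEGIT)]:
        print(f"{name:28s} {compare_policies(msg)}")
```

Both spoof scenarios yield a DMARC fail; the only thing that changes between p=none and p=reject is what the domain owner asks the receiver to do with that failure. The legitimate message passes under every policy, which is the point of moving to enforcement: it costs nothing for properly authenticated mail.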
What we measured
Status     Check                  Result
Open       DMARC policy           p=none
           DMARC at p=none. Receivers are told NOT to act on authentication failures; spoofed mail will not be blocked.
Partial    SPF posture            ~all (softfail)
           SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
           Record: v=spf1 include:_spf.samsung.com ~all
Enforced   DKIM presence          found at 1 selector
           DKIM key found at selector: k2.
Open       MTA-STS (transport)    missing
           No MTA-STS policy. Inbound mail can be downgraded to plaintext or redirected via spoofed MX/DNS answers or STARTTLS stripping.
How to make it un-spoofable
- Move DMARC from p=none to enforcement. The record already exists; add a rua= report destination if one is missing, review the aggregate reports until every legitimate sender passes SPF or DKIM in alignment, then step to p=quarantine (optionally ramping with pct=) and finally p=reject.
- Tighten SPF from ~all (softfail) to -all (hardfail) once the sender list is confirmed. DMARC already treats softfail as a non-pass, so this mainly affects receivers that check SPF on its own.
- Publish an MTA-STS policy in enforce mode (the _mta-sts DNS record plus the policy file served over HTTPS from the mta-sts subdomain) together with a TLS-RPT record (_smtp._tls) so delivery failures are reported back.
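The checks behind the "What we measured" table and the target state of the list above, side by side, as an added example that is not part of the original report. The SPF record is the one quoted for samsung.com; the DMARC and MTA-STS texts are constructed to illustrate the weak and hardened states, and the report address and MX hostname in the hardened set are placeholders.

```python
"""Grade DMARC / SPF / MTA-STS records for the weaknesses the report flags.
Added example; records marked below are constructed, not fetched from DNS."""

from typing import Dict, List, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', ...}.
    The same tag=value syntax is used by the _mta-sts TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_all_qualifier(txt: str) -> Optional[str]:
    """Qualifier on the 'all' mechanism: '-', '~', '?' or '+' (the default
    when none is written). None if the record has no 'all' term."""
    for term in txt.split():
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def parse_mta_sts(policy_txt: Optional[str]) -> Dict[str, List[str]]:
    """Parse the policy body served at /.well-known/mta-sts.txt
    ('key: value' lines; 'mx' may repeat)."""
    if not policy_txt:
        return {}
    fields: Dict[str, List[str]] = {}
    for line in policy_txt.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip(), []).append(v.strip())
    return fields


def grade(dmarc_txt: Optional[str], spf_txt: Optional[str],
          mta_sts_txt: Optional[str]) -> List[str]:
    """Findings a reviewer would raise for this posture; empty list = clean."""
    findings = []

    d = parse_dmarc(dmarc_txt or "")
    if d.get("v") != "DMARC1":
        findings.append("DMARC: no record")
    else:
        if d.get("p", "none") == "none":
            findings.append("DMARC: p=none, spoofed mail is not blocked")
        elif d.get("p") == "quarantine":
            findings.append("DMARC: p=quarantine, consider p=reject")
        if "rua" not in d:
            findings.append("DMARC: no rua= aggregate reporting")
        if d.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={d['pct']}, policy applied only to a sample")

    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        findings.append("SPF: no record")
    else:
        q = spf_all_qualifier(spf_txt)
        if q in ("~", "?", None):
            findings.append(f"SPF: ends in {q or 'no '}all, not -all")
        elif q == "+":
            findings.append("SPF: +all authorizes every host")

    m = parse_mta_sts(mta_sts_txt)
    if not m:
        findings.append("MTA-STS: no policy")
    elif m.get("mode") != ["enforce"]:
        findings.append(f"MTA-STS: mode={m.get('mode')}, not enforce")
    return findings


# Weak posture: what the report measured. DMARC text is constructed
# (the report only states p=none); MTA-STS is absent.
WEAK = dict(
    dmarc_txt="v=DMARC1; p=none",
    spf_txt="v=spf1 include:_spf.samsung.com ~all",
    mta_sts_txt=None,
)

# Hardened posture the list above describes. Report address and MX host
# are placeholders (constructed), not Samsung's.
HARDENED = dict(
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid; aspf=s; adkim=s",
    spf_txt="v=spf1 include:_spf.samsung.com -all",
    mta_sts_txt="version: STSv1\nmode: enforce\nmx: mail.example.invalid\nmax_age: 604800\n",
)

if __name__ == "__main__":
    print("weak:    ", grade(**WEAK))
    print("hardened:", grade(**HARDENED))
```

To run this against a live domain, feed grade() the TXT record at _dmarc.<domain>, the v=spf1 TXT record at the apex, and the body fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt; the parsers take the raw strings so the DNS and HTTPS lookups stay outside the example.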