Spoofability verdict for sap.com
No - sap.com is not practically spoofable.
SAP has implemented the core anti-spoofing stack: a hard DMARC reject policy, an SPF redirect for centralized domain protection, and active DKIM signing across multiple selectors. Email spoofing attempts against sap.com will fail at scale.
- DMARC policy=reject; pct=100; adkim=s; aspf=s: SAP rejects all messages failing DMARC checks with no exceptions (pct=100). Strict DKIM and SPF alignment requirements mean forged mail won't authenticate regardless of which control the attacker targets.
- SPF redirect=_spf.sap.com: the top-level SPF record delegates evaluation to an external record via redirect, centralizing the list of approved sending IPs. While the qualifier is neutral (no explicit -all hardfail), the redirect architecture still prevents casual spoofing from random IPs.
- DKIM at 2 selectors (selector1, selector2): Active DKIM signing on multiple selectors ensures outbound mail carries cryptographic proof of origin. An attacker cannot forge this signature without the private key.
- MTA-STS: mode=missing: MTA-STS is absent, so SAP doesn't enforce encrypted transit between mail servers. This doesn't enable spoofing but leaves a gap in defense-in-depth for in-flight interception.
What this means practically
An attacker trying to send email as sap.com will be rejected at the receiving end in nearly all cases. Gmail, Microsoft 365, and other major mailbox providers apply DMARC checks and will hard-reject messages claiming the sap.com domain if they fail DKIM or SPF authentication. The attacker would need SAP's DKIM private keys or a place on its approved IP list to succeed, and that is not a spoofing attack; that is a compromise.
Bottom line: SAP has closed the door. A reject-at-scale DMARC policy backed by SPF and DKIM makes spoofing sap.com mail impractical for any attacker without SAP's own keys or infrastructure.
What we measured
- Enforced. DMARC policy: p=reject. DMARC at p=reject (pct=100); spoofed mail is rejected at SMTP.
- Partial. SPF posture: ?all (neutral). SPF record present but has no terminal mechanism; behaviour at receivers is unspecified. Record: v=spf1 redirect=_spf.sap.com
- Enforced. DKIM presence: found at 2 selectors. DKIM key found at selectors: selector1, selector2.
- Open. MTA-STS (transport): missing. No MTA-STS policy; inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.