Spoofability verdict for sendgrid.com
No - sendgrid.com is not practically spoofable.
See the math
SendGrid is a transactional email service provider, so their domain does not typically send user-facing email directly—but their DMARC posture is unambiguous: they're hardened against direct impersonation at their own domain.
- DMARC p=reject at 100%: DMARC policy is set to reject all mail failing alignment (both DKIM and SPF set to strict mode). This applies to 100% of traffic, with no sampling. Direct spoofing of sendgrid.com itself will be rejected by any DMARC-aware receiver.
- SPF ~all (softfail): SPF uses a softfail (~all) rather than hardfail (-all), which means receivers *may* accept mail that fails the SPF check. However, the policy lists legitimate SendGrid infrastructure (IP ranges, includes) and works in concert with DMARC p=reject: a message that fails SPF and also lacks an aligned DKIM signature fails DMARC and is rejected.
- DKIM at 2 selectors (s1, s2): Two active DKIM signing selectors were detected, so legitimate mail carries a verifiable signature. DKIM signatures are cryptographically validated and cannot be forged without the private key. This is a strong per-message authenticity control.
- MTA-STS missing: MTA-STS is not configured. This policy would require sending servers to use validated TLS when delivering to sendgrid.com and would prevent downgrade attacks, but its absence does not materially weaken SendGrid's spoofability posture: DMARC and DKIM already block direct impersonation.
What this means practically
An attacker cannot practically impersonate sendgrid.com directly. Email claiming to come from sendgrid.com without valid DKIM+SPF alignment will fail DMARC and be rejected by any receiving system that enforces DMARC (Gmail, Microsoft 365, most enterprise systems). This is exactly what you want for a high-profile infrastructure provider. Note: attackers may still spoof *customer* domains if those customers have weaker authentication setups—but SendGrid's own domain is locked down.
Bottom line: SendGrid has correctly implemented DMARC p=reject at 100% with strict alignment; their domain is not spoofable in practice.
What we measured
- DMARC policy: p=reject [Enforced]. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: ~all (softfail) [Partial]. SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record: v=spf1 include:sendgrid.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:stspg-customer.com ip4:167.89.60.95 ip4:50.31.36.205 ~all
- DKIM presence: found at 2 selectors [Enforced]. DKIM key found at selectors: s2, s1.
- MTA-STS (transport): missing [Open]. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
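The scoring logic described in "See the math" and the SPF remediation above, written out as an added Python example (this is not the scanning tool's own code). The SPF record is the one shown in this report; the DMARC record is constructed to match what the report states (p=reject, pct=100, strict alignment) rather than copied from DNS, and the function names and the "Enforced / Partial / Open" labels are this example's own conventions.

```python
"""Evaluate a domain's spoofability posture from its published mail-auth records.

Added example, not the scanning tool's code. Status labels mirror the report:
"Enforced", "Partial", "Open". Records are passed in as strings so the logic
runs offline; a real checker would fetch them via DNS.
"""

# Constructed sample inputs (the SPF record is the one the report shows; the
# DMARC record is built to match the stated posture, not fetched from DNS).
SENDGRID_SPF = (
    "v=spf1 include:sendgrid.com._nspf.vali.email "
    "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email "
    "include:stspg-customer.com ip4:167.89.60.95 ip4:50.31.36.205 ~all"
)
SENDGRID_DMARC = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s"
SENDGRID_DKIM_SELECTORS = ["s1", "s2"]


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(record: str) -> tuple:
    """Classify a DMARC record: reject at 100% is Enforced, anything weaker is not."""
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return "Open", "no valid DMARC record"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    # adkim/aspf default to relaxed ("r") when absent.
    strict = tags.get("adkim", "r") == "s" and tags.get("aspf", "r") == "s"
    align = "strict" if strict else "relaxed"
    if policy == "reject" and pct == 100:
        return "Enforced", f"p=reject (pct=100, {align} alignment)"
    if policy in ("reject", "quarantine"):
        return "Partial", f"p={policy} (pct={pct}, {align} alignment)"
    return "Open", "p=none: monitoring only, nothing is rejected"


def spf_status(record: str) -> tuple:
    """Classify SPF by its terminal 'all' mechanism (hardfail vs softfail vs open)."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "Open", "no SPF record"
    last = terms[-1].lower()
    if last == "-all":
        return "Enforced", "-all (hardfail)"
    if last == "~all":
        return "Partial", "~all (softfail): receivers may accept but mark mail"
    if last in ("?all", "+all"):
        return "Open", f"{last}: any sender passes"
    return "Open", "no 'all' mechanism (implicit neutral)"


def dkim_status(selectors: list) -> tuple:
    """Report whether any DKIM selectors publish a key."""
    if selectors:
        return "Enforced", f"found at {len(selectors)} selectors: {', '.join(selectors)}"
    return "Open", "no DKIM selectors found"


def mta_sts_status(mode) -> tuple:
    """mode is the policy file's 'mode' value ('enforce', 'testing', 'none') or None."""
    if mode == "enforce":
        return "Enforced", "MTA-STS in enforce mode"
    if mode in ("testing", "none"):
        return "Partial", f"MTA-STS present but mode={mode}"
    return "Open", "missing: no MTA-STS policy, transport downgrade possible"


def evaluate(dmarc: str, spf: str, dkim_selectors: list, mta_sts_mode=None) -> dict:
    """Combine the checks; the spoofability verdict hinges on DMARC enforcement."""
    result = {
        "dmarc": dmarc_status(dmarc),
        "spf": spf_status(spf),
        "dkim": dkim_status(dkim_selectors),
        "mta_sts": mta_sts_status(mta_sts_mode),
    }
    # SPF softfail and missing MTA-STS lower the score but do not make the
    # domain spoofable while DMARC rejects all unaligned mail.
    result["spoofable"] = result["dmarc"][0] != "Enforced"
    return result


def harden_spf(record: str) -> str:
    """Apply the report's first remediation: turn a trailing ~all into -all."""
    terms = record.split()
    if terms and terms[-1].lower() == "~all":
        terms[-1] = "-all"
    return " ".join(terms)


if __name__ == "__main__":
    verdict = evaluate(SENDGRID_DMARC, SENDGRID_SPF, SENDGRID_DKIM_SELECTORS)
    for check, (status, detail) in ((k, v) for k, v in verdict.items() if k != "spoofable"):
        print(f"{status:9} {check:8} {detail}")
    print("spoofable:", verdict["spoofable"])
    print("hardened SPF:", harden_spf(SENDGRID_SPF))
```

Running the module prints one line per check and the verdict; feeding it a p=none DMARC record instead shows how the same SPF and DKIM data flips the domain to spoofable, because without an enforcing DMARC policy neither control causes a receiver to reject unaligned mail.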