Spoofability verdict for sephora.com
No - sephora.com is not practically spoofable.
Why the verdict holds
Sephora has built a genuinely strong email authentication posture. A DMARC policy of p=reject is the gold standard: the domain owner has instructed receivers to refuse mail that fails authentication, rather than merely flag (quarantine) or monitor (none) it.
- DMARC policy=reject: Enforced rejection of unauthenticated mail. Any message claiming to be from sephora.com that fails DMARC alignment will be outright rejected by receiving mail servers. This is the strongest possible DMARC stance.
- SPF with -all (hardfail): SPF hardfail rule means unauthorised sending servers are explicitly rejected. Sephora publishes five distinct include statements (spf1–spf5.sephora.com), suggesting they manage legitimate outbound mail across multiple infrastructure blocks but have locked down the final authority with -all.
- DKIM (4 selectors active): Four confirmed DKIM signing selectors (s2, selector1, k2, s1) suggest Sephora signs from several mail streams and can rotate keys without downtime. Forging a valid DKIM signature requires the corresponding private key; without it, producing a signature that verifies against the published public key is computationally infeasible.
- MTA-STS missing: MTA-STS lets a domain declare that inbound mail must be delivered over TLS, with a valid certificate, to its listed MX hosts. Sephora hasn't published an MTA-STS policy, so the SMTP connection between mail servers isn't policy-locked. This is a transport protection, not a spoofing protection; the trio of DMARC, SPF and DKIM is the primary spoofability barrier.
What this means practically
An attacker trying to send mail forged as sephora.com will fail on multiple fronts: SPF will fail (hardfail) if the sending IP is not authorised by the record, DMARC will reject mail that has neither an aligned SPF pass nor an aligned DKIM signature, and producing a valid DKIM signature would require Sephora's private signing keys. In practice, mail receivers (Gmail, Outlook, corporate gateways) will reject or junk spoofed Sephora mail outright. Social engineering attacks impersonating Sephora email are significantly harder.
Bottom line: Sephora has implemented the defensive triad correctly and enforces it; spoofing their email domain is not a practical risk for most attackers.
What we measured

| Status   | Check               | Result                | Detail                                                                              |
|----------|---------------------|-----------------------|-------------------------------------------------------------------------------------|
| Enforced | DMARC policy        | p=reject              | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.                      |
| Enforced | SPF posture         | -all (hardfail)       | SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.      |
| Enforced | DKIM presence       | found at 4 selectors  | DKIM key found at selectors: selector1, k2, s1, s2.                                 |
| Open     | MTA-STS (transport) | missing               | No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.          |

SPF record as published:

v=spf1 include:spf1.sephora.com include:spf2.sephora.com include:spf3.sephora.com include:spf4.sephora.com include:spf5.sephora.com -all
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint, so receivers require TLS with a valid certificate when delivering to Sephora's MX hosts and report any failures.