Spoofability verdict for servicenow.com
No - servicenow.com is not practically spoofable.
ServiceNow has put real teeth into their email authentication posture. A DMARC reject policy paired with DKIM signing under servicenow.com leaves almost no room for a spoofed message to land in recipient inboxes.
- DMARC policy=reject (enforced): Messages that fail DMARC alignment are flatly rejected. This is the strongest DMARC stance, and it's the backstop that makes spoofing ServiceNow's domain impractical for mass delivery.
- SPF redirect to 8sfr6od._spf._d.mim.ec (neutral qualifier): the published record is a bare redirect to an external domain, which is legitimate but means the authorized sender list lives in a record ServiceNow does not directly control. The redirected policy ends in ?all, so senders it does not list get a Neutral result instead of a Fail. That only matters for receivers acting on SPF alone: under DMARC, Neutral is not a pass, so the message still fails DMARC unless an aligned DKIM signature verifies, and the reject policy applies.
- DKIM: 4 selectors found (k1, dkim, s2, s1): ServiceNow publishes DKIM public keys at four selectors, which makes key rotation and running several sending systems easier. For DMARC, what counts is that a message carries a verifying signature whose d= domain aligns with servicenow.com; the number of selectors says nothing about whether every outbound message is signed.
- MTA-STS: mode missing: No MTA-STS record detected, so there is no machine-readable policy telling sending MTAs to require validated TLS when delivering to ServiceNow's MX hosts. This is a transport-confidentiality gap for inbound mail; it has no bearing on spoofing, which DMARC already handles.
What this means practically
An attacker trying to impersonate ServiceNow faces a hard wall: with p=reject, receiving servers that evaluate DMARC discard messages whose From: domain is servicenow.com unless they carry an aligned SPF pass or an aligned, verifying DKIM signature. Mail sent from the attacker's own infrastructure gets neither, and a DKIM signature under a domain the attacker controls does not align with servicenow.com, so it is rejected as well. What DMARC cannot do is tell an authorized sender from a compromised one: if a third party that ServiceNow has delegated an SPF entry or a DKIM selector to is breached, mail from it will still align. In practice, spoofed ServiceNow mail is rejected outright by Gmail, Microsoft 365, and most enterprise mail systems, or quarantined where a receiver applies a local override.
Bottom line: ServiceNow has the fundamentals in place. DMARC reject backed by aligned DKIM stops impersonation at scale; the missing MTA-STS policy leaves a gap in transit security for inbound mail, not in spoofing resistance.
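The disposition logic described above, worked through in code. This is an added example, not the report's own evaluator: the DMARC and SPF records are the ones the report shows (DMARC tags beyond p= and pct= are assumed absent), the Public Suffix List is replaced by a two-label approximation, and the three message scenarios are constructed.

```python
"""DMARC disposition for servicenow.com's measured posture (added example)."""
from dataclasses import dataclass

DMARC_RECORD = "v=DMARC1; p=reject; pct=100"                 # as measured; other tags assumed absent
SPF_RECORD = "v=spf1 redirect=8sfr6god._spf._d.mim.ec"       # as measured: no 'all' of its own
SPF_TERMINAL_QUALIFIER = "?"                                 # the redirected policy ends in ?all


def parse_tags(record):
    """Parse a 'k=v; k=v' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.lower()] = v.strip()
    return tags


def spf_terminal(record):
    """What an SPF record does with senders no mechanism matched:
    ('all', qualifier), ('redirect', target) or ('none', None)."""
    terms = record.split()[1:]
    for term in terms:                                  # an 'all' mechanism wins over redirect=
        if term.lstrip("+-~?").lower() == "all":
            return ("all", term[0] if term[0] in "+-~?" else "+")
    for term in terms:
        if term.lower().startswith("redirect="):
            return ("redirect", term.split("=", 1)[1])
    return ("none", None)                               # unlisted senders get Neutral


def spf_result_for_unlisted_sender(qualifier):
    """SPF result for an IP that only the terminal 'all' mechanism matches."""
    return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    A real implementation must consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict needs an exact match,
    relaxed only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


@dataclass
class Message:
    header_from: str   # RFC5322.From domain, what the user sees
    mail_from: str     # RFC5321.MailFrom domain, what SPF authenticates
    spf_result: str    # pass / fail / softfail / neutral / none
    dkim: list         # [(d= domain, signature verified?), ...]


def dmarc_disposition(msg, record=DMARC_RECORD):
    """Return 'pass' or the policy action (reject / quarantine / none)."""
    tags = parse_tags(record)
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, tags.get("aspf", "r"))
    dkim_ok = any(verified and aligned(d, msg.header_from, tags.get("adkim", "r"))
                  for d, verified in msg.dkim)
    if spf_ok or dkim_ok:
        return "pass"
    # pct= sampling is omitted: at pct=100 every failing message gets p=.
    return tags.get("p", "none")


# Constructed scenarios (attacker.invalid and esp.invalid are placeholder domains).
# 1. Attacker's own server, no ServiceNow key: SPF falls through to ?all -> neutral.
SPOOF = Message("servicenow.com", "servicenow.com",
                spf_result_for_unlisted_sender(SPF_TERMINAL_QUALIFIER), [])
# 2. Same forged From, SPF pass and a valid DKIM signature, both under the attacker's domain.
SPOOF_SIGNED = Message("servicenow.com", "attacker.invalid", "pass", [("attacker.invalid", True)])
# 3. Legitimate mail via an ESP: SPF passes on the ESP's bounce domain (unaligned),
#    the DKIM signature is under servicenow.com (aligned).
LEGIT = Message("servicenow.com", "bounce.esp.invalid", "pass", [("servicenow.com", True)])

if __name__ == "__main__":
    print("SPF record terminal:", spf_terminal(SPF_RECORD))
    for name, m in [("spoof", SPOOF), ("spoof+own-dkim", SPOOF_SIGNED), ("legit", LEGIT)]:
        print(f"{name}: spf={m.spf_result} -> DMARC {dmarc_disposition(m)}")
```

Scenario 3 is the one worth noticing: an SPF pass on an unaligned bounce domain contributes nothing, so ServiceNow's DMARC pass rides entirely on the aligned DKIM signature, and a sending system that fails to sign would be rejected just like a spoof.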
What we measured
- DMARC policy: p=reject (Enforced). DMARC at p=reject with pct=100: mail that fails DMARC is rejected at SMTP time by receivers that honour the policy.
- SPF posture: ?all (Partial). The published record is a bare redirect, v=spf1 redirect=8sfr6god._spf._d.mim.ec, with no terminal mechanism of its own; the redirected policy ends in ?all (neutral), so senders it does not list get a Neutral result, which receivers treat like having no SPF record at all (RFC 7208). SPF by itself therefore never rejects a spoof; DMARC does.
- DKIM presence: found at 4 selectors (Enforced). DKIM public keys published at selectors k1, dkim, s1, s2.
- MTA-STS (transport): missing (Open). No MTA-STS policy, so sending MTAs can only use opportunistic STARTTLS; an on-path attacker who forges MX answers or strips STARTTLS can downgrade inbound mail to cleartext.
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode plus a TLS-RPT record, so that sending MTAs require a validated TLS connection to the listed MX hosts and report delivery failures.
- Have the SPF policy behind the redirect end in -all (or at least ~all), so that SPF fails unlisted senders on its own rather than relying on DMARC to discount the Neutral result.
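How a sending MTA would act on the recommended policy, as an added example that is not ServiceNow's configuration: the policy id, MX hostnames (under the reserved .invalid TLD) and TLS-RPT address are constructed placeholders, and DNS lookup and HTTPS fetch are replaced by the constants below.

```python
"""MTA-STS and TLS-RPT handling from the sender's side (added example)."""

# Constructed stand-ins for what a sender would fetch for a domain with MTA-STS enforced.
STS_DNS_TXT = "v=STSv1; id=20240601T000000Z"        # _mta-sts.<domain> TXT
STS_POLICY = """version: STSv1
mode: enforce
mx: mx1.example-mail.invalid
mx: *.mx.example-mail.invalid
max_age: 604800
"""                                                  # https://mta-sts.<domain>/.well-known/mta-sts.txt
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.invalid"   # _smtp._tls.<domain> TXT


def parse_sts_dns(txt):
    """Parse the _mta-sts TXT record; None if absent or not a valid STSv1 record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.lower()] = v.strip()
    return tags if tags.get("v") == "STSv1" and tags.get("id") else None


def parse_policy(text):
    """Parse the 'key: value' policy file; None if it is not usable."""
    policy = {"mx": []}
    for line in text.splitlines():
        k, _, v = line.partition(":")
        k, v = k.strip().lower(), v.strip()
        if k == "mx":
            policy["mx"].append(v)
        elif k:
            policy[k] = v
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def mx_matches(mx_host, patterns):
    """RFC 8461 MX matching: exact hostname, or '*.' matching exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix = pat[1:]                      # ".mx.example-mail.invalid"
            head = host[: -len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif host == pat:
            return True
    return False


def tlsrpt_endpoints(txt):
    """Report destinations from a TLS-RPT record (comma-separated rua= list)."""
    tags = parse_sts_dns(txt.replace("TLSRPTv1", "STSv1; id=x")) if txt else None
    return [u.strip() for u in tags["rua"].split(",")] if tags and "rua" in tags else []


def delivery_decision(dns_txt, policy_text, mx_host, tls_ok):
    """Decide one delivery attempt: ('deliver'|'defer', reason).
    No policy (today's servicenow.com state) means opportunistic TLS only, so a
    forged MX answer or a stripped STARTTLS goes unnoticed and mail is delivered anyway."""
    policy = parse_policy(policy_text) if parse_sts_dns(dns_txt) and policy_text else None
    if policy is None or policy["mode"] == "none":
        return "deliver", "no MTA-STS policy, opportunistic TLS"
    ok_mx = mx_matches(mx_host, policy["mx"])
    if ok_mx and tls_ok:
        return "deliver", "MX matches policy and TLS validated"
    reason = "MX not in policy" if not ok_mx else "TLS validation failed"
    if policy["mode"] == "enforce":
        return "defer", reason + " (enforce)"          # must not deliver; retry later
    return "deliver", reason + " (testing: delivered, reported via TLS-RPT)"


if __name__ == "__main__":
    print(delivery_decision(None, None, "rogue.mx.invalid", False))        # current posture
    print(delivery_decision(STS_DNS_TXT, STS_POLICY, "rogue.mx.invalid", True))
    print(delivery_decision(STS_DNS_TXT, STS_POLICY, "a.mx.example-mail.invalid", False))
    print("TLS-RPT to:", tlsrpt_endpoints(TLSRPT_TXT))
```

The testing mode is the safe rollout step: it lets the domain owner confirm via TLS-RPT that every legitimate MX matches the policy before switching to enforce, where a mismatch or certificate failure stops delivery.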