Spoofability verdict for shopify.com
No - shopify.com is not practically spoofable.
Shopify's DMARC posture is straightforward: a hard reject policy that stops impersonation at the protocol level. The supporting signals reinforce this, though one gap, the lack of an enforced MTA-STS policy, leaves inbound mail open to man-in-the-middle interception while it is in transit to Shopify's mail servers.
- DMARC p=reject at 100%: Any email claiming to come from shopify.com that fails SPF or DKIM checks will be rejected outright by receivers. This is the strongest DMARC stance and closes the door on forged messages.
- SPF ~all (softfail): The softfail means unauthorized senders get a warning signal, not a hard block. Combined with p=reject DMARC, this provides a backstop: if both SPF and DKIM fail, DMARC still rejects. But the softfail itself is gentler than -all (hardfail).
- DKIM at 3 selectors (google, mail, pm): Multiple DKIM selectors found and working means legitimate Shopify infrastructure (Google Workspace, Zendesk, SendGrid) is properly signed. Attackers would need the private keys to forge signatures.
- MTA-STS absent (mode=none, effectively disabled): With no enforced MTA-STS policy, receiving mail servers won't require TLS with a validated certificate when delivering to Shopify's MX hosts. An attacker positioned on the network path could intercept email in transit, even when the message itself carries a valid DKIM signature, because DMARC and DKIM protect the message, not the connection it travels over.
What this means practically
An outside attacker cannot send email impersonating shopify.com that passes DMARC, since that requires an aligned SPF or DKIM pass they cannot produce; modern mail systems (Gmail, Microsoft 365, etc.) will reject it or heavily downrank it. However, if an attacker compromises Shopify's MX infrastructure or intercepts traffic on the wire before delivery, they could still insert malicious messages. Without an enforced MTA-STS policy, nothing requires sending servers to use an encrypted, certificate-validated connection when handing mail to Shopify's mail servers.
Bottom line: Shopify's DMARC enforcement blocks the standard spoofing playbook, making it extremely difficult to impersonate from outside; deploy MTA-STS to close the remaining in-transit window.
What we measured
| Status | Check | Value | Detail |
|---|---|---|---|
| Enforced | DMARC policy | p=reject | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP. |
| Partial | SPF posture | ~all (softfail) | SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Record: `v=spf1 include:_spf.google.com include:mail.zendesk.com include:sendgrid.net ~all` |
| Enforced | DKIM presence | found at 3 selectors | DKIM key found at selectors: google, mail, pm. |
| Open | MTA-STS (transport) | mode=none | MTA-STS in mode=none (effectively disabled). |
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorized senders is complete and verified.
- Publish an MTA-STS policy in enforce mode, plus a TLS-RPT reporting endpoint so receivers can report TLS delivery failures.
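The classification in the "What we measured" table and the effect of the two fixes above, as an added example (this is not the report's own tooling): a small evaluator that reads a DMARC record, an SPF record and an MTA-STS policy body and returns the same Enforced / Partial / Open verdicts. The SPF string is the one quoted on this page; the DMARC record and MTA-STS policy text are constructed samples consistent with the page's findings (hostnames under example.invalid are placeholders).

```python
import re

# Constructed sample consistent with the page's finding of p=reject at pct=100.
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"
# SPF record exactly as quoted in the measurement table.
SPF_RECORD = "v=spf1 include:_spf.google.com include:mail.zendesk.com include:sendgrid.net ~all"
# Constructed MTA-STS policy body in mode=none, matching the page's finding.
MTA_STS_POLICY = "version: STSv1\nmode: none\nmx: *.example.invalid\nmax_age: 86400\n"


def dmarc_verdict(record: str) -> str:
    """Enforced only when p=reject applies to 100% of mail."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    policy = tags.get("p", "none").strip().lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "Enforced"
    if policy in ("reject", "quarantine"):
        return "Partial"  # quarantine, or reject applied to only part of the mail
    return "Open"


def spf_verdict(record: str) -> str:
    """The qualifier on the final 'all' term decides what happens to unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "Open"
    qualifier = next((t[0] if t[0] in "+-~?" else "+"
                      for t in reversed(terms) if t.lstrip("+-~?").lower() == "all"), None)
    # -all (hardfail) is enforced; ~all (softfail) is advisory; +all, ?all or no 'all' is open.
    return {"-": "Enforced", "~": "Partial"}.get(qualifier, "Open")


def mta_sts_verdict(policy):
    """None (no policy published) or mode=none is Open; testing is Partial; enforce is Enforced."""
    if not policy:
        return "Open"
    m = re.search(r"^mode:\s*(\w+)", policy, re.M)
    mode = m.group(1).lower() if m else "none"
    return {"enforce": "Enforced", "testing": "Partial"}.get(mode, "Open")


def posture(dmarc: str, spf: str, sts) -> dict:
    return {"DMARC": dmarc_verdict(dmarc), "SPF": spf_verdict(spf), "MTA-STS": mta_sts_verdict(sts)}


if __name__ == "__main__":
    print(posture(DMARC_RECORD, SPF_RECORD, MTA_STS_POLICY))
    # Same inputs after applying the two fixes recommended above:
    print(posture(DMARC_RECORD, SPF_RECORD.replace("~all", "-all"),
                  MTA_STS_POLICY.replace("mode: none", "mode: enforce")))
```

The first call reproduces the table (DMARC Enforced, SPF Partial, MTA-STS Open); the second shows that switching to -all and mode: enforce turns both remaining rows to Enforced.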