wiredepth

Spoofability verdict for sony.com

Yes - sony.com is spoofable today.


Sony has strong SPF enforcement and functional DKIM, but its DMARC policy is set to p=none, so nothing is enforced. This is the classic misconfiguration that leaves the door open despite having the locks in place.

  • DMARC p=none: The DMARC policy is set to 'none', which means that even when SPF and DKIM checks fail, the domain's policy does not instruct receivers to quarantine or reject the mail. This is the single biggest vulnerability here.
  • SPF with -all (hardfail): SPF is correctly enforced with a hardfail qualifier (-all), meaning any mail from sony.com should fail SPF unless sent from one of the ~70 authorised IP ranges listed. This is a strong foundation, but it only works if downstream policy enforces it.
  • DKIM at s2 selector: DKIM is present and likely valid (only one active selector found), which means mail signed with s2 can be cryptographically verified. However, DKIM alone doesn't reject unsigned mail.
  • MTA-STS missing: No MTA-STS policy in place. This means attackers can downgrade connections to unencrypted SMTP without detection, potentially exposing transit traffic.

What this means practically

Because DMARC is set to p=none, Gmail, Microsoft 365, and other major receivers will not reject mail claiming to be from sony.com even when SPF and DKIM fail. An attacker can send mail that fails both checks, and it will often land in the inbox (though it may be flagged as suspicious by some filters). If the attacker also signs with a stolen or re-registered domain certificate, they can appear legitimately DKIM-signed. The lack of MTA-STS means an attacker on the network path can also intercept and modify mail in transit to sony.com without triggering detection.

Bottom line: Sony built solid SPF and DKIM foundations but chose not to enforce them. p=none negates their value, and the absence of MTA-STS creates a second vulnerability on the transport layer.

What we measured

DMARC policy: p=none (status: Open)

DMARC at p=none. Receivers are told NOT to act on auth failures; spoofed mail will not be blocked.

SPF posture: -all (hardfail) (status: Enforced)

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 include:amazonses.com include:spf.protection.outlook.com include:spfa.sony.com ip4:121.100.43.221 ip4:185.136.188.108 ip4:185.136.189.108 ip4:121.100.43.225 ip4:121.100.43.226 ip4:139.60.152.0/22 ip4:148.105.8.0/21 ip4:160.33.101.112/28 ip4:160.33.194.224/28 ip4:160.33.194.232 ip4:160.33.194.233 ip4:160.33.194.234 ip4:160.33.194.235 ip4:160.33.96.128/28 ip4:185.132.182.190 ip4:185.132.183.11 ip4:185.183.30.70 ip4:198.2.128.0/18 ip4:205.201.128.0/20 ip4:208.74.204.0/22 ip4:212.100.250.11 ip4:212.100.250.16/29 ip4:37.188.101.80/28 ip4:46.19.168.0/23 ip4:5.61.115.112/28 ip4:5.61.115.80/28 ip4:5.61.115.96/28 ip4:5.61.117.112/28 ip4:5.61.117.80/28 ip4:5.61.117.96/28 ip4:52.222.62.51/32 ip4:52.222.73.120/32 ip4:52.222.73.83/32 ip4:52.222.75.85/32 ip4:54.186.193.102/32 ip4:83.138.165.68/31 ip4:91.207.212.191 ip6:2607:fd28:0102:1:1::/80 ip6:2607:fd28:0102:3:300::/80 ip4:101.231.129.3 ip4:101.231.129.4 ip4:3.93.157.0/24 ip4:3.210.190.0/24 ip4:18.208.124.128/25 ip4:54.174.52.0/24 ip4:54.174.57.0/24 ip4:54.174.59.0/24 ip4:54.174.60.0/23 ip4:54.174.63.0/24 ip4:139.180.17.0/24 ip4:141.193.184.32/27 ip4:141.193.184.64/26 ip4:141.193.184.128/25 ip4:141.193.185.32/27 ip4:141.193.185.64/26 ip4:141.193.185.128/25 ip4:143.244.80.0/20 ip4:158.247.16.0/20 ip4:108.179.144.0/20 ip4:66.159.233.15 ip4:66.159.234.91 ip4:66.159.233.14 ip4:66.159.234.90 ip4:66.159.232.89 ip4:143.55.149.237 ip4:66.159.233.25 ip4:66.159.234.101 ip4:101.231.129.43 ip4:216.139.64.0/19 ip4:211.125.130.0/24 ip6:2001:cf8:0:b0::/64 -all

DKIM presence: found at 1 selector (status: Enforced)

DKIM key found at selector: s2.

MTA-STS (transport): missing (status: Open)

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish a DMARC record. Start at p=none with a rua= report destination to gather data, then progress to p=quarantine and p=reject.
  2. Publish an MTA-STS policy in enforce mode, plus a TLS-RPT reporting endpoint.
