wiredepth

Spoofability verdict for target.com

No - target.com is not practically spoofable.


Target has deployed a straightforward, effective email authentication baseline. A hard DMARC reject policy backed by valid DKIM selectors makes spoofing extremely difficult in practice, even though SPF only softfails unauthorised senders and MTA-STS is absent.

  • DMARC policy=reject (enforced): Hard reject instruction tells receiving mailservers to drop mail that fails DMARC checks. This is the nuclear option and it works—legitimate mail that doesn't align stays out entirely.
  • SPF ~all (softfail, partial strictness): Softfail allows mail from unauthorised SPF hosts to still be delivered, but marked suspicious. This is lenient by design, likely to accommodate pardot.com and third-party campaign mail. Doesn't hurt; doesn't strengthen the posture.
  • DKIM at 6 selectors (enforced): Multiple valid DKIM keypairs (mandrill, k1, selector1, selector2, s2, s1) mean an attacker would need to compromise multiple keys to pass DKIM checks. Enforced strictness means Target requires the DKIM signing domain to align with the From: domain.
  • MTA-STS missing: MTA-STS would prevent downgrade attacks on the SMTP connection itself. Its absence leaves a small gap, but DMARC+DKIM already blocks the email itself from being spoofed.

What this means practically

An attacker cannot realistically spoof mail from target.com. To succeed, they'd need to forge a DKIM signature (requires key compromise) *and* pass DMARC alignment checks. The SPF softfail gives no advantage—Gmail, Outlook, and most corporate receivers honour the hard DMARC reject regardless. Compromised Mandrill or Pardot credentials would be the only practical attack surface, and that's a credential theft problem, not an authentication gap.

Bottom line: Target's DMARC reject + multi-selector DKIM is a textbook retail-grade authentication setup; spoofing is not a viable threat.

What we measured

  • DMARC policy: p=reject [Enforced]. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: ~all (softfail) [Partial]. SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
    Published record: v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com include:aspmx.pardot.com ~all
  • DKIM presence: found at 6 selectors [Enforced]. DKIM key found at selectors: selector2, k1, mandrill, s2, s1, selector1.
  • MTA-STS (transport): missing [Open]. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
