wiredepth

Spoofability verdict for traderjoes.com

Yes - traderjoes.com is spoofable today.


Trader Joe's has the infrastructure in place to sign its emails (DKIM) and to declare which servers may send on its behalf (SPF), but has chosen not to enforce either standard. A DMARC policy of "none" means the company can receive reports about spoofing attempts but instructs receivers to take no action against them.

  • DMARC policy=none: No enforcement. Receivers are asked to take no action on messages that fail DMARC, so impersonations are neither rejected nor quarantined on the basis of this policy.
  • SPF ~all (softfail): SPF is configured but ends with a soft-fail rather than a hard-fail. Mail from senders outside the published list is only flagged, not rejected, and most mailbox providers treat a soft-fail as advisory.
  • DKIM enforced (3 selectors found): DKIM signatures are present on outbound mail, which makes legitimate messages cryptographically verifiable. On its own this does not stop spoofing, because a forged message simply carries no valid signature and nothing rejects it unless DMARC enforces alignment.
  • MTA-STS missing: With no MTA-STS policy there is no published requirement that inbound SMTP use verified TLS. This does not directly enable spoofing, but it leaves transport to Trader Joe's mail servers open to downgrade.

What this means practically

An attacker can send email claiming to be from Trader Joe's, and it will arrive in most inboxes without a warning or DMARC-based filtering. Because SPF is a soft-fail, legitimate traffic from minor mail senders may also bounce; because DMARC is p=none, neither quarantine nor rejection occurs. Gmail, Outlook, and corporate mail servers read Trader Joe's DMARC policy and are instructed not to act on authentication failures, so spoofed messages pass on that basis. Phishing campaigns using traderjoes.com as a sender are unlikely to be blocked automatically.

Bottom line: Trader Joe's has built the technical tools to fight spoofing but elected not to use them; switching DMARC to p=quarantine or p=reject would immediately close this gap.

What we measured

  • DMARC policy: p=none (status: Open)
    DMARC at p=none. Receivers are told NOT to act on authentication failures; spoofed mail will not be blocked by this policy.
  • SPF posture: ~all (softfail) (status: Partial)
    SPF ends in ~all (softfail). Receivers may accept but mark the mail; the sender list is not enforced.
    Published record:
    v=spf1 mx ip4:216.52.248.192/28 ip4:12.53.199.64/28 ip4:64.94.106.0/28 ip4:4.28.146.64/28 ip4:173.9.62.80/28 ip4:68.232.128.0/19 include:_spf.google.com include:spf.protection.outlook.com exists:%{i}.spf.traderjoes.iphmx.com ~all
  • DKIM presence: found at 3 selectors (status: Enforced)
    DKIM keys found at selectors: s1, s2, selector1.
  • MTA-STS (transport): missing (status: Open)
    No MTA-STS policy. Without it, inbound mail is exposed to DNS/MX spoofing and STARTTLS downgrade.

How to make it un-spoofable

  1. Enforce DMARC. The record already exists at p=none; make sure it carries a rua= report destination so aggregate reports identify every legitimate sender, then progress to p=quarantine and finally p=reject.
  2. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorized senders is confirmed to be complete.
  3. Publish an MTA-STS policy in enforce mode, together with a TLS-RPT reporting endpoint so delivery failures caused by the policy are visible.
