wiredepth

Spoofability verdict for twilio.com

No - twilio.com is not practically spoofable.


Twilio has assembled a strong, multi-layered defence against email spoofing. The combination of a hard DMARC reject policy, enforced DKIM across multiple signing keys, and strict SPF alignment makes it practically impossible for an attacker to forge Twilio email at scale.

  • DMARC p=reject (enforced): DMARC reject means any message claiming to be from Twilio that fails authentication is rejected outright by receiving mail servers. This is the gold standard; no wiggle room for attackers.
  • SPF ~all (softfail): The SPF record ends in ~all, so mail from an IP address that is not listed in the record gets a softfail result: receivers flag it rather than reject it on SPF alone. This is weaker than hardfail (-all), but Twilio's DMARC reject policy compensates, because DMARC treats a softfail as an SPF failure and still rejects the message unless it carries a valid, aligned DKIM signature.
  • DKIM at k1, k2, s1, s2 selectors (enforced): Multiple DKIM signing keys across different selectors means Twilio can rotate keys and support multiple systems without breaking validation. Attackers cannot forge DKIM signatures without the private keys.
  • MTA-STS mode=none: MTA-STS is an optional policy by which a receiving domain tells sending servers to deliver only over TLS with a valid certificate. Mode=none means Twilio publishes the policy but does not enforce it. However, this is a transit-level (encryption in transit) concern, not a spoofing concern, and does not weaken sender authentication.

What this means practically

An attacker attempting to spoof Twilio email will fail at every major receiving mail server (Gmail, Outlook, corporate gateways). The hard DMARC reject policy means spoofed mail never reaches a user inbox; it is rejected during the SMTP transaction before delivery. Even if an attacker somehow passed SPF, they cannot produce valid DKIM signatures without Twilio's private keys. In practice, any large-scale spoofing attempt against Twilio recipients will be caught and dropped.

Bottom line: Twilio's email authentication is robust and well-implemented; spoofing Twilio mail is not a practical attack vector.

What we measured

| Status   | Check                | Value                | Detail                                                                          |
|----------|----------------------|----------------------|---------------------------------------------------------------------------------|
| Enforced | DMARC policy         | p=reject             | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.                  |
| Partial  | SPF posture          | ~all (softfail)      | SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.  |
| Enforced | DKIM presence        | found at 4 selectors | DKIM key found at selectors: k2, k1, s1, s2.                                    |
| Open     | MTA-STS (transport)  | mode=none            | MTA-STS in mode=none (effectively disabled).                                    |

Published SPF record:

v=spf1 include:twilio.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting record so TLS failures are reported.
