Spoofability verdict for udemy.com
No - udemy.com is not practically spoofable.
See the math
Udemy has built a robust email authentication posture that makes spoofing practically impossible—even for well-resourced attackers. The combination of enforced DMARC rejection, SPF hard-fail, and multiple DKIM selectors working in concert creates a high bar.
- DMARC p=reject at 100%: DMARC is set to reject all mail that fails authentication checks, applied to 100% of traffic. This is the gold standard: receivers are instructed to refuse email that can't prove it came from Udemy's infrastructure.
- SPF -all (hard-fail): SPF ends in the hard-fail qualifier (-all), so mail from any server not covered by the listed include mechanisms (Google, Marketo, Zendesk, Salesforce and the other included senders) fails SPF and is rejected. This prevents attackers from using unlisted infrastructure to send mail appearing to come from udemy.com.
- DKIM: 5 selectors found (default, google, k2, s1, s2): DKIM signing with multiple selectors means Udemy signs most of its outbound mail with cryptographic keys. An attacker would need to compromise one of these private keys to forge a valid signature—practically infeasible.
- MTA-STS mode=none: MTA-STS is not enabled, meaning there's no policy requiring senders to use verified TLS when connecting to Udemy's mail servers. This doesn't affect spoofing directly, but it leaves the transmission path open to STARTTLS-stripping downgrade attacks by an on-path attacker who controls network routing.
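The two "Enforced" verdicts above come from reading the terminal qualifier of the SPF record and the p/pct tags of the DMARC record. The following is an added example (not the page's own scanner code) that applies that grading to record strings: the SPF record is the one printed on the page, while the DMARC record is a constructed reconstruction of the reported p=reject, pct=100 posture (the page does not print the full record). The Enforced/Partial/Open thresholds are this example's own assumptions, chosen to match the page's verdicts.

```python
"""Grade SPF and DMARC records the way the spoofability report does.

Added example; not from the original page or its scanner. The grading
thresholds (Enforced / Partial / Open) are this example's assumption.
"""
import re

# SPF record exactly as published on the page.
SPF_RECORD = ("v=spf1 include:_spf.google.com include:mktomail.com "
              "include:spf.mtasv.net include:mail.zendesk.com "
              "include:_spf.salesforce.com -all")

# Constructed DMARC record matching the reported p=reject, pct=100 posture.
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"


def spf_posture(record: str) -> dict:
    """Return the effective 'all' qualifier and the include mechanisms.

    RFC 7208 qualifiers: '-' hardfail, '~' softfail, '?' neutral, '+' pass.
    Mechanisms are evaluated left to right and 'all' always matches, so the
    first 'all' term decides what happens to unlisted senders. With no 'all'
    term at all the result for unlisted senders defaults to neutral.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes = [t.split(":", 1)[1] for t in terms[1:]
                if t.lower().startswith("include:")]
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        return {"status": "Open", "qualifier": None, "includes": includes}
    q = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    status = {"-": "Enforced", "~": "Partial", "?": "Open", "+": "Open"}[q]
    return {"status": status, "qualifier": q + "all", "includes": includes}


def dmarc_posture(record: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record (RFC 7489) and grade it.

    'Enforced' requires p=reject applied to pct=100 (100 is the default when
    pct is absent). p=quarantine, or any pct below 100, is graded 'Partial';
    p=none (monitor only) leaves the domain 'Open'.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        status = "Enforced"
    elif policy in ("reject", "quarantine"):
        status = "Partial"
    else:
        status = "Open"
    return {"status": status, "policy": policy, "pct": pct}


def spoofability_verdict(spf_record: str, dmarc_record: str) -> str:
    """Combine the two grades: only Enforced + Enforced earns the page's verdict."""
    spf = spf_posture(spf_record)["status"]
    dmarc = dmarc_posture(dmarc_record)["status"]
    if spf == "Enforced" and dmarc == "Enforced":
        return "not practically spoofable"
    return f"spoofable (SPF {spf}, DMARC {dmarc})"


if __name__ == "__main__":
    print(spf_posture(SPF_RECORD))
    print(dmarc_posture(DMARC_RECORD))
    print(spoofability_verdict(SPF_RECORD, DMARC_RECORD))
```

Running it on the page's records yields Enforced for both and the verdict "not practically spoofable"; swapping -all for ~all, or dropping pct to 50, drops the grade to Partial, which is the difference between a receiver rejecting forged mail and merely scoring it.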
What this means practically
An attacker cannot realistically send mail that will pass both SPF and DMARC checks with Udemy's domain. Gmail, Outlook, and other major providers will reject or heavily flag any forged mail. The attacker's only practical avenue would be to compromise Udemy's actual mail infrastructure or steal a DKIM private key—both far beyond the typical impersonation attack. This is defence-in-depth working as intended.
Context for Udemy
Udemy is a commercial education platform, not a university with distributed legitimate senders. A single company-controlled mail topology means Udemy can afford to enforce strict policies without false positives from departmental mail servers or alumni systems.
Bottom line: Udemy is not spoofable via email—their authentication controls are enforced end-to-end and would stop a typical impersonation attack cold.
What we measured
- DMARC policy: Enforced (p=reject). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: Enforced (-all, hardfail). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Record: v=spf1 include:_spf.google.com include:mktomail.com include:spf.mtasv.net include:mail.zendesk.com include:_spf.salesforce.com -all
- DKIM presence: Enforced (found at 5 selectors). DKIM key found at selectors: default, google, k2, s1, s2.
- MTA-STS (transport): Open (mode=none). MTA-STS in mode=none (effectively disabled).
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint, so senders require verified TLS to Udemy's MX hosts and report any connection they could not secure.
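What that remediation consists of, as an added example rather than anything published by Udemy: the three artifacts MTA-STS (RFC 8461) and TLS-RPT (RFC 8460) require, plus the check that turns a fetched policy into the report's Enforced/Open grade. The domain is the one on the page; the MX hostnames and the reporting mailbox are placeholders that must be replaced with the real values, and the mx lines must match the domain's actual MX records or senders honouring the policy will refuse to deliver.

```python
"""Build and grade the MTA-STS + TLS-RPT records the remediation calls for.

Added example; not from the page or from Udemy. MX hosts and the TLS-RPT
mailbox below are PLACEHOLDERS, not Udemy's real values.
"""
from datetime import datetime, timezone

DOMAIN = "udemy.com"                                        # domain from the page
MX_HOSTS = ["mx1.example.invalid", "mx2.example.invalid"]  # PLACEHOLDER MX hosts
TLSRPT_MAILBOX = "tlsrpt@example.invalid"                  # PLACEHOLDER mailbox


def mta_sts_dns_record(policy_id: str) -> tuple:
    """TXT record at _mta-sts.<domain> (RFC 8461 section 3.1).

    The id must change every time the policy file changes, otherwise senders
    keep using the cached policy until its max_age expires.
    """
    return (f"_mta-sts.{DOMAIN}", f"v=STSv1; id={policy_id}")


def mta_sts_policy(mode: str = "enforce", max_age: int = 604800) -> str:
    """Body served at https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461 section 3.2).

    mode=enforce makes senders refuse delivery when the MX certificate does
    not validate; testing only reports; none is what the page observed.
    """
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {host}" for host in MX_HOSTS]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def tlsrpt_dns_record() -> tuple:
    """TXT record at _smtp._tls.<domain> (RFC 8460) naming where senders post
    daily reports of TLS failures; without it a misconfigured policy is silent."""
    return (f"_smtp._tls.{DOMAIN}", f"v=TLSRPTv1; rua=mailto:{TLSRPT_MAILBOX}")


def grade_policy(policy_text: str) -> str:
    """Grade a fetched policy the way the report does: 'Enforced' only for
    mode=enforce; testing, none, or an unparseable/missing file stay 'Open'."""
    fields = {}
    for line in policy_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if fields.get("version") != "STSv1":
        return "Open"
    return "Enforced" if fields.get("mode") == "enforce" else "Open"


if __name__ == "__main__":
    policy_id = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    print(mta_sts_dns_record(policy_id))
    print(mta_sts_policy())
    print(tlsrpt_dns_record())
    print("grade:", grade_policy(mta_sts_policy()))
```

The usual rollout is to publish the TLS-RPT record first, then the policy in testing mode with a short max_age, and only switch to enforce once the daily reports show no certificate or hostname mismatches for the listed MX hosts, since in enforce mode any such mismatch turns into refused deliveries rather than a report.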