wiredepth

Spoofability verdict for ups.com

No - ups.com is not practically spoofable.

UPS has implemented a hardened email authentication posture that blocks most spoofing attempts at the protocol level. A DMARC reject policy, SPF hardfail, and multiple DKIM selectors work together to create a coherent defense.

  • DMARC policy=reject: UPS enforces DMARC rejection globally. Any email claiming to be from ups.com that fails authentication is rejected outright by receiving mail servers, not quarantined or passed through.
  • SPF hardfail (-all): The SPF record ends with -all, meaning a sending server that is not authorized by any of the record's five include mechanisms fails SPF outright. This blocks unauthorized senders from passing SPF checks.
  • DKIM at 4 selectors (k1, s1, s2, selector1): DKIM signing across multiple selectors makes it harder for an attacker to forge email signatures. Even if one selector is compromised, the others remain protected.
  • MTA-STS missing: MTA-STS is not deployed, which means there's no policy for encrypting SMTP connections between mail servers. This doesn't undermine the authentication signals above, but it leaves transport security undefended against network-level interception.

What this means practically

An attacker cannot forge a UPS email in a way that will reach inboxes at Gmail, Outlook, Yahoo, or corporate mail systems. The DMARC reject policy ensures rejection happens before the message ever reaches a user's spam folder. Spear-phishing attempts, invoice fraud, and delivery scam emails claiming to be from UPS would need to compromise one of UPS's authorized IP ranges (outlined in the SPF record) or steal a DKIM private key to succeed. Without those, forgeries are dead on arrival.

Bottom line: UPS is not spoofable—the authentication stack is tight, and the DMARC reject policy is enforced uniformly.

What we measured

Enforced

DMARC policy

p=reject

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Enforced

SPF posture

-all (hardfail)

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com include:spf-002b8001.pphosted.com include:spf-002b8002.pphosted.com include:spf-002b8003.pphosted.com include:spf-002b8004.pphosted.com -all

Enforced

DKIM presence

found at 4 selectors

DKIM key found at selectors: k1, s2, selector1, s1.

Open

MTA-STS (transport)

missing

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.