Spoofability verdict for walgreens.com

Maybe - walgreens.com is partially protected.

Walgreens has locked down the essentials (SPF hardfail and DMARC quarantine) but left one critical door open: MTA-STS is missing, which means mail servers delivering to walgreens.com can't verify that their connection to its mail infrastructure is legitimate.

  • DMARC policy=quarantine: Quarantine sends suspected spoofs to the spam folder rather than the inbox. It's the middle ground between permissive (none) and enforcement (reject), and it's appropriate for a large organisation with multiple legitimate senders.
  • SPF with -all (hardfail): SPF hardfail blocks email from any server not explicitly listed in the DNS record. Walgreens publishes nine IP addresses and an MTA service lookup, making it hard for attackers to claim they're sending on behalf of walgreens.com from unknown infrastructure.
  • DKIM at 3 selectors (mandrill, s1, s2): DKIM signs outbound mail with cryptographic keys so receivers can verify sender identity. Three active selectors suggest multiple sending systems (including Mandrill, a third-party service). This is normal for healthcare organisations, but it doesn't protect inbound mail from spoofing.
  • MTA-STS missing: MTA-STS tells mail servers: 'enforce TLS encryption and verify my certificate when you connect to my mail server.' Without it, an attacker can downgrade a connection from secure to plaintext, intercepting mail in transit and potentially injecting spoofed messages.

What this means practically

An attacker cannot easily send email that appears to come from walgreens.com to external recipients—the SPF hardfail and DMARC quarantine combination blocks most impersonation attempts, and Gmail/Microsoft/Yahoo will typically quarantine what gets through. The real risk is mail in transit. Without MTA-STS, a determined attacker using network-level attacks could intercept email sent *to* Walgreens, downgrade the TLS connection, inject malicious content, or relay spoofed messages internally. This is a particular concern for a healthcare brand handling sensitive customer data.

Context for Walgreens

Healthcare organisations often use multiple third-party senders (billing systems, appointment reminders, pharmacies) which is why Mandrill and multiple selectors are expected. However, the missing MTA-STS is a notable gap for an organisation of Walgreens' scale and sensitivity profile.

Bottom line: Walgreens stops most outbound spoofing but leaves inbound mail vulnerable to interception; deploying MTA-STS would close this gap cost-effectively.

What we measured

  • DMARC policy: p=quarantine (status: Partial). DMARC at p=quarantine. Spoofed mail goes to spam but is not rejected.
  • SPF posture: -all (hardfail) (status: Enforced). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
    v=spf1 mx a exists:%{i}.spf.hc2985-66.iphmx.com ip4:204.15.118.179 ip4:204.15.118.161 ip4:199.241.116.20 ip4:131.124.12.147 ip4:204.15.118.155 ip4:204.15.118.158 ip4:159.183.171.24 ip4:34.211.93.3 -all
  • DKIM presence: found at 3 selectors (status: Enforced). DKIM key found at selectors: mandrill, s1, s2.
  • MTA-STS (transport): missing (status: Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Move DMARC to p=reject pct=100 once your rua reports show no legitimate-sender failures.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.