Spoofability verdict for wayfair.com
Maybe - wayfair.com is partially protected.
See the math
Wayfair has built a solid DMARC and SPF foundation—but then stopped short of the final lock. The pieces are in place, but there's a gap that leaves room for email-based social engineering.
- DMARC p=quarantine at 100%: Wayfair enforces quarantine on all non-authenticated mail claiming to be wayfair.com. This blocks the worst impersonation attempts at receiver level, though not perfectly—it depends on the mail provider implementing the policy.
- SPF hardfail (-all): SPF is configured to reject outright any email claiming to be from wayfair.com that doesn't come from Wayfair's authorised IP ranges (their own systems, Outlook, Pardot, Salesforce, Google Workspace). This is a hard stop.
- DKIM at 6 selectors: Multiple DKIM signing keys (k1, google, pm, s2, selector2, s1) suggest a mature, multi-vendor email infrastructure. An attacker would need to compromise one of these signing keys to forge a valid signature.
- DMARC relaxed alignment (adkim=r, aspf=r): Relaxed alignment means a message passes Wayfair's DMARC when the 'From' domain matches the SPF- or DKIM-authenticated domain exactly *or shares its organizational domain* (a subdomain relationship). This adds flexibility for complex mail flows but gives an attacker more room to spoof sister domains like "wayfair-mail.com".
- MTA-STS not deployed: MTA-STS would force other mail servers to encrypt connections to Wayfair's mail infrastructure and validate TLS certificates. Without it, inbound mail can be downgraded to cleartext or intercepted in transit—a missing layer against man-in-the-middle attacks.
What this means practically
An attacker cannot easily send an email from wayfair.com itself—SPF and DKIM will block it unless they've compromised Wayfair's infrastructure. However, they *can* register wayfair-mail.com or wayfair.co and send from there; relaxed DMARC alignment does not prevent wayfair.com's policy from being applied, but that policy has no bearing on a separately registered look-alike domain, so user perception and domain similarity are the real risk. Additionally, an attacker intercepting mail in transit (via BGP hijacking or network compromise) won't face encryption enforcement, making data theft easier. Most damage from Wayfair spoofing will come from look-alike domains, not direct spoofing.
Bottom line: Wayfair has stopped impersonation of wayfair.com itself, but hasn't added the encryption layer (MTA-STS) that would stop interception attacks, and relaxed DMARC alignment creates confusion around sister domains.
What we measured
- DMARC policy (Partial): p=quarantine. Spoofed mail goes to spam but is not rejected.
- SPF posture (Enforced): -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
  v=spf1 include:spf.wayfair.com include:spf.protection.outlook.com include:et._spf.pardot.com include:_spf.salesforce.com include:_spf.google.com -all
- DKIM presence (Enforced): found at 6 selectors. DKIM key found at selectors: k1, google, pm, s2, selector2, s1.
- MTA-STS (transport) (Open): missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Move DMARC to p=reject pct=100 once your rua reports show no legitimate-sender failures.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
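To make the grading above reproducible, here is an added example (not part of this report or of any Wayfair tooling) that scores DMARC, SPF and MTA-STS records the way the report does, using DNS answers constructed from the records quoted on this page, and then shows the same checks passing on the target state the two remediation steps describe. The DMARC text is rebuilt from the tags the report lists (p, pct, adkim, aspf); the rua and TLS-RPT mailboxes, the MX hostnames and the STS policy id are placeholders under example.invalid, not Wayfair's values. DKIM is deliberately not graded, since selector names cannot be discovered from DNS alone.

```python
import re

# Constructed DNS answers mirroring this page's findings. A live checker would
# fetch TXT for _dmarc.<domain>, <domain> and _mta-sts.<domain>, then GET
# https://mta-sts.<domain>/.well-known/mta-sts.txt. No _mta-sts key: none found.
CURRENT_DNS = {
    "_dmarc.wayfair.com": "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=r",
    "wayfair.com": ("v=spf1 include:spf.wayfair.com include:spf.protection.outlook.com "
                    "include:et._spf.pardot.com include:_spf.salesforce.com "
                    "include:_spf.google.com -all"),
}
CURRENT_POLICY_FILES = {}  # no MTA-STS policy file served either

# Target state from "How to make it un-spoofable". Mailboxes, MX hostnames and
# the policy id are placeholders (example.invalid), not Wayfair's real values.
HARDENED_DNS = dict(CURRENT_DNS)
HARDENED_DNS["_dmarc.wayfair.com"] = ("v=DMARC1; p=reject; pct=100; adkim=r; aspf=r; "
                                      "rua=mailto:dmarc-rua@example.invalid")
HARDENED_DNS["_mta-sts.wayfair.com"] = "v=STSv1; id=20240101000000"
HARDENED_DNS["_smtp._tls.wayfair.com"] = "v=TLSRPTv1; rua=mailto:tls-rpt@example.invalid"
HARDENED_POLICY_FILES = {
    "wayfair.com": ("version: STSv1\nmode: enforce\n"
                    "mx: mx1.example.invalid\nmx: mx2.example.invalid\nmax_age: 604800\n"),
}

ALL_TERM = re.compile(r"(?:^|\s)([-~?+]?)all(?=\s|$)", re.I)
LOOKUP_TERM = re.compile(r"^[-~?+]?(include:|exists:|ptr|a(?=[:/]|$)|mx(?=[:/]|$))|^redirect=", re.I)


def parse_tags(record):
    """Split a 'k=v; k=v' tag list (DMARC, MTA-STS TXT, TLS-RPT) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Enforced only at p=reject applied to 100% of mail; quarantine (or reject
    with pct<100) is Partial; p=none, a malformed record or no record is Open."""
    tags = parse_tags(record) if record else {}
    if tags.get("v", "").upper() != "DMARC1":
        return "Open"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "Enforced"
    return "Partial" if policy in ("reject", "quarantine") else "Open"


def grade_spf(record):
    """The qualifier on the 'all' term decides: -all is Enforced, ~all is
    Partial, ?all/+all or a record without an 'all' term is Open."""
    if not record or not record.lower().startswith("v=spf1"):
        return "Open"
    match = ALL_TERM.search(record)
    qualifier = match.group(1) if match else None
    return {"-": "Enforced", "~": "Partial"}.get(qualifier, "Open")


def spf_lookup_terms(record):
    """Terms that each cost a DNS lookup (RFC 7208 caps these at 10, nested includes included)."""
    return [term for term in record.split() if LOOKUP_TERM.match(term)]


def grade_mta_sts(txt_record, policy_file):
    """Enforced needs the _mta-sts TXT record plus a policy file with
    mode: enforce and at least one mx line; mode: testing is Partial."""
    if not txt_record or parse_tags(txt_record).get("v") != "STSv1" or not policy_file:
        return "Open"
    fields = {}
    for line in policy_file.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip(), []).append(value.strip())
    if fields.get("version") != ["STSv1"] or not fields.get("mx"):
        return "Open"
    mode = fields.get("mode", ["none"])[0]
    return {"enforce": "Enforced", "testing": "Partial"}.get(mode, "Open")


def grade_domain(domain, dns_txt, policy_files):
    """Grade the three DNS-verifiable checks from the report's table."""
    return {
        "DMARC": grade_dmarc(dns_txt.get(f"_dmarc.{domain}")),
        "SPF": grade_spf(dns_txt.get(domain)),
        "MTA-STS": grade_mta_sts(dns_txt.get(f"_mta-sts.{domain}"), policy_files.get(domain)),
    }


def verdict(results):
    """Report-style spoofability verdict: 'No' only when every check is Enforced."""
    statuses = set(results.values())
    if statuses == {"Enforced"}:
        return "No"
    return "Yes" if statuses == {"Open"} else "Maybe"


if __name__ == "__main__":
    for label, dns, policies in (("current", CURRENT_DNS, CURRENT_POLICY_FILES),
                                 ("hardened", HARDENED_DNS, HARDENED_POLICY_FILES)):
        results = grade_domain("wayfair.com", dns, policies)
        print(f"{label}: {results} -> spoofable: {verdict(results)}")
```

Running it grades the current records Partial/Enforced/Open with verdict "Maybe", matching the report, and the hardened set all Enforced with verdict "No". The SPF record's five top-level include: terms are worth counting against the 10-lookup limit before adding more senders, because each nested include also counts.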