wiredepth

Spoofability verdict for workday.com

No - workday.com is not practically spoofable.


Workday's email authentication is remarkably solid. The company has deployed DMARC at enforcement strength, combined with a working SPF record and multiple DKIM selectors, making impersonation of the domain extremely difficult.

  • DMARC policy=reject (enforced): Workday's DMARC policy is set to reject, meaning any mail failing DMARC checks will be outright rejected by receiving mail servers, not delivered to spam. This is the strongest possible posture and catches most spoofing attempts at the receiver's gate.
  • SPF with softfail (~all): Although the SPF record ends in softfail rather than hardfail, it delegates to a macro-driven validation service (vali.email) that evaluates the connecting IP and EHLO hostname against the domain's own SPF data and per-connection rules, so unauthorised IPs rarely pass in practice.
  • DKIM at 4+ selectors (k1, mandrill, selector1, k2): Multiple active DKIM selectors indicate that Workday rotates signing keys and can revoke a compromised key without breaking mail flow, a sign of mature cryptographic hygiene.
  • MTA-STS missing: MTA-STS would prevent TLS downgrade attacks during delivery; its absence does not weaken the DMARC + SPF + DKIM posture as far as spoofing prevention is concerned.

What this means practically

An attacker cannot realistically spoof a Workday email. They would need to obtain an SPF pass (difficult given the SPF validation layer), forge a DKIM signature (which requires a private key Workday rotates regularly), or have mail that fails DMARC accepted anyway, which will not happen under a reject policy. Legitimate Workday infrastructure is already signed and authenticated, so receivers see mail that passes cleanly.

Bottom line: Workday has implemented email authentication correctly at every layer; spoofing their domain is not a practical risk.

What we measured

  • DMARC policy: Enforced, p=reject. DMARC at p=reject (pct=100); spoofed mail is rejected at SMTP.
  • SPF posture: Partial, ~all (softfail). SPF ends in ~all (softfail); receivers may accept but mark the mail, so SPF alone is not enforced. Published record:
    v=spf1 include:workday.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all
  • DKIM presence: Enforced, found at 4 selectors. DKIM key found at selectors: mandrill, k2, k1, selector1.
  • MTA-STS (transport): Open, missing. No MTA-STS policy; inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
