wiredepth

Spoofability verdict for zoom.us

No - zoom.us is not practically spoofable.


Zoom has deployed a hardened email authentication posture that stops most spoofing attempts at the receiver's mailbox. This is the standard you'd want from a major SaaS vendor handling user data and brand trust.

  • DMARC p=reject: Mail from zoom.us that fails authentication is rejected outright—no soft landing, no quarantine. Receivers follow this signal and discard spoofed mail rather than deliver it.
  • SPF ~all (softfail): SPF includes five major sending platforms (Google, Amazon SES, Salesforce, Mandrill, Mailchimp) and several IP blocks, but ends with ~all (softfail) rather than -all (hardfail). With DMARC p=reject in place, softfail is adequate—the DMARC policy is the enforcement layer that matters.
  • DKIM at 5 selectors: DKIM signatures found across google, k1, mandrill, s1, s2 selectors. This breadth shows Zoom signs mail from multiple platforms; receivers can verify signatures even if one selector rotates.
  • MTA-STS missing: MTA-STS (enforced TLS to mail servers) is not deployed. This is a gap for in-transit protection, but it doesn't directly enable spoofing—it's about hardening the connection layer, not authentication.

What this means practically

An attacker cannot credibly forge mail from zoom.us and have it land in user inboxes. Any message that fails DMARC, meaning neither SPF nor DKIM passes in alignment with zoom.us, will be rejected under Zoom's DMARC policy at the receiving mail server. Phishing mail impersonating Zoom would either bounce or land in spam folders depending on receiver configuration. Legitimate Zoom operational mail (password resets, meeting invites, billing) goes through their authorized platforms and signs cleanly.

Bottom line: Zoom's email infrastructure is effectively locked down; the combination of p=reject DMARC and DKIM breadth across sending partners makes domain spoofing impractical.

What we measured

  • DMARC policy: p=reject (status: Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: ~all (softfail) (status: Partial). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record:

    v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com include:_spf.google.com include:amazonses.com ip4:52.38.191.241 include:servers.mcsv.net include:_spf.salesforce.com include:spf.mandrillapp.com ip4:13.110.78.0/24 ~all

  • DKIM presence: found at 5 selectors (status: Enforced). DKIM key found at selectors: google, k1, mandrill, s1, s2.
  • MTA-STS (transport): missing (status: Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorized senders is confirmed to be correct.
  2. Publish an MTA-STS policy in enforce mode, plus a TLS-RPT reporting endpoint.
