{"slug": "26-of-39-ai-companies-use-spf-softfail-their-email-can-be-spoofed", "title": "26 of 39 AI Companies Use SPF Softfail — Their Email Can Be Spoofed", "summary": "A security analysis of 39 AI companies found that 26 use an SPF \"softfail\" policy, meaning spoofed emails from domains like Anthropic, Google, and NVIDIA can still be delivered to inboxes. Additionally, 9 out of 39 domains have weak or absent DMARC policies, leaving organizations such as MIRI and the Alignment Forum vulnerable to email impersonation. In contrast, OpenAI, Microsoft, and Stripe enforce strict DMARC rejection policies, which block spoofed messages even when SPF is weak.", "body_md": "I queried the DNS records for 39 AI companies — labs, safety orgs, tooling companies — and checked their SPF and DMARC email security policies. The results are worse than I expected.\n~all\n(softfail) — including Anthropic, Google, Apple, NVIDIA, and Hugging Face-all\n(hardfail) — OpenAI, Microsoft, Amazon, Palantir, x.aiSPF (Sender Policy Framework) tells receiving mail servers which IPs are authorized to send email on behalf of a domain. The all\nmechanism at the end defines what happens when a sender isn't on the list:\n-all\n(hardfail): reject the message~all\n(softfail): accept it but maybe flag it?all\n(neutral): no opinion+all\n(pass all): accept everythingMost email servers treat softfail as \"deliver normally, maybe add a spam score.\" Combined with weak DMARC policies, this means spoofed emails from most AI companies will land in inboxes.\nCohere stands out: 6 approved sending services with only softfail. That's a wide attack surface with weak enforcement.\nDMARC tells receivers what to do when both SPF and DKIM fail. p=reject\nblocks spoofed messages. p=none\nlets them through.\nNo DMARC at all:\nDMARC monitoring-only (p=none):\nThat's 9/39 domains (23%) with weak or absent DMARC. 
For AI safety organizations like MIRI and Alignment Forum, this is notable — organizations focused on existential risk from advanced AI, vulnerable to basic email impersonation.\nOpenAI (-all\n, p=reject\n), Microsoft (-all\n, p=reject\n), Anthropic (~all\n, p=reject\n), and Stripe (-all\n, p=reject\n) all have strict DMARC enforcement. Anthropic's DMARC compensates for the SPF softfail — even if SPF softfails, DMARC with p=reject\nwill block the message.\nxAI's infrastructure is unusual: SSL certificate from a Chinese issuer (Guangdong Baota Security Technology), DMARC reports sent to Alibaba Cloud, domain registered in 1994 (32 years before xAI was founded). Response time: 660ms.\nAll data comes from public DNS records. Verify any claim:\ndig +short TXT example.com # SPF record\ndig +short TXT _dmarc.example.com # DMARC policy\ndig +short MX example.com # Mail servers\nI built an interactive email security checker where you can enter any domain and see its SPF policy, DMARC enforcement, approved sender list, and mail provider — all from live DNS queries.\nThe full analysis of all 39 companies, including Anthropic domain verification records, MCPv1 cryptographic keys, and infrastructure details, is at domainintel.vercel.app/research.\nData collected May 20, 2026. 
All sources are public — DNS records, SSL certificates, WHOIS, HTTP headers.", "url": "https://wpnews.pro/news/26-of-39-ai-companies-use-spf-softfail-their-email-can-be-spoofed", "canonical_source": "https://dev.to/marketoracle/26-of-39-ai-companies-use-spf-softfail-their-email-can-be-spoofed-1846", "published_at": "2026-05-20 15:46:07+00:00", "updated_at": "2026-05-20 16:03:08.947111+00:00", "lang": "en", "topics": ["cybersecurity", "artificial-intelligence"], "entities": ["Anthropic", "Google", "Apple", "NVIDIA", "Hugging Face", "OpenAI", "Microsoft", "Amazon"], "alternates": {"html": "https://wpnews.pro/news/26-of-39-ai-companies-use-spf-softfail-their-email-can-be-spoofed", "markdown": "https://wpnews.pro/news/26-of-39-ai-companies-use-spf-softfail-their-email-can-be-spoofed.md", "text": "https://wpnews.pro/news/26-of-39-ai-companies-use-spf-softfail-their-email-can-be-spoofed.txt", "jsonld": "https://wpnews.pro/news/26-of-39-ai-companies-use-spf-softfail-their-email-can-be-spoofed.jsonld"}}
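The SPF `all` qualifiers, the `include:` count, and the way a DMARC `p=reject` overrides an SPF softfail that the article's body describes, worked through as an added example. This is not the author's checker and the records in `SAMPLES` are constructed to mirror the policy combinations discussed (softfail with and without DMARC, hardfail with `p=none`, `+all`, many includes, no `all` term, too many lookups); they are not the live records of any company named on the page. It also covers two edge cases the article does not: `+all` authorizes the forger so DMARC sees an aligned SPF pass, and more than 10 lookup-consuming terms turns the record into a permerror. Only top-level terms are counted, since resolving nested includes would need live DNS.

```python
"""SPF/DMARC spoofability check. Added example: not the article's checker, and the
records below are constructed, not the live records of any company named above."""
from dataclasses import dataclass, field
from typing import Optional

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup (RFC 7208 limit: 10)
QUALIFIER_NAMES = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class SpfPolicy:
    valid: bool
    all_qualifier: Optional[str]                   # "+", "-", "~", "?" or None when no `all` term
    includes: list = field(default_factory=list)   # third-party senders authorised wholesale
    lookups: int = 0                               # top-level lookup-consuming terms (a lower bound)
    error: str = ""

    def unauthorized_sender_result(self) -> str:
        """SPF result for a sender that matches no mechanism (RFC 7208 section 4.7)."""
        if not self.valid:
            return "permerror"
        if self.all_qualifier is None:
            return "neutral"                       # no `all` and no redirect: default is neutral
        return QUALIFIER_NAMES[self.all_qualifier]


def parse_spf(record: Optional[str]) -> SpfPolicy:
    if record is None:
        return SpfPolicy(False, None, error="no SPF record")
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfPolicy(False, None, error="missing v=spf1 version tag")
    policy = SpfPolicy(True, None)
    for term in terms[1:]:
        term = term.lower()
        if "=" in term:                            # modifier: only redirect= costs a lookup
            policy.lookups += term.startswith("redirect=")
            continue
        qualifier = "+"                            # a mechanism with no prefix is a pass
        if term[0] in QUALIFIER_NAMES:
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name == "all":
            policy.all_qualifier = qualifier
            break                                  # terms after `all` are never evaluated
        if name in LOOKUP_MECHANISMS:
            policy.lookups += 1
        if name == "include" and ":" in term:
            policy.includes.append(term.split(":", 1)[1])
    if policy.lookups > 10:
        policy.valid, policy.error = False, f"{policy.lookups} lookups exceed the limit of 10 (permerror)"
    return policy


@dataclass
class DmarcPolicy:
    present: bool
    policy: str = "none"                           # p= tag, or "none" when absent or malformed
    pct: int = 100                                 # share of failing mail the policy applies to
    error: str = ""


def parse_dmarc(record: Optional[str]) -> DmarcPolicy:
    if record is None:
        return DmarcPolicy(False, error="no _dmarc record")
    if not record.strip().lower().startswith("v=dmarc1"):
        return DmarcPolicy(False, error="v=DMARC1 must be the first tag; receivers ignore the record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        return DmarcPolicy(False, error="p= tag missing or unknown; receivers ignore the record")
    pct = tags.get("pct", "100")
    return DmarcPolicy(True, tags["p"], min(100, int(pct)) if pct.isdigit() else 100)


def spoof_verdict(spf: SpfPolicy, dmarc: DmarcPolicy) -> str:
    """Fate of an unsigned message forging the From: domain from an IP the domain never listed."""
    spf_result = spf.unauthorized_sender_result()
    if spf_result == "pass":
        return "delivered: +all authorises the forger, so DMARC sees an aligned SPF pass"
    # Anything but pass, with no DKIM signature to fall back on, is a DMARC failure.
    if dmarc.present and dmarc.policy != "none" and dmarc.pct > 0:
        action = "rejected" if dmarc.policy == "reject" else "quarantined"
        if dmarc.pct < 100:
            return f"{action} for {dmarc.pct}% of forgeries (pct={dmarc.pct}), delivered otherwise"
        return f"{action}: DMARC p={dmarc.policy} overrides the SPF {spf_result}"
    if spf_result == "fail":
        return "rejected only by receivers that enforce SPF -all themselves; DMARC gives no instruction"
    return f"delivered: SPF {spf_result} is advisory and DMARC does not enforce"


# Constructed records modelled on the policy combinations the article describes.
SAMPLES = {
    "softfail, no DMARC":     ("v=spf1 include:_spf.mailer.example ~all", None),
    "softfail, p=reject":     ("v=spf1 include:_spf.mailer.example ~all", "v=DMARC1; p=reject; rua=mailto:d@example.org"),
    "hardfail, p=none":       ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=none"),
    "pass-all, p=reject":     ("v=spf1 +all", "v=DMARC1; p=reject"),
    "six includes, softfail": ("v=spf1 " + " ".join(f"include:spf.vendor{i}.example" for i in range(6)) + " ~all", "v=DMARC1; p=none"),
    "no all term":            ("v=spf1 ip4:198.51.100.0/24", None),
    "over the lookup limit":  ("v=spf1 " + " ".join(f"include:spf.vendor{i}.example" for i in range(11)) + " -all", "v=DMARC1; p=reject"),
}


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> dict:
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    return {"spf_unauthorized": spf.unauthorized_sender_result(), "includes": len(spf.includes),
            "lookups": spf.lookups, "dmarc_policy": dmarc.policy if dmarc.present else "absent",
            "verdict": spoof_verdict(spf, dmarc)}


if __name__ == "__main__":
    for label, (spf_txt, dmarc_txt) in SAMPLES.items():
        r = assess(spf_txt, dmarc_txt)
        print(f"{label:23} SPF={r['spf_unauthorized']:9} includes={r['includes']:2} DMARC={r['dmarc_policy']:7} -> {r['verdict']}")
```

To run it against a real domain, feed the strings that `dig +short TXT` returns for the domain and for `_dmarc.<domain>` into `assess`; the `pct=` handling matters in practice, because `p=reject; pct=0` is published by some domains during rollout and is functionally `p=none`.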