We audited the primary domains behind Elon Musk’s operating companies — tesla.com, spacex.com, starlink.com, x.com, twitter.com, x.ai, neuralink.com, and boringcompany.com — using audit.emailmenow.com. Each domain was scored on SPF, DKIM, DMARC, MTA-STS/TLS, and website security headers.
These brands communicate with millions of customers, employees, and investors. Weak email authentication on any one domain creates spoofing risk for account recovery, billing, recruiting, and media impersonation.
In this audit, scores ranged from 90% to 60% across 8 domains (updated 82% high after the June 18 re-audit below).
6/18/2026 update
SpaceX overall score climbed from 66% to 82% (+16 points) in a fresh re-audit via audit.emailmenow.com (?fresh=1, cache bypassed). The gain was driven by website security: spacex.com moved from 45% to 100% — likely HSTS, CSP, and related header fixes deployed since the June 14 baseline. SpaceX moved from a tie at #6 to #3 in the portfolio.
The other seven domains were unchanged in this run. Starlink remains #1 at 90% with a 100% website score — noteworthy as IPO speculation puts billing and investor-facing domains in the crosshairs for spoofing and business email compromise.
| Company | Domain | Overall (Jun 14) | Overall (Jun 18) | Website (Jun 14) | Website (Jun 18) | Change |
|---|---|---|---|---|---|---|
| SpaceX | spacex.com | 66% | 82% | 45% | 100% | +16 pts overall |
Domain Security Scores
Updated June 18, 2026 for SpaceX; other domains per June 14 baseline.
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Company | Domain | Overall Score | Website Score | Performance Level |
|---|---|---|---|---|---|
| 1 | Starlink | starlink.com | 90% | 100% | Strong |
| 2 | Neuralink | neuralink.com | 84% | 92% | Good |
| 3 | SpaceX | spacex.com | 82% | 100% | Good |
| 4 | xAI | x.ai | 81% | 100% | Good |
| 5 | X (x.com) | x.com | 70% | 45% | Good |
| 5 | Twitter (legacy) | twitter.com | 70% | 45% | Good |
| 7 | Tesla | tesla.com | 66% | 45% | Above Average |
| 8 | The Boring Company | boringcompany.com | 60% | 45% | Above Average |
Website Security Scores
Scores ranged from 100% to 45%; 4 of 8 reached the 100% ideal and 4 scored below 60% (SpaceX updated June 18).
| Rank | Company | Domain | Website Score | Rating |
|---|---|---|---|---|
| 1 | Starlink | starlink.com | 100% | Strong |
| 1 | SpaceX | spacex.com | 100% | Strong |
| 1 | xAI | x.ai | 100% | Strong |
| 4 | Neuralink | neuralink.com | 92% | Strong |
| 5 | X (x.com) | x.com | 45% | Below Average |
| 5 | Twitter (legacy) | twitter.com | 45% | Below Average |
| 5 | Tesla | tesla.com | 45% | Below Average |
| 5 | The Boring Company | boringcompany.com | 45% | Below Average |
What the Results Reveal
- Starlink (90%) and Neuralink (84%) lead the portfolio on email-authentication basics; SpaceX (82%) moved to #3 after website hardening on June 18.
- Website vs. email gap: Starlink, SpaceX, and xAI now score 100% on website headers; Tesla, X, Twitter, and Boring Company remain at 45% — missing or weak HSTS/CSP protections drag overall ratings.
- x.com and twitter.com both score 70% — the legacy Twitter domain remains independently configured after the rebrand to X.
- Tesla (66%) is now the lowest among the major consumer brands in the set, tied above The Boring Company (60%).
- The Boring Company (60%) is the lowest-scoring domain — still above the sub-50% range where spoofing risk spikes.
Attack exposure across the portfolio
Domains scoring near 60% combine weak identity enforcement, missing inbound transport protections, and sub-60% website hardening. Without naming specific organizations, entities in that tier are disproportionately exposed to:
- Multi-brand spoofing — separate consumer domains (billing, social, recruiting) each create independent impersonation risk if DMARC is not enforced per domain.
- Business email compromise (BEC) — spoofed messages appearing to come from executives or accounts payable, used to redirect wires and ACH payments.
- Brand impersonation phishing — fake billing, HR, and vendor notices that pass visual inspection because DMARC and SPF are not fully enforced.
- Credential harvesting — login pages linked from forged
@company.commail aimed at employees, contractors, and customers. - Invoice and procurement fraud — altered payment instructions sent to finance teams and partners who trust the corporate domain.
- Account-recovery abuse — password-reset and MFA prompts triggered from impersonated sender addresses.
- Inbound mail downgrade attacks — absence of enforced MTA-STS allows opportunistic TLS stripping on messages destined for the organization.
- Clickjacking and session risks — missing HSTS, CSP, and frame protections on the public site increase browser-side attack surface for visitors and logged-in users.
- Supply-chain targeting — partners who whitelist the domain for deliverability become secondary victims when spoofed mail originates unchecked.
- Header gaps at scale — 4 of 8 domains scored below 60% on website security in this audit. Clickjacking and session risks are not confined to the bottom tier; many names share a 45% website score — the same floor shared by 3 other domains in this audit.
These are not theoretical edge cases. State breach portals and FBI IC3 reporting consistently tie weak email authentication and header gaps to measurable financial loss at large enterprises.
Real attacks, told as stories
The stories below are made up, but they are based on real crimes that police and cybersecurity teams see every year. No Elon Musk company domain is named. Each story shows how weak domain settings can hurt real people — customers, investors, and job seekers who interact with Tesla, SpaceX, Starlink, X, and related brands.
Story 1: Maria and the payment that was not real

Maria works in billing operations at a Starlink reseller processing enterprise satellite invoices.
On a Tuesday morning, she gets an email that looks normal:
From: accounts-payable@bigbrand.com
Subject: Updated ACH details for Q2 service billing
The logo looks right. The tone sounds like past billing notices from the brand. A PDF lists a new routing number.
Maria does not know that bigbrand.com has weak email security. A stranger sent the message from their own server and pretended to be the big brand. That is called brand impersonation.
She approves a $284,000 wire. The money goes to the attacker, not the real company.
The next day, the same fake sender emails two more partners Maria knows from partner forums. One ignores it. One also changes bank details. That is supply-chain targeting — hurting partners by faking the main organization’s name.
Attack vectors in this story: brand impersonation · invoice and procurement fraud · supply-chain targeting · business email compromise (BEC)
Simple fix: Strict DMARC (p=reject), SPF (-all), and a rule that every bank change needs a phone call to a known contact — not just email.
Story 2: Jordan clicks “reset password”

Jordan is a Tesla delivery coordinator managing customer account access. On Wednesday at 2 p.m., his phone buzzes:
From: it-security@bigbrand.com
Subject: Reset your password in 2 hours or lose access
Jordan is busy. The email looks like IT mail he has seen before. He clicks the link.
The page looks like his company login. It is not. It is a copy on a similar-looking website (bigbrand-secure.com). He types his username and password. The attacker saves them.
This is account-recovery abuse and credential harvesting. The criminal used a fake “reset your account” message because people trust mail from @company.com.
That night, the attacker signs into Jordan’s mailbox and reads old threads about a vehicle purchase escrow release. On Thursday, they email the CFO’s assistant:
From: cfo@bigbrand.com
Subject: Urgent — confidential wire for escrow
That is BEC — business email compromise. The assistant almost approves it. A bookkeeper asks, “Did you talk to the CFO on the phone?” The wire stops. Jordan still has to change every password he reused.
Attack vectors in this story: account-recovery abuse · credential harvesting · business email compromise (BEC)
Simple fix: DMARC p=reject, train staff that IT will never rush a reset by email alone, and require a callback before any wire.
Story 3: The contract email no one knew could be copied

Priya is an investor-relations contractor emailing draft IPO materials. She emails a investor FAQ draft to an inbox at @bigbrand.com. The send button works. Her screen says Delivered.
What Priya cannot see: on part of the internet path, the mail server connection was downgraded from locked (TLS) to unlocked. Without MTA-STS set to mode=enforce, the recipient’s mail system still accepts the message. An attacker on that path can copy attachment text in plain form.
This is an inbound mail downgrade attack. Most people worry about fake outgoing email. MTA-STS protects incoming mail — mail sent to your organization.
Priya’s communications team sees green checkmarks in their dashboard. Nothing looks wrong. Weeks later, rumor sites publish financing terms before the official announcement. The leak might have started on the wire, not in someone’s inbox.
Attack vector in this story: inbound mail downgrade (no MTA-STS)
Simple fix: Publish MTA-STS in enforce mode and turn on TLS-RPT reports so IT gets alerted when encryption fails.
Story 4: Alex applies for a job online

Alex is a college senior. He is already logged into his school portal in one browser tab. In another tab, he opens a job post: “Join the team — fast-track application for Starlink / SpaceX.”
The site asks him to “confirm your profile” on what looks like the real company careers page. He clicks.
He does not know the page is a trap. The real login screen is hidden inside an invisible frame on a scam site. That trick is called clickjacking. The company’s website scored 45% on security headers — a floor shared by 4 of 8 domains in this audit, missing strong HSTS, CSP, and frame blocking.
Alex thinks he is on the real site. He is really interacting with a layer the attacker controls. If he had been logged into the company’s vendor portal in another tab, the same trick could hijack that session.
No phishing email was needed. The attack lived on the website, not in the inbox.
Attack vectors in this story: clickjacking · session risks (missing HSTS/CSP)
Simple fix: Add HSTS, Content-Security-Policy, and frame-ancestors / X-Frame-Options so login pages cannot be embedded on random sites.
How the stories connect
All four stories can hit one organization with a weak audit score (near 60%):
| Story | Who got hurt | Main gap |
|---|---|---|
| Maria (partner) | Outside partners | Fake mail from your domain |
| Jordan (employee) | Inside staff | Fake password-reset mail |
| Priya (professional) | Confidential data in transit | Incoming mail not forced to stay encrypted |
| Alex (visitor) | Website visitors | Login page can be framed by attackers |
Together, that is not one bug — it is a pattern. Fixing it means better DNS (DMARC, MTA-STS), better website headers, and better office rules (call back before you wire).
Cross-portal breach context
Several of these organizations also appear on state AG breach portals. Tesla, Inc. is listed on the California AG breach list; Carnival and other national brands audited in our Washington AG tracker illustrate how large consumer brands surface in multi-state filings.
Why This Matters
High-visibility domains attract targeted phishing. Customers expect email from tesla.com for delivery and service updates, from starlink.com for billing, and from x.com / twitter.com for account notices. Without enforced DMARC, attackers can impersonate those senders in credential-harvesting campaigns.
Verify any domain at audit.emailmenow.com.
See also
Recommendations
- Align twitter.com and x.com to a single enforced DMARC policy where mail still originates from both brands.
- Move consumer-facing domains below 70% toward
p=rejectDMARC and strict SPF. - Monitor subsidiary domains (starlink.com vs spacex.com) as separate mail-sending identities.
Methodology: Domains audited 2026-06-14 via audit.emailmenow.com. SpaceX re-audited 2026-06-18. Overall score = identity×0.40 + website×0.30 + endpoint×0.20 + email infrastructure×0.05 + transport×0.05.