wiredepth

Spoofability verdict for aa.com

No - aa.com is not practically spoofable.


American Airlines has built a genuinely protective DMARC posture: a strict reject policy, multiple DKIM selectors, and a comprehensive SPF allowlist. Together these make direct spoofing of aa.com email practically difficult for attackers.

  • DMARC policy=reject: Hard reject means mail receivers drop unauthenticated messages claiming to be from aa.com, rather than just tagging them as suspicious. This is the strongest stance.
  • SPF with softfail (~all): American Airlines maintains a detailed allowlist (22+ legitimate IP ranges and third-party services such as Outlook, SAP, and on-premises infrastructure), but the record ends with softfail rather than hardfail. Softfail means mail from unlisted sources is still delivered, only flagged. Hardening this to -all would complete the picture.
  • DKIM at 5 selectors: Multiple active selectors (k1, k2, s1, s2, selector2) mean mail is cryptographically signed across different systems and key-rotation cycles. Attackers cannot forge these signatures without the private keys.
  • MTA-STS missing: MTA-STS lets a domain require encrypted, certificate-authenticated SMTP delivery to its mail servers. Its absence means an attacker who can tamper with DNS or MX answers can downgrade or intercept mail in transit to aa.com, though DMARC does limit the damage on the receive side.

What this means practically

An attacker can register aa.com lookalike domains or compromise a misconfigured employee account, but impersonating aa.com directly is blocked: recipients checking DMARC/DKIM will reject forgeries outright. SPF's softfail means mail from unlisted IPs might reach spam folders at Gmail or Microsoft rather than being fully blocked, a minor edge case for sophisticated attackers with internal access. The absence of MTA-STS is the real gap: an attacker who can tamper with DNS or MX resolution could intercept aa.com mail in transit, though recipients will still verify the DKIM signature on any message that is replayed.
</gre_replace>
<gr_replace lines="23-65" cat="reformat" orig="What we measured">
What we measured

  • DMARC policy: p=reject (Enforced)
    DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

  • SPF posture: ~all (softfail) (Partial)
    SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
    Published record:
    v=spf1 include:spf.protection.outlook.com include:onprem.aa.com include:_spf-dc4.sapsf.com include:spf.aa.com ip4:169.55.103.7 ip4:169.55.103.8 ip4:169.44.200.37 ip4:169.44.200.38 ip4:136.147.176.0/20 ip4:13.111.0.0/18 ip4:70.42.227.151 ip4:70.42.227.152 ip4:146.20.91.152 ip4:146.20.91.153 ip4:66.48.80.132 ip4:204.232.172.40 ip4:161.47.34.7 ip4:108.166.43.0/24 ip4:173.203.2.22 ip4:12.104.201.5 ip4:91.198.224.29/32 ip4:194.37.255.29/32 ~all

  • DKIM presence: found at 5 selectors (Enforced)
    DKIM key found at selectors: selector2, s1, s2, k2, k1.

  • MTA-STS (transport): missing (Open)
    No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

Bottom line: American Airlines has strong defenses against direct email spoofing, but should harden SPF to -all and deploy MTA-STS to close the remaining gaps.

What we measured

Enforced

DMARC policy

p=reject

inspect →

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Partial

SPF posture

~all (softfail)

inspect →

SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

v=spf1 include:spf.protection.outlook.com include:onprem.aa.com include:_spf-dc4.sapsf.com include:spf.aa.com ip4:169.55.103.7 ip4:169.55.103.8 ip4:169.44.200.37 ip4:169.44.200.38 ip4:136.147.176.0/20 ip4:13.111.0.0/18 ip4:70.42.227.151 ip4:70.42.227.152 ip4:146.20.91.152 ip4:146.20.91.153 ip4:66.48.80.132 ip4:204.232.172.40 ip4:161.47.34.7 ip4:108.166.43.0/24 ip4:173.203.2.22 ip4:12.104.201.5 ip4:91.198.224.29/32 ip4:194.37.255.29/32 ~all

Enforced

DKIM presence

found at 5 selectors

inspect →

DKIM key found at selectors: selector2, s1, s2, k2, k1.

Open

MTA-STS (transport)

missing

inspect →

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
