wiredepth

Spoofability verdict for americanexpress.com

No - americanexpress.com is not practically spoofable.


American Express has built a fortress around its sending domain with enforced DMARC reject and SPF hardfail. These are the two highest-friction signals an attacker must overcome, and they work in concert to make spoofing americanexpress.com effectively impossible at scale.

  • DMARC p=reject (enforced): Any message whose From: header claims americanexpress.com and that fails DMARC (no aligned SPF pass and no aligned DKIM pass) will be rejected outright by compliant receivers. This is the gold standard and leaves no room for policy ambiguity.
  • SPF -all hardfail (enforced): Only mail from the explicitly listed IP ranges (63.241.217.23, two /24s from 74.125.x.x, and others) will pass SPF. Any other source gets a hardfail. Receivers vary in how much weight they give an SPF fail on its own, but under DMARC p=reject a failing SPF result with no aligned DKIM signature to fall back on means the message is rejected.
  • DKIM: no selectors found: We did not locate DKIM signing keys at common selector names. This doesn't open a spoofing gap, since DMARC p=reject and SPF hardfail already block spoofing, but it does mean DKIM is either using uncommon selector names or not deployed for this domain. If it really is not deployed, DMARC rests on SPF alone, and SPF does not survive forwarding or mailing-list relay: a genuine message forwarded by a third party arrives from an IP outside the list, fails SPF, and is then rejected under p=reject. That is a deliverability cost rather than a security weakness.
  • MTA-STS: not deployed: MTA-STS protects mail delivered to americanexpress.com against TLS downgrade and MX redirection on the transport layer. Its absence doesn't create a spoofability opening: it concerns mail going in, not mail claiming to come out.

What this means practically

An attacker cannot realistically impersonate americanexpress.com in recipient inboxes. Spoofed mail will fail SPF (wrong source IP), fail DMARC (neither an aligned SPF pass nor an aligned DKIM pass), and be rejected by any modern email receiver that enforces these standards. Gmail, Microsoft 365, and enterprise gateways will block or quarantine these messages before they reach users. The residual risk is small: receivers that still don't evaluate DMARC, which are increasingly rare, and impersonation that never uses the exact domain, such as a forged display name or a lookalike domain, which no DMARC policy on americanexpress.com can prevent.
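The following Python is an added worked example, not part of the wiredepth report or its tooling. It evaluates a sending IP against the SPF record this page reports for americanexpress.com, then applies DMARC's alignment rule and p=reject policy to the cases described above: a spoof from an unlisted IP, an attacker who passes SPF for a domain they own but forges the From header, and, because no DKIM key was found, a genuine message forwarded by a third party. The IPs 203.0.113.5 and 198.51.100.7 are documentation-range stand-ins, and the organizational-domain rule is simplified to the last two labels instead of the Public Suffix List.

```python
import ipaddress

# SPF record wiredepth reports for americanexpress.com (copied from this page).
AMEX_SPF = (
    "v=spf1 ip4:63.241.217.23 ip4:74.125.149.0/24 ip4:74.125.150.0/24 "
    "ip4:66.119.44.14 ip4:66.119.44.13 ip4:66.244.67.0/24 ip4:199.3.18.4 "
    "ip4:148.173.88.0/26 ip4:148.173.96.128/26 -all"
)
# DMARC tags wiredepth reports (p=reject, pct=100); alignment modes left at relaxed.
AMEX_DMARC = {"p": "reject", "pct": "100", "aspf": "r", "adkim": "r"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) terms and count DNS-lookup terms."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, lookups = [], 0
    for word in words[1:]:
        qualifier = "+"
        if word[0] in QUALIFIERS:
            qualifier, word = word[0], word[1:]
        sep = "=" if "=" in word.split(":")[0] else ":"  # modifiers use '=', mechanisms ':'
        name, _, arg = word.partition(sep)
        name = name.lower().split("/")[0]                 # drop a CIDR suffix on a/mx
        if name in LOOKUP_TERMS:
            lookups += 1
        terms.append((qualifier, name, arg))
    return terms, lookups


def spf_check(record, sender_ip):
    """Evaluate a record that uses only ip4/ip6/all terms, as this one does.
    Any term that needs DNS raises, so nothing is silently skipped."""
    ip = ipaddress.ip_address(sender_ip)
    terms, _ = parse_spf(record)
    for qualifier, name, arg in terms:
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"'{name}' requires DNS; not evaluated offline")
    return "neutral"  # no term matched and no 'all': RFC 7208 default


def org_domain(domain):
    # Simplified organizational domain (last two labels). Real DMARC uses the
    # Public Suffix List, so this is wrong for names like example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(policy, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' or the policy action. DMARC passes if EITHER method passes
    AND the domain it authenticated aligns with the RFC 5322 From domain."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # pct=100 here, so the policy applies to every failing message (no sampling).
    return policy.get("p", "none")


def scenarios():
    """Outcomes for the cases discussed on this page. IPs outside the SPF list are
    constructed from the RFC 5737 documentation ranges."""
    d, hdr_from = AMEX_DMARC, "americanexpress.com"
    out = {}
    # 1. Genuine mail: listed IP, envelope sender on americanexpress.com.
    out["genuine"] = dmarc_disposition(d, hdr_from, spf_check(AMEX_SPF, "74.125.149.10"), hdr_from, "none", None)
    # 2. Spoof from an attacker's host: -all hardfail, no DKIM, so p=reject applies.
    out["spoof"] = dmarc_disposition(d, hdr_from, spf_check(AMEX_SPF, "203.0.113.5"), hdr_from, "none", None)
    # 3. Attacker passes SPF for a domain they control but forges From: unaligned, still rejected.
    out["unaligned"] = dmarc_disposition(d, hdr_from, "pass", "attacker.example", "none", None)
    # 4. Genuine mail forwarded by a third party: the forwarder's IP fails SPF and,
    #    with no DKIM signature to fall back on, the real message is rejected too.
    out["forwarded_no_dkim"] = dmarc_disposition(d, hdr_from, spf_check(AMEX_SPF, "198.51.100.7"), hdr_from, "none", None)
    # 5. The same forward with an intact, aligned DKIM signature survives.
    out["forwarded_with_dkim"] = dmarc_disposition(d, hdr_from, spf_check(AMEX_SPF, "198.51.100.7"), hdr_from, "pass", hdr_from)
    return out


if __name__ == "__main__":
    _, lookups = parse_spf(AMEX_SPF)
    print(f"DNS-lookup terms in record: {lookups} (limit 10)")
    for name, result in scenarios().items():
        print(f"{name:20s} -> {result}")
```

Scenario 4 is the one worth noticing: with SPF as the only authentication path, the same p=reject that stops the spoof also drops genuine mail once a forwarder changes the source IP, which is why step 1 below matters for deliverability even though it changes nothing about spoofability.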

Bottom line: American Express is a textbook example of email authentication done right—attackers cannot spoof this domain at any meaningful scale.

What we measured

  • DMARC policy: p=reject (Enforced)
    DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP by receivers that honour the policy.
  • SPF posture: -all (Enforced)
    SPF ends in -all (hardfail). Mail from IPs not in the policy gets an SPF fail, and with no aligned DKIM signature to fall back on, DMARC p=reject turns that fail into a rejection.
    v=spf1 ip4:63.241.217.23 ip4:74.125.149.0/24 ip4:74.125.150.0/24 ip4:66.119.44.14 ip4:66.119.44.13 ip4:66.244.67.0/24 ip4:199.3.18.4 ip4:148.173.88.0/26 ip4:148.173.96.128/26 -all
    The record is nine ip4 terms with no include, a or mx terms, so it costs zero DNS lookups against the limit of 10 in RFC 7208.
  • DKIM presence: no key found at common selectors (Open)
    No DKIM key found at any of the 22 common selectors probed. (Your domain may publish a DKIM key at a less-common selector - this is a heuristic, not exhaustive.)
  • MTA-STS (transport): missing (Open)
    No MTA-STS policy. Sending servers have no out-of-band statement of the domain's MX hosts and TLS requirement, so an attacker who can tamper with DNS answers or strip STARTTLS can redirect or downgrade inbound mail to americanexpress.com.

How to make it un-spoofable

  1. Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list - that's fine, but worth verifying with your mail provider. The surest check is to take the DKIM-Signature header from a message the domain actually sent and query <s>._domainkey.<d> for the selector and domain it names.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint. List every MX host in the policy (backup MXs included) and run in testing mode first, because under enforce an MX the policy doesn't cover is refused by MTA-STS-aware senders.
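As an added example covering both steps (not the wiredepth tool's code), the Python below first derives the exact DKIM record name from a DKIM-Signature header, which is how to verify step 1 without guessing selector names, then generates the DNS records and policy file for step 2 and validates the policy against the mistakes that make MTA-STS ineffective or harmful. The signature header, the selector mail2024, the key material, the MX hosts under example.net, the policy id and the TLS-RPT address are all constructed placeholders; substitute the domain's real values.

```python
import re

# ---- Step 1: find the DKIM selector from mail the domain actually sends ----
# DKIM-Signature value constructed for this example: not from a real American
# Express message, and the selector 'mail2024' is hypothetical.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=americanexpress.com; s=mail2024;\r\n"
    "\th=from:to:subject:date:message-id; bh=Zm9vYmFy; b=YmF6cXV4"
)
# Constructed TXT answers for that record name; the key material is fake.
SAMPLE_DKIM_TXT_ACTIVE = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakekey"
SAMPLE_DKIM_TXT_REVOKED = "v=DKIM1; k=rsa; p="


def dkim_tags(value):
    """Parse the tag=value list used by DKIM-Signature headers and DKIM TXT records."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is insignificant
    return tags


def dkim_record_name(signature_header):
    """DNS name to query: <s>._domainkey.<d>. Exact, unlike probing a list of common selectors."""
    t = dkim_tags(signature_header)
    return f"{t['s']}._domainkey.{t['d']}"


def dkim_key_status(txt_record):
    t = dkim_tags(txt_record)
    if t.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present must be DKIM1
        return "not-dkim"
    if not t.get("p"):                  # an empty p= is how a key is revoked
        return "revoked"
    return "active"


# ---- Step 2: MTA-STS in enforce mode plus TLS-RPT ----
MAX_AGE_LIMIT = 31557600  # RFC 8461 caps max_age at one year of seconds


def mta_sts_artifacts(domain, mx_hosts, policy_id, rua, max_age=604800):
    """Return {dns_name: txt_value} and the policy body to serve as text/plain at
    https://mta-sts.<domain>/.well-known/mta-sts.txt behind a valid certificate."""
    txt = {
        f"_mta-sts.{domain}": f"v=STSv1; id={policy_id}",  # change id= whenever the file changes
        f"_smtp._tls.{domain}": f"v=TLSRPTv1; rua={rua}",
    }
    lines = ["version: STSv1", "mode: enforce"] + [f"mx: {h}" for h in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return txt, "\n".join(lines) + "\n"


def _mx_matches(pattern, host):
    """RFC 8461 wildcard: a leading '*.' matches exactly one label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def validate_mta_sts_policy(text, dns_mx_hosts):
    """Problems that make the policy useless or, under enforce, block legitimate
    inbound mail. dns_mx_hosts are the domain's live MX hostnames."""
    fields, mx_patterns, problems = {}, [], []
    for line in text.splitlines():
        if line.strip():
            key, _, val = line.partition(":")
            if key.strip() == "mx":
                mx_patterns.append(val.strip().lower())
            else:
                fields[key.strip()] = val.strip()
    if fields.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    elif mode != "enforce":
        problems.append(f"mode is {mode}: not enforced, so downgrades are not blocked")
    if not mx_patterns:
        problems.append("at least one mx line is required")
    if "max_age" not in fields:
        problems.append("max_age is required")
    elif not fields["max_age"].isdigit() or not 0 < int(fields["max_age"]) <= MAX_AGE_LIMIT:
        problems.append("max_age must be an integer between 1 and 31557600 seconds")
    # An MX the policy does not cover is refused by MTA-STS-aware senders once mode
    # is enforce (the classic self-inflicted outage), so check every live MX.
    for host in dns_mx_hosts:
        if not any(_mx_matches(p, host.lower()) for p in mx_patterns):
            problems.append(f"MX {host} is not covered by any mx line")
    return problems


if __name__ == "__main__":
    print("query:", dkim_record_name(SAMPLE_DKIM_SIGNATURE), "->", dkim_key_status(SAMPLE_DKIM_TXT_ACTIVE))
    # MX hosts, policy id and reporting address are hypothetical placeholders.
    txt, policy = mta_sts_artifacts("americanexpress.com", ["mx1.mail.example.net", "*.backup.example.net"],
                                    "20240601T120000", "mailto:tlsrpt@example.net")
    for name, value in txt.items():
        print(f'{name} TXT "{value}"')
    print(policy, "problems:", validate_mta_sts_policy(policy, ["mx1.mail.example.net", "mx9.backup.example.net"]))
```

Keep the id= tag in DNS in step with the policy file: senders cache the file for max_age and only refetch early when the id changes, so editing the file without bumping the id leaves them enforcing the old MX list.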
