Spoofability verdict for apple.com
Maybe - apple.com is partially protected.
Apple.com has assembled a solid foundation for email authentication, but left a critical door open: DMARC quarantine without strict alignment rules and a missing MTA-STS policy mean attackers can still pass plausible-looking mail from Apple domains into inboxes.
- DMARC policy=quarantine: Quarantine is a strong choice: it catches authentication failures without outright rejecting mail. However, Apple hasn't set adkim or aspf alignment requirements, so DMARC defaults to 'relaxed' alignment—meaning a message can pass even if the domain signing it is only loosely related to apple.com.
- SPF ~all (softfail): SPF includes two Apple-controlled ranges and ends with a softfail (~all), not a hardfail (-all). Softfail is a warning; receivers are free to ignore it. An attacker sending from a random IP will fail SPF, but won't trigger hard rejection.
- DKIM at 2 selectors (selector1, selector2): DKIM signing is in place and enforced on mail from these selectors. DKIM is cryptographically sound—an attacker can't forge a valid signature without Apple's private keys.
- MTA-STS missing: MTA-STS forces TLS encryption and verifies certificates when mail servers talk to each other. Apple doesn't publish an MTA-STS policy, leaving the connection step vulnerable to interception or downgrade attacks.
What this means practically
An attacker can send mail that passes SPF by spoofing an internal Apple address, or craft a message that validates DKIM if they're signing with a compromised key or one of the exposed selectors. More likely: they'll send from attacker-controlled infrastructure but include a From: header claiming apple.com. Gmail and M365 will pass this through authentication checks—the softfail won't stop them—but DMARC quarantine may (with some probability) push it to spam. Casual recipients won't distinguish it from real Apple mail. Lack of MTA-STS also means an attacker positioned between Apple's mail servers and a recipient's mail server can intercept and modify mail in transit.
Bottom line: Apple.com has mid-level protection: strong enough to block the crudest spoofing attempts, but weak enough that determined or well-positioned attackers can still pose as Apple and reach inboxes at scale.
What we measured
- DMARC policy: p=quarantine (Partial). DMARC at p=quarantine. Spoofed mail goes to spam but is not rejected.
- SPF posture: ~all (softfail) (Partial). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
  Record: v=spf1 include:_spf.apple.com include:_spf-txn.apple.com ~all
- DKIM presence: found at 2 selectors (Enforced). DKIM key found at selectors: selector1, selector2.
- MTA-STS (transport): missing (Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Move DMARC to p=reject pct=100 once your rua reports show no legitimate-sender failures.
- Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
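To make the posture checks above concrete, here is an added example (not code from the page or from any scanner) that parses SPF and DMARC records and reports the same weaknesses the report flags: a non-reject policy, pct below 100, relaxed alignment when adkim/aspf are absent (the RFC 7489 default), a missing rua, and a softfail or missing terminal "all" in SPF. The SPF record is the one shown on the page; the DMARC record is constructed from the page's stated p=quarantine, and the hardened records and the rua address are assumptions.

```python
# Records under test. The SPF record is the one shown on the page; the DMARC
# record is constructed from the page's stated p=quarantine (no adkim/aspf/rua).
CURRENT_SPF = "v=spf1 include:_spf.apple.com include:_spf-txn.apple.com ~all"
CURRENT_DMARC = "v=DMARC1; p=quarantine"
# Hardened versions following the page's recommendations (rua address is a placeholder).
HARDENED_SPF = "v=spf1 include:_spf.apple.com include:_spf-txn.apple.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc-rua@example.invalid"

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list = fully enforced)."""
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: failing mail is not rejected")
    pct = int(tags.get("pct", "100"))          # RFC 7489 default is 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    # Missing adkim/aspf means relaxed alignment (a loosely related subdomain can pass).
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag} relaxed: alignment not strict")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to confirm legitimate senders pass")
    return findings

def assess_spf(record):
    """Return a list of weaknesses in an SPF record based on its terminal 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    qualifier = terms[-1].lower()
    if qualifier == "-all":
        return []
    if qualifier == "~all":
        return ["~all (softfail): receivers may accept and merely mark the mail"]
    if qualifier in ("?all", "+all", "all"):
        return [f"{qualifier}: no rejection of unlisted senders"]
    return ["no terminal 'all' mechanism: unlisted senders default to neutral"]

if __name__ == "__main__":
    for name, rec, fn in [("SPF", CURRENT_SPF, assess_spf), ("DMARC", CURRENT_DMARC, assess_dmarc),
                          ("SPF", HARDENED_SPF, assess_spf), ("DMARC", HARDENED_DMARC, assess_dmarc)]:
        print(name, rec, "->", fn(rec) or "OK")
```

Running it lists four findings for the current DMARC posture and one for the current SPF, and none for the hardened records.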