wiredepth

Spoofability verdict for att.com

No - att.com is not practically spoofable.


AT&T's email authentication stack is built on a hard reject policy, the gold standard for preventing spoofed messages from reaching inboxes. DMARC p=reject, backed by DKIM signing and a published SPF record, validates that messages claiming to come from att.com actually do.

  • DMARC p=reject (enforced): This policy tells email receivers to reject any message that fails DMARC authentication: no second chances, no spam folder. Because AT&T publishes no percentage modifier, the policy applies to 100% of mail claiming to come from att.com.
  • SPF ~all (softfail): The softfail (~all) is a minor inconsistency: SPF says 'maybe accept failures' but DMARC says 'reject them anyway'. The include mechanism delegates validation to a third-party provider, a common pattern for large organisations. This softfail doesn't weaken the overall picture because DMARC is enforced.
  • DKIM s1, s2 (enforced): Two active DKIM selectors found and working. DKIM cryptographically signs mail so receivers can verify messages weren't modified in transit and actually came from AT&T's infrastructure.
  • MTA-STS (missing): MTA-STS protects the delivery channel itself by forcing encrypted connections to AT&T's mail servers. Its absence is a minor gap—spoofing is already blocked at the message level—but it's a defence layer that could be added.

What this means practically

An attacker cannot send mail from att.com and have it land in someone's inbox. If they try, Gmail, Microsoft 365, and most enterprise mail systems will reject or quarantine it outright because it will fail DMARC p=reject validation. The attacker would need either AT&T's DKIM private keys (not realistic) or AT&T's SPF infrastructure (equally hard). This is the state spoofing defence should be in: binary. Messages either authenticate or they don't.

Bottom line: AT&T has the configuration right: enforce DMARC reject, sign with DKIM, validate with SPF, and let the rest follow—spoofing att.com is not a practical threat.

What we measured

Enforced

DMARC policy

p=reject


DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Partial

SPF posture

~all (softfail)


SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all

Enforced

DKIM presence

found at 2 selectors


DKIM key found at selectors: s1, s2.

Open

MTA-STS (transport)

missing


No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
