wiredepth

Spoofability verdict for barclays.com

No - barclays.com is not practically spoofable.


Barclays has wired their email authentication correctly and in a way that actually stops impersonation. This is how large financial institutions are supposed to do it.

  • DMARC policy=reject (enforced): Barclays asks receivers to reject mail whose From: header says barclays.com when neither SPF nor DKIM passes with a domain that aligns with that header. Receivers that honour DMARC (the major consumer and corporate mailbox providers do) refuse such mail at SMTP time rather than merely flagging it. This is the strongest policy DMARC offers.
  • SPF hardfail -all (enforced): the SPF record authorises only the hosts returned by the Proofpoint-hosted lookup under spf.has.pphosted.com and ends in -all, so any other connecting IP produces a hard fail. Note that SPF checks the envelope sender (MAIL FROM), not the From: header the user sees; it is DMARC alignment that ties an SPF pass to the visible domain.
  • DKIM at 4 active selectors: public keys are published at four selectors (default, k1, s1, s2), which is consistent with several sending systems and with key rotation. Forging a DKIM signature requires the matching private key, so the number of selectors does not by itself make forgery harder; what matters is that each published key is of adequate length and that legitimate mail is signed with d=barclays.com so it aligns under DMARC.
  • MTA-STS missing: MTA-STS lets sending servers insist on validated TLS to Barclays' MX hosts, which blocks STARTTLS stripping and MX spoofing for mail sent to barclays.com. Its absence is a transport-security gap for inbound mail, not a spoofing gap; the DMARC and SPF posture already stops impersonation of the domain.

What this means practically

An attacker cannot realistically send mail that shows barclays.com in the From: header and survives DMARC. A receiver that enforces DMARC rejects it at SMTP; SPF hardfail means the envelope-sender check fails as well, so the message has no authenticated identity to fall back on. Sending from a spoofed address to a major receiver (Gmail, Outlook, corporate filters) bounces or is quarantined before it reaches a user. What DMARC does not cover: lookalike domains, display-name spoofing on an unrelated sending domain, and mail sent from a compromised Barclays mailbox or from a compromised third-party sender that is legitimately listed in SPF or holds a DKIM key. Those are account and supplier-breach problems, a different threat model from domain spoofing.

Bottom line: Barclays has implemented email authentication correctly at scale, making exact-domain impersonation practically infeasible for external attackers; the residual risks are lookalike domains and compromised legitimate senders.
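How a receiver reaches the verdict described above, as an added example (not code from the wiredepth report): DMARC passes only when SPF or DKIM passes with a domain that aligns with the From: header; otherwise the published policy applies. The message scenarios are constructed, the record mirrors only the p=reject and pct=100 tags the report shows, and org_domain is a two-label simplification of the Public Suffix List logic real verifiers use.

```python
"""DMARC verdict logic (RFC 7489 identifier alignment).

Added example, not code from the wiredepth report. BARCLAYS_DMARC reproduces
only the tags the report shows for barclays.com (p=reject, pct=100); the
message scenarios below are constructed for illustration.
"""
from dataclasses import dataclass

BARCLAYS_DMARC = "v=DMARC1; p=reject; pct=100"


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: keep the last two labels.
    Production code consults the Public Suffix List so that names such as
    example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match with the From: domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, the one the recipient sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # MAIL FROM domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, if any


def dmarc_verdict(msg: AuthResults, record: str) -> str:
    """Return 'pass', or the disposition the domain owner requested
    ('none', 'quarantine' or 'reject') for a message that fails."""
    tags = parse_dmarc(record)
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r")))
    dkim_ok = (msg.dkim_result == "pass"
               and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    from_dom = msg.from_domain.lower().rstrip(".")
    # sp= overrides p= when the From: domain is a subdomain of the org domain
    if "sp" in tags and from_dom != org_domain(from_dom):
        return tags["sp"]
    # pct= below 100 would apply the policy to a random sample of failing
    # mail; the report shows pct=100, so the policy applies to all of it.
    return tags.get("p", "none")


# Constructed scenarios, all with From: <...@barclays.com>
SPOOF_FROM_RANDOM_HOST = AuthResults("barclays.com", "fail", "barclays.com", "none", "")
# Attacker uses a domain they control as MAIL FROM so SPF passes, but the
# pass is for attacker.example and does not align with the From: domain.
SPOOF_WITH_OWN_ENVELOPE = AuthResults("barclays.com", "pass", "attacker.example", "none", "")
# Attacker also DKIM-signs with their own key: a valid signature, wrong d=.
SPOOF_WITH_OWN_DKIM = AuthResults("barclays.com", "pass", "attacker.example", "pass", "attacker.example")
# Legitimate mail from an authorised relay, signed with d=barclays.com.
LEGIT = AuthResults("barclays.com", "pass", "barclays.com", "pass", "barclays.com")
# Legitimate mail relayed through a forwarder: SPF breaks, DKIM survives.
FORWARDED = AuthResults("barclays.com", "fail", "barclays.com", "pass", "barclays.com")

if __name__ == "__main__":
    for name, scenario in [("spoof from random host", SPOOF_FROM_RANDOM_HOST),
                           ("spoof, attacker envelope", SPOOF_WITH_OWN_ENVELOPE),
                           ("spoof, attacker DKIM", SPOOF_WITH_OWN_DKIM),
                           ("legitimate", LEGIT), ("forwarded", FORWARDED)]:
        print(f"{name:28s} -> {dmarc_verdict(scenario, BARCLAYS_DMARC)}")
```

The second and third scenarios are the ones worth internalising: an SPF pass or a valid DKIM signature for the attacker's own domain is worthless, because neither identifier aligns with barclays.com, and the policy falls through to reject.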

What we measured

DMARC policy: p=reject [Enforced]

DMARC at p=reject (pct=100). Mail with a barclays.com From: header that passes neither aligned SPF nor aligned DKIM is rejected at SMTP by receivers that honour the policy.

SPF posture: -all (hardfail) [Enforced]

SPF ends in -all (hardfail): a connecting IP the policy does not authorise yields a hard fail, which some receivers act on directly and every DMARC-aware receiver counts as a failed SPF identifier. Record as published:

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all

The include target is an SPF macro template (RFC 7208 section 7): %{ir} is the connecting IP with its labels reversed, %{v} is in-addr for IPv4 or ip6 for IPv6, and %{d} is the domain under evaluation. Each receiver therefore queries a name specific to the client IP under spf.has.pphosted.com, and the hosted service answers for that IP only.
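The include target above is a macro template, and it is easy to misread as a literal host name. The following is an added example (not code from the report or from Proofpoint) that expands the macros the way a receiver would and shows the name it would actually query for a given client IP; the client IPs are documentation addresses chosen for illustration. One reason providers use this scheme is that the per-IP answer keeps the record within SPF's ten-DNS-lookup limit however many sending ranges sit behind it; the cost is that the SPF host learns which IPs connect to each receiver.

```python
"""SPF macro expansion (RFC 7208 section 7), applied to the record the
report shows for barclays.com. Added example, not code from the wiredepth
report or from Proofpoint; the client IPs used are documentation addresses
chosen for illustration.
"""
import ipaddress
import re

BARCLAYS_SPF = "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all"

# %% / %_ / %- literals, or %{<letter><digits?><r?><delimiters?>}
MACRO_RE = re.compile(r"%%|%_|%-|%\{([a-zA-Z])(\d*)(r?)([.\-+,/_=]*)\}")


def ip_labels(ip: str) -> tuple:
    """Labels for %{i} plus the value of %{v}: dotted quad / 'in-addr' for
    IPv4, 32 dot-separated hex nibbles / 'ip6' for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr).split("."), "in-addr"
    return list(addr.exploded.replace(":", "")), "ip6"


def expand_spf_macros(text: str, client_ip: str, domain: str, sender: str = "") -> str:
    """Expand macros as a receiver would while evaluating `domain`'s SPF
    record for a connection from `client_ip`. `sender` is the MAIL FROM
    address; an empty MAIL FROM is treated as postmaster@domain per RFC 7208.
    Uppercase macro letters (URL-escaped variants) are folded to lowercase
    here without escaping, which is enough for DNS-name expansion."""
    labels, version = ip_labels(client_ip)
    sender = sender or f"postmaster@{domain}"
    local_part, _, sender_domain = sender.rpartition("@")
    values = {
        "i": ".".join(labels),
        "v": version,
        "d": domain,
        "s": sender,
        "l": local_part,
        "o": sender_domain,
    }

    def replace(match):
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%_":
            return " "
        if token == "%-":
            return "%20"
        letter, digits, reverse, delimiters = match.groups()
        key = letter.lower()
        if key not in values:
            raise ValueError(f"macro letter {letter!r} not handled in this example")
        # Split on the requested delimiters (default '.'), reverse if 'r',
        # keep the rightmost N labels if a count was given, rejoin with '.'
        parts = re.split("[" + re.escape(delimiters or ".") + "]", values[key])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(replace, text)


def include_targets(record: str, client_ip: str, domain: str) -> list:
    """The concrete names a receiver would look up for each include: term."""
    return [expand_spf_macros(term[len("include:"):], client_ip, domain)
            for term in record.split() if term.startswith("include:")]


if __name__ == "__main__":
    for ip in ("203.0.113.45", "2001:db8::1"):
        print(ip, "->", include_targets(BARCLAYS_SPF, ip, "barclays.com"))
```

For a connection from 203.0.113.45 the receiver resolves the SPF record of 45.113.0.203.in-addr.barclays.com.spf.has.pphosted.com; a different client IP produces a different name, so dumping the record with a plain dig will not show you the authorised ranges.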

DKIM presence: found at 4 selectors [Enforced]

DKIM public keys found at selectors k1, s2, default, s1 (each under _domainkey.barclays.com). A published key is what can be verified from outside; whether every outbound stream is in fact signed with d=barclays.com shows up only in DMARC aggregate reports.

MTA-STS (transport): missing [Open]

No MTA-STS policy. A sending server therefore has no authenticated statement of which MX hosts accept barclays.com mail or that TLS is required, so an on-path attacker can strip STARTTLS or redirect delivery through spoofed MX answers. This affects mail sent to Barclays, not mail claiming to come from it.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode: a _mta-sts TXT record carrying a policy id, and the policy file served over HTTPS at https://mta-sts.barclays.com/.well-known/mta-sts.txt listing the permitted MX hosts and a max_age. Pair it with a TLS-RPT record (_smtp._tls TXT with a rua= reporting address) so that deliveries refused under the policy are reported. Start in testing mode, review the TLS-RPT reports for misconfigured MX names or certificates, then switch to enforce. This hardens transport for inbound mail; the anti-spoofing controls above are already complete.
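What the published policy does on the sending side, as an added example (not code from the report or from Barclays); the MX host names, policy id and reporting address are hypothetical placeholders. It shows why enforce mode closes the gap the report flags: a policy-aware sender refuses delivery when the MX it was handed is not in the policy or TLS cannot be validated, whereas in testing mode it delivers anyway and only reports.

```python
"""MTA-STS (RFC 8461) from the sending side: the records a domain owner
publishes and what a policy-aware MTA does with them. Added example, not
code from the wiredepth report or from Barclays. The MX host names, policy
id and report address are hypothetical placeholders.
"""

# TXT record at _mta-sts.barclays.com; only the id lives in DNS, the policy
# itself is fetched from https://mta-sts.barclays.com/.well-known/mta-sts.txt
MTA_STS_TXT = "v=STSv1; id=20240601T120000Z"          # hypothetical id
# TXT record at _smtp._tls.barclays.com
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@barclays.com"  # hypothetical address
# Policy file body (hypothetical MX names)
POLICY_TXT = """version: STSv1
mode: enforce
mx: mx-a.relay.example
mx: *.relay.example
max_age: 604800
"""


def parse_txt(record: str) -> dict:
    """Parse the 'k=v; k=v' form used by the _mta-sts and _smtp._tls records."""
    return {k.strip(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}


def parse_policy(text: str) -> dict:
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """A '*.' pattern matches exactly one leading label (RFC 8461 section 4.1)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return host == pattern


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_ok: bool) -> tuple:
    """(action, report) for one delivery attempt. enforce: refuse to deliver
    over an unvalidated path; testing/none: deliver anyway. Any validation
    failure is reported to the TLS-RPT address in both modes."""
    valid = any(mx_matches(p, mx_host) for p in policy["mx"]) and tls_ok and cert_ok
    if valid:
        return ("deliver", False)
    if policy["mode"] == "enforce":
        return ("refuse", True)
    return ("deliver", True)


def policy_changed(dns_txt: str, cached_id: str) -> bool:
    """Senders re-fetch the HTTPS policy only when the DNS id changes, so the
    id must be bumped with every edit to the policy file."""
    return parse_txt(dns_txt).get("id") != cached_id


if __name__ == "__main__":
    policy = parse_policy(POLICY_TXT)
    # Constructed attempts: normal delivery, STARTTLS stripped by an on-path
    # attacker, and an MX answer pointing at an attacker-controlled host.
    print(delivery_decision(policy, "mx-b.relay.example", True, True))
    print(delivery_decision(policy, "mx-b.relay.example", False, True))
    print(delivery_decision(policy, "mx.attacker.example", True, True))
    print("report to:", parse_txt(TLSRPT_TXT)["rua"])
```

The wildcard rule is the detail most often got wrong when writing the policy: *.relay.example covers mx-b.relay.example but not a.b.relay.example, so every real MX name must match one of the listed patterns or enforce mode will start refusing legitimate mail, which is exactly what the testing phase and TLS-RPT reports are for.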
