Spoofability verdict for bbc.com
No - bbc.com is not practically spoofable.
The BBC has locked down bbc.com's email identity. Its DMARC policy is set to reject at 100%, so any message that claims to come from bbc.com but fails authentication is turned away by receivers. That is the strongest DMARC posture available, and it is enforced consistently.
- DMARC policy=reject at 100%: Receiving mail servers reject email that claims to be from bbc.com but fails DMARC alignment. Full enforcement (pct=100) combined with strict alignment (adkim=s, aspf=s) means spoofed mail almost never reaches inboxes.
- SPF softfail (~all): The ~all mechanism is a warning rather than a hard rejection, which on its own would be weak. Here, however, it is paired with comprehensive IP ranges (212.58.224.0/19 and 132.185.0.0/16 for BBC's own infrastructure, plus MessageLabs), and DMARC's reject policy makes the softfail moot in practice.
- DKIM at the k1 selector: A DKIM signature was found and verified. An attacker who forges the From header cannot produce a valid signature for bbc.com without the private key, and DMARC enforcement ensures that a missing or unaligned signature is caught.
- MTA-STS missing: MTA-STS protects the SMTP connection itself against man-in-the-middle attacks. Its absence is a minor gap, but it does not enable spoofing of the email content; that is DMARC's job.
What this means practically
An attacker cannot send email that will be accepted as genuinely from bbc.com. Mail servers reject forged BBC email at the gate, before it reaches user inboxes. Even if an attacker finds an SMTP path to a receiver, DMARC, SPF and DKIM together mean the message fails authentication and is dropped or sent to spam by Gmail, Outlook and other major receivers. The SPF softfail is a non-issue because the DMARC reject policy is doing the heavy lifting.
Bottom line: BBC's email identity is effectively unspoofable for practical purposes. Its reject-mode DMARC policy is comprehensive, enforced at 100%, and backed by working SPF and DKIM.
What we measured
- Enforced: DMARC policy is p=reject (pct=100). Spoofed mail is rejected at SMTP.
- Partial: SPF posture ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Record: v=spf1 ip4:212.58.224.0/19 ip4:132.185.0.0/16 +include:spf.messagelabs.com ~all
- Enforced: DKIM presence, key found at 1 selector (k1).
- Open: MTA-STS (transport) missing. No MTA-STS policy; inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorised senders is confirmed complete.
- Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.