Spoofability verdict for bt.com
No - bt.com is not practically spoofable.
BT operates one of the most hardened email authentication postures in the telecom sector. A DMARC reject policy backed by active DKIM signing makes spoofing bt.com mail extraordinarily difficult in practice.
- DMARC policy=reject: a reject policy tells receivers that check DMARC to drop mail that fails both SPF and DKIM alignment. This is the strongest policy available; forged mail is stopped at the receiver rather than merely routed to spam.
- SPF softfail (~all): the SPF record lists BT's legitimate sending infrastructure (Outlook, internal SMTP, several IP blocks) but ends in softfail rather than hardfail. For DMARC, anything other than an SPF pass counts as a failure, so the softfail does not weaken the overall stance as long as mail is DKIM-signed and aligned.
- DKIM at 3 active selectors: BT signs mail under at least three DKIM selectors (selector1, s2, s1). Forged mail without a valid signature aligned with bt.com fails DMARC and triggers the reject policy.
- MTA-STS in testing mode: MTA-STS enforces TLS for outbound mail delivery and prevents downgrade attacks. Testing mode means failures are reported rather than enforced, but the policy is published and operational.
What this means practically
An attacker cannot send convincing mail from bt.com to most recipients. Major mailbox providers (Gmail, Outlook, Yahoo) honour DMARC reject policies and discard forged mail that fails both SPF and DKIM alignment. A spoofed bt.com email would need a valid DKIM signature aligned with bt.com, which requires BT's private signing keys, effectively impossible without insider access. This verdict holds across all common receiver behaviours.
Bottom line: BT has implemented email authentication at near-maximum strictness; spoofing its domain is not a practical threat to most recipients.
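The following Python is an added illustration, not part of this report, of the DMARC evaluation logic the verdict relies on: it parses a DMARC record built from the measured values (p=reject, pct=100; the report does not print the raw TXT record), reads the default qualifier from the SPF record shown below, and returns the disposition a receiver would apply to a message given its SPF and DKIM results. Organisational-domain matching for relaxed alignment is approximated by the last two DNS labels instead of the Public Suffix List, an assumption made to keep the example self-contained.

```python
"""
Added example, not from the scan report: a minimal DMARC disposition
evaluator (RFC 7489 logic, simplified) showing why an SPF softfail does
not weaken p=reject once mail is DKIM-signed and aligned.
"""
import re
from dataclasses import dataclass

# SPF record as published for bt.com, copied from the report.
BT_SPF = ("v=spf1 include:spf.protection.outlook.com include:www.thrs.bt.com "
          "include:smtp1.bt.com ip4:62.7.242.136/29 ip4:62.239.224.234/31 "
          "ip4:62.239.224.236/31 ip4:62.239.224.98/31 ip4:193.113.108.40/31 "
          "ip4:212.140.59.179 ip4:212.140.56.164 ip4:212.49.128.65 "
          "ip4:200.47.123.3 ip4:147.149.196.177 ip4:147.149.100.81 "
          "ip4:147.149.196.181 ip4:147.149.100.78 ~all")

# DMARC record constructed from the measured values (p=reject, pct=100).
BT_DMARC = "v=DMARC1; p=reject; pct=100"


@dataclass
class DmarcRecord:
    policy: str          # none | quarantine | reject
    pct: int = 100       # share of failing mail the policy applies to
    adkim: str = "r"     # DKIM alignment: r (relaxed) | s (strict)
    aspf: str = "r"      # SPF alignment:  r (relaxed) | s (strict)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the tag=value pairs of a DMARC TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return DmarcRecord(policy=tags.get("p", "none").lower(),
                       pct=int(tags.get("pct", "100")),
                       adkim=tags.get("adkim", "r").lower(),
                       aspf=tags.get("aspf", "r").lower())


SPF_ALL = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def spf_default_result(txt: str) -> str:
    """SPF result a receiver assigns to a host not listed in the record."""
    m = re.search(r"(?:^|\s)([-~?+]?)all\s*$", txt)
    if not m:
        return "neutral"          # no 'all' mechanism: RFC 7208 default
    return SPF_ALL[m.group(1) or "+"]


def org_domain(d: str) -> str:
    """Simplification: last two labels stand in for the organisational domain."""
    return ".".join(d.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Relaxed alignment compares organisational domains; strict needs equality."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_disposition(rec: DmarcRecord, header_from: str,
                      spf_result: str, spf_domain: str,
                      dkim_sigs: list, sample: int = 0) -> str:
    """
    Return 'pass', 'none', 'quarantine' or 'reject' for one message.
    dkim_sigs is a list of (result, d= domain) pairs; sample is the
    receiver's 0-99 draw used for the pct= tag.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, rec.aspf)
    dkim_ok = any(r == "pass" and aligned(d, header_from, rec.adkim)
                  for r, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass"             # one aligned pass satisfies DMARC
    if sample >= rec.pct:         # message falls outside the sampled share
        return {"reject": "quarantine", "quarantine": "none"}.get(rec.policy, "none")
    return rec.policy


if __name__ == "__main__":
    rec = parse_dmarc(BT_DMARC)
    print("SPF default for unlisted senders:", spf_default_result(BT_SPF))
    # Forged mail from an unlisted host: SPF softfail, no aligned DKIM signature.
    print("forged, unsigned:",
          dmarc_disposition(rec, "bt.com", "softfail", "bt.com", []))
    # Forged mail carrying a signature for some other domain: still not aligned.
    print("forged, foreign DKIM:",
          dmarc_disposition(rec, "bt.com", "softfail", "bt.com", [("pass", "other.example")]))
    # Legitimate mail forwarded by a third party: SPF breaks, DKIM survives.
    print("forwarded, DKIM aligned:",
          dmarc_disposition(rec, "bt.com", "fail", "forwarder.example", [("pass", "bt.com")]))
```

The three scenarios at the bottom are the ones the verdict turns on: a softfail plus no aligned DKIM signature is rejected, a signature from some other domain does not help because it is not aligned with the From: domain, and legitimate forwarded mail still passes on DKIM alone, which is why the softfail costs BT nothing in deliverability while the reject policy still bites on forgeries.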
What we measured

| Status   | Check               | Result               | Notes |
|----------|---------------------|----------------------|-------|
| Enforced | DMARC policy        | p=reject             | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP. |
| Partial  | SPF posture         | ~all (softfail)      | SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. |
| Enforced | DKIM presence       | found at 3 selectors | DKIM key found at selectors: s1, selector1, s2. |
| Partial  | MTA-STS (transport) | mode=testing         | MTA-STS in testing mode. Failures are reported, not enforced. |

SPF record:
v=spf1 include:spf.protection.outlook.com include:www.thrs.bt.com include:smtp1.bt.com ip4:62.7.242.136/29 ip4:62.239.224.234/31 ip4:62.239.224.236/31 ip4:62.239.224.98/31 ip4:193.113.108.40/31 ip4:212.140.59.179 ip4:212.140.56.164 ip4:212.49.128.65 ip4:200.47.123.3 ip4:147.149.196.177 ip4:147.149.100.81 ip4:147.149.196.181 ip4:147.149.100.78 ~all
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorised senders is confirmed complete.