Spoofability verdict for cam.ac.uk
No - cam.ac.uk is not practically spoofable.
Cambridge operates one of the strongest email security postures in the education sector: DMARC reject at 100%, SPF hardfail, and working DKIM across multiple selectors. This is how institutional email authentication should look.
- DMARC p=reject at 100%: Every single message claiming to be from cam.ac.uk must pass DMARC authentication or be rejected outright. No gradual rollout, no wiggle room. This is the gold standard.
- SPF with -all (hardfail): Only specified IP ranges (Outlook, Google, Quest on-demand, and Cambridge's own _spf record) can send mail from cam.ac.uk. Any other sender fails immediately.
- DKIM across 3 selectors: We found active DKIM signing keys on selector2, google, and selector1. This means any forged message would need the private key to pass DKIM verification—a cryptographic barrier, not just a policy one.
- MTA-STS missing: MTA-STS would force encrypted connections between mail servers, but its absence doesn't weaken the three signals above. It's a nice-to-have for defence-in-depth, not a critical gap given the rest of the posture.
What this means practically
An attacker cannot practically send mail from cam.ac.uk to recipients who respect DMARC. Attempted spoofs will be rejected by Gmail, Microsoft 365, and any other system using standard DMARC enforcement. A message sent from an IP outside the SPF record fails SPF, so the only remaining way to pass DMARC is a valid DKIM signature, aligned to cam.ac.uk, from one of the three active selector keys: a cryptographic requirement an attacker cannot meet without access to Cambridge's signing infrastructure. Receiving mailboxes are protected by hard authentication, not reputation scoring.
Context for Cambridge
Universities often have p=none for legitimate reasons: departments use their own mail providers, alumni databases route through third-party systems, and departmental mailing lists add complexity. Cambridge has chosen not to use that escape hatch. Instead, they've centralised authorised senders (notably through Microsoft and Google) and set a hard reject policy. This is an intentional choice that reflects both strong governance and the scale to implement it.
Bottom line: Cambridge has eliminated the spoofability surface for cam.ac.uk—DMARC reject plus SPF hardfail plus active DKIM means an attacker has no practical path to forged mail delivery.
What we measured
- DMARC policy: p=reject (Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: -all (hardfail) (Enforced). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Record: v=spf1 include:_spf.cam.ac.uk include:spf.protection.outlook.com include:_spf.google.com include:spf.uk.odmad.quest-on-demand.com -all
- DKIM presence: found at 3 selectors (Enforced). DKIM key found at selectors: google, selector1, selector2.
- MTA-STS (transport): missing (Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
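As an added example (not the scanner's own code), the following Python reproduces the verdict logic above over DNS TXT records: it parses the DMARC policy and pct, reads the qualifier on the SPF "all" term, enumerates DKIM selectors, and checks for an MTA-STS record. The cam.ac.uk answers are constructed from this page's measurements; the exact DMARC text, the DKIM key bodies, and the candidate selector list are assumptions.

```python
import re

# Constructed DNS TXT answers for cam.ac.uk, built from the measurements reported on
# this page. The SPF string is the page's; the DMARC text and DKIM key bodies are
# placeholders. A live check would resolve these with a DNS library instead.
DNS_TXT = {
    "_dmarc.cam.ac.uk": ["v=DMARC1; p=reject; pct=100"],
    "cam.ac.uk": ["v=spf1 include:_spf.cam.ac.uk include:spf.protection.outlook.com "
                  "include:_spf.google.com include:spf.uk.odmad.quest-on-demand.com -all"],
    "google._domainkey.cam.ac.uk": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY"],
    "selector1._domainkey.cam.ac.uk": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY"],
    "selector2._domainkey.cam.ac.uk": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY"],
    # No "_mta-sts.cam.ac.uk" entry: MTA-STS is absent, as the page reports.
}

def dmarc_policy(records):
    """Return (p, pct) from a DMARC record; (None, 0) when no record is published."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {k.strip().lower(): v.strip() for k, v in
                    (part.split("=", 1) for part in rec.split(";") if "=" in part)}
            return tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    return None, 0

def spf_all_qualifier(records):
    """Qualifier on the SPF 'all' term ('-' hardfail, '~' softfail, '?' neutral,
    '+' pass); '?' when no 'all' term is present; None when there is no SPF record."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", rec)
            return (m.group(1) or "+") if m else "?"
    return None

def dkim_selectors(dns, domain, candidates):
    """Candidate selectors that publish a DKIM key at <sel>._domainkey.<domain>."""
    return sorted(s for s in candidates
                  if any(r.lower().startswith("v=dkim1")
                         for r in dns.get(f"{s}._domainkey.{domain}", [])))

def verdict(dns, domain, candidates=("default", "google", "selector1", "selector2")):
    """Page's scoring: spoofable unless DMARC is p=reject at pct=100; MTA-STS is advisory."""
    policy, pct = dmarc_policy(dns.get(f"_dmarc.{domain}", []))
    result = {
        "dmarc": (policy, pct),
        "spf_all": spf_all_qualifier(dns.get(domain, [])),
        "dkim_selectors": dkim_selectors(dns, domain, candidates),
        "mta_sts": any(r.lower().startswith("v=stsv1")
                       for r in dns.get(f"_mta-sts.{domain}", [])),
    }
    result["spoofable"] = not (policy == "reject" and pct == 100)
    return result
```

Calling `verdict(DNS_TXT, "cam.ac.uk")` returns the four findings and `spoofable: False`; a constructed domain with p=none or no DMARC record at all comes back `spoofable: True`.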
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.