Spoofability verdict for capitalone.com
No - capitalone.com is not practically spoofable.
See the math
Capital One has built a genuinely strong email authentication posture. An enforced DMARC reject policy combined with DKIM signing at several published selectors makes spoofing the domain impractical against any receiver that evaluates DMARC.
- DMARC policy=reject (enforced): Capital One publishes p=reject at pct=100. A message fails DMARC when it carries neither an SPF pass nor a DKIM pass aligned with the From: domain, and receivers that honor the policy reject such mail, normally during the SMTP transaction. This is the strongest DMARC policy and stops spoofed mail at the receiver.
- SPF softfail with multiple IP blocks (partial): The record ends in ~all rather than -all, so a message from an IP outside the listed ranges gets softfail instead of fail; a receiver evaluating SPF on its own may accept and merely mark it. Under DMARC this makes no difference, because only an aligned SPF pass counts and softfail, neutral and fail all leave DMARC to fall back on DKIM. The record itself is broad: twelve ip4 ranges plus seven includes (gspf, gspf2, spf1, spf2, mir, sf, sf2). Those includes already consume seven of the ten DNS lookups RFC 7208 allows, and lookups inside the included records count toward the same limit, so the total should be verified, since exceeding it yields permerror rather than a pass.
- DKIM at 3 selectors (k1, s1, s2): Three published selectors mean Capital One signs with more than one key, typically one per sending system or rotation generation. Forging a signature that verifies under any of them requires the private key behind that selector; the public key in DNS gives an attacker nothing.
- MTA-STS missing: MTA-STS (RFC 8461) lets a domain publish, over HTTPS, that its MX hosts must be reached over TLS with a certificate valid for the MX hostname, and lists which MX hosts are legitimate; a sending server honoring an enforce-mode policy refuses to downgrade to plaintext or deliver to an unlisted MX. Capital One does not publish one. This concerns mail sent to Capital One while in transit, not the spoofability of mail claiming to come from it.
What this means practically
An attacker cannot realistically spoof Capital One mail to a DMARC-aware receiver (Gmail, Outlook, most enterprises). A forged message from an unlisted IP gets SPF softfail, which is not a DMARC pass, and carries no signature that verifies under k1, s1 or s2, so DMARC fails and p=reject applies; even a receiver that treats the policy leniently still sees the missing or failing DKIM signature. The remaining avenues are receivers that do not evaluate DMARC at all, social engineering that never claims capitalone.com as the From: domain (lookalike domains, display-name tricks), and compromise of a legitimate sending system or DKIM private key. The missing MTA-STS policy is a separate and smaller threat: an attacker who can spoof DNS answers or sit on the network path could downgrade or redirect mail sent to Capital One, which does not help with spoofing mail from it.
Bottom line: Capital One's email authentication is well-executed; spoofing capitalone.com is impractical against modern mail receivers.
What we measured
DMARC policy (Enforced): p=reject
DMARC at p=reject (pct=100). Receivers that honor the policy reject mail failing DMARC, normally at SMTP time.
SPF posture (Partial): ~all (softfail)
SPF ends in ~all (softfail). Mail from unlisted IPs gets softfail; receivers checking SPF alone may accept but mark it. Softfail is not a DMARC pass, so for such mail DMARC rests on DKIM.
v=spf1 ip4:148.163.151.254 ip4:148.163.155.198 ip4:148.163.137.70 ip4:148.163.133.70 ip4:205.220.175.235 ip4:205.220.163.236 ip4:27.126.144.0/21 ip4:64.106.247.198 ip4:66.70.7.91 ip4:68.233.76.14 ip4:97.107.118.192/26 ip4:63.150.74.35 include:gspf.capitalone.com include:gspf2.capitalone.com include:spf1.capitalone.com include:spf2.capitalone.com include:mir.capitalone.com include:sf.capitalone.com include:sf2.capitalone.com ~all
DKIM presence (Enforced): found at 3 selectors
DKIM key found at selectors: k1, s1, s2.
MTA-STS (transport) (Open): missing
No MTA-STS policy. Mail sent to capitalone.com can be downgraded to plaintext or redirected by an attacker able to spoof MX answers or strip STARTTLS on the path.
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once the sender list is verified complete and the include chain stays within the 10-lookup limit. This changes nothing for DMARC, which already ignores softfail, but hardens the result for receivers that check SPF without DMARC.
- Publish an MTA-STS policy in enforce mode (after a period in testing mode) plus a TLS-RPT record, so that sending servers report TLS and MX validation failures before enforcement can affect delivery.
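As an added example, not the scanner's code and not anything published by Capital One, the Python below reproduces the scoring described in "See the math" and "What we measured" from constructed DNS answers, then re-scores the hardened record set from the remediation list. It shows that under ~all an unlisted IP gets softfail, which DMARC does not credit as a pass; counts the seven top-level include lookups against the RFC 7208 limit of ten; checks for non-empty DKIM keys at k1, s1 and s2; and parses an MTA-STS policy for its mode. Only the SPF record is taken from the report; the DMARC text, DKIM keys, MTA-STS id and mx host, and TLS-RPT address are assumed placeholders.

```python
"""Score an email-authentication posture from DNS TXT records.

Added example for this report, not the scanner's or Capital One's code. All
DNS answers are constructed strings so it runs offline: the SPF record is the
one quoted in the report; DMARC, DKIM, MTA-STS and TLS-RPT values are assumed.
"""
import re

DOMAIN = "capitalone.com"
ALL_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4

def dmarc_policy(txt):
    """Return (policy, pct) from a DMARC record, or None if it is not one."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", txt))
    return tags.get("p", "none").strip().lower(), int(tags.get("pct", "100"))

def spf_posture(txt):
    """Return (qualifier of the 'all' term, number of DNS-lookup terms).
    Counts only this record; a full check also resolves includes/redirects."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    qualifier, lookups = "?", 0  # a record with no 'all' term ends in neutral
    for term in txt.split()[1:]:
        q = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            qualifier = q
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    return qualifier, lookups

def spf_result_for_unlisted_sender(txt):
    """SPF result an attacker's unlisted IP receives: decided by the 'all' term."""
    return ALL_QUALIFIER_RESULT[spf_posture(txt)[0]]

def dmarc_spf_pass(spf_result):
    """DMARC credits only an aligned SPF 'pass'; softfail, neutral and fail do not count."""
    return spf_result == "pass"

def dkim_selectors(records, domain, candidates):
    """Return candidate selectors with a non-empty key (an empty p= means revoked)."""
    return [s for s in candidates
            if re.search(r"\bp=[A-Za-z0-9+/=]+", records.get(f"{s}._domainkey.{domain}") or "")]

def mta_sts_mode(records, domain):
    """Return the MTA-STS mode, or None when the TXT record or policy is absent.
    A real client fetches the policy over HTTPS; here it sits in the dict under its URL."""
    txt = records.get(f"_mta-sts.{domain}") or ""
    body = records.get(f"https://mta-sts.{domain}/.well-known/mta-sts.txt") or ""
    if not txt.lower().startswith("v=stsv1") or not body:
        return None
    fields = {k.strip(): v.strip() for k, v in
              (line.split(":", 1) for line in body.splitlines() if ":" in line)}
    if fields.get("version") != "STSv1" or fields.get("mode") not in {"enforce", "testing", "none"}:
        return None
    return fields["mode"]

def assess(records, domain=DOMAIN, selectors=("k1", "s1", "s2")):
    """Build the findings the report tabulates plus the overall verdict."""
    policy = dmarc_policy(records.get(f"_dmarc.{domain}"))
    spf = spf_posture(records.get(domain))
    enforced = policy is not None and policy[0] in {"reject", "quarantine"} and policy[1] == 100
    return {
        "dmarc": policy,
        "spf": spf,
        "spf_lookups_ok": spf is not None and spf[1] <= 10,
        "dkim": dkim_selectors(records, domain, selectors),
        "mta_sts": mta_sts_mode(records, domain),
        "tls_rpt": (records.get(f"_smtp._tls.{domain}") or "").lower().startswith("v=tlsrptv1"),
        # Spoofable to a DMARC-aware receiver only when DMARC is not enforced.
        "spoofable": not enforced,
    }

SPF_MEASURED = (  # quoted from the report
    "v=spf1 ip4:148.163.151.254 ip4:148.163.155.198 ip4:148.163.137.70 ip4:148.163.133.70 "
    "ip4:205.220.175.235 ip4:205.220.163.236 ip4:27.126.144.0/21 ip4:64.106.247.198 "
    "ip4:66.70.7.91 ip4:68.233.76.14 ip4:97.107.118.192/26 ip4:63.150.74.35 "
    "include:gspf.capitalone.com include:gspf2.capitalone.com include:spf1.capitalone.com "
    "include:spf2.capitalone.com include:mir.capitalone.com include:sf.capitalone.com "
    "include:sf2.capitalone.com ~all"
)
# Constructed answers matching the report's findings; no _mta-sts record exists.
MEASURED = {f"_dmarc.{DOMAIN}": "v=DMARC1; p=reject; pct=100", DOMAIN: SPF_MEASURED}  # assumed DMARC text
for sel in ("k1", "s1", "s2"):  # placeholder keys, not the real ones
    MEASURED[f"{sel}._domainkey.{DOMAIN}"] = "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"
HARDENED = dict(MEASURED)  # the recommended remediation, as assumed records
HARDENED[DOMAIN] = SPF_MEASURED.replace(" ~all", " -all")
HARDENED[f"_mta-sts.{DOMAIN}"] = "v=STSv1; id=20240101000000"  # assumed id
HARDENED[f"https://mta-sts.{DOMAIN}/.well-known/mta-sts.txt"] = (
    "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmax_age: 604800\n")  # hypothetical mx
HARDENED[f"_smtp._tls.{DOMAIN}"] = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"  # hypothetical

if __name__ == "__main__":
    for label, recs in (("measured", MEASURED), ("hardened", HARDENED)):
        print(label, assess(recs), "unlisted IP ->", spf_result_for_unlisted_sender(recs[DOMAIN]))
```

Running it prints the measured posture (spoofable False, mta_sts None, unlisted IP softfail) and the hardened one (SPF -all, mta_sts enforce, tls_rpt True). The lookup count covers only the top-level record; against live DNS, resolve each include and add its own lookups before trusting the total.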