Spoofability verdict for cigna.com
Maybe - cigna.com is partially protected.
See the math
Cigna has built a solid foundation with DMARC quarantine and strict SPF, but left a critical door open by skipping MTA-STS encryption enforcement—a surprising gap for a healthcare organisation handling sensitive data.
- DMARC policy=quarantine: Quarantine is the enforcement middle ground: unauthenticated mail gets isolated rather than rejected, reducing false positives while still blocking most spoofed messages. This is the right choice for large organisations with complex mail flows.
- SPF hardfail (-all): Cigna rejects any mail claiming to come from cigna.com unless it originates from their authorised IP ranges (defined via includes to _spf.cigna.com, cignamail, and evernorth). This is enforced and credible.
- DKIM at 2 selectors (s1, s2): DKIM signing keys found on both selectors indicate active use. Signatures cryptographically prove mail came from Cigna's infrastructure, even if routing is complex.
- MTA-STS: missing: MTA-STS would force other mail servers to encrypt connections to Cigna's mail servers and validate TLS certificates. Without it, attackers can downgrade to unencrypted SMTP or present invalid certs, intercepting mail in transit.
What this means practically
An attacker can't easily send mail that appears to come from cigna.com to external recipients—SPF and DKIM block that. However, they *can* intercept mail destined for Cigna users by positioning themselves between the sending mail server and cigna.com, forcing an unencrypted connection (because MTA-STS is not deployed). This is particularly concerning in healthcare, where intercepted mail might contain patient records, appointment details, or insurance claims. Major providers like Gmail and Outlook will still deliver the intercepted mail if the attacker can produce valid downstream authentication.
Context for Cigna
Healthcare organisations are frequent targets for credential theft and mail interception. Cigna's omission of MTA-STS is unusual given the sensitivity of insurance and medical correspondence—this is a straightforward fix that would significantly raise the cost of a man-in-the-middle attack.
Bottom line: Cigna stops outbound spoofing effectively, but leaves inbound mail vulnerable to interception; adding MTA-STS would close that gap.
What we measured
Partial
DMARC policy
p=quarantine
DMARC at p=quarantine. Spoofed mail goes to spam but is not rejected.
Enforced
SPF posture
-all (hardfail)
SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.
v=spf1 include:_spf.cigna.com include:cignamail.verintefm.com exists:%{i}.spf.evernorth.com -all
Enforced
DKIM presence
found at 2 selectors
DKIM key found at selectors: s2, s1.
Open
MTA-STS (transport)
missing
No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Move DMARC to p=reject pct=100 once your rua reports show no legitimate-sender failures.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
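The MTA-STS and TLS-RPT records recommended above have a fixed shape (RFC 8461 and RFC 8460), and the most common deployment mistake is publishing a policy in testing mode and believing it enforces TLS. The following script is an added example, not part of this report and not Cigna's own tooling: it parses an MTA-STS policy file as served at https://mta-sts.<domain>/.well-known/mta-sts.txt, flags a policy that would not actually refuse unencrypted delivery, and checks the format of the _mta-sts and _smtp._tls TXT records. All sample records and hostnames (example.com) are constructed for the demonstration; none are cigna.com's real DNS data.

```python
"""Added example: validate an MTA-STS policy and its companion DNS TXT records.

Sample inputs below are constructed for illustration (example.com); they are not
records observed for cigna.com or any other real domain.
"""
import re

# Constructed: a policy that enforces TLS, as the report's recommendation calls for.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""

# Constructed: a policy in testing mode, which only reports and never refuses delivery.
WEAK_POLICY = """version: STSv1
mode: testing
mx: mail.example.com
max_age: 86400
"""

# Constructed DNS TXT records at _mta-sts.example.com and _smtp._tls.example.com.
SAMPLE_STS_TXT = "v=STSv1; id=20240101T000000;"
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"


def parse_mta_sts_policy(text):
    """Parse the 'key: value' lines of an MTA-STS policy into a dict.

    'mx' may appear several times, so it is collected as a list.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def validate_policy(policy):
    """Return a list of findings; an empty list means the policy enforces TLS."""
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append(f"unknown mode {mode!r}")
    elif mode != "enforce":
        findings.append(f"mode is {mode}: receivers will not refuse unencrypted delivery")
    if not policy["mx"]:
        findings.append("no mx entries: senders cannot match the MX certificate")
    try:
        max_age = int(policy.get("max_age", ""))
        # RFC 8461 recommends a max_age of weeks or more; one day is this
        # example's own minimum (an assumption, not a value from the RFC).
        if max_age < 86400:
            findings.append("max_age is shorter than one day")
    except ValueError:
        findings.append("max_age missing or not an integer")
    return findings


# _mta-sts TXT: "v=STSv1; id=<1-32 alphanumerics>". The id changes when the policy does.
STS_TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32});?$")
# _smtp._tls TXT: "v=TLSRPTv1; rua=<comma-separated report destinations>".
TLSRPT_TXT_RE = re.compile(r"^v=TLSRPTv1;\s*rua=(.+)$")


def check_sts_txt(txt):
    """Return the policy id if the _mta-sts TXT record is well-formed, else None."""
    m = STS_TXT_RE.match(txt.strip())
    return m.group(1) if m else None


def check_tlsrpt_txt(txt):
    """Return the list of TLS-RPT report destinations, or [] if the record is malformed."""
    m = TLSRPT_TXT_RE.match(txt.strip())
    if not m:
        return []
    return [u.strip() for u in m.group(1).rstrip(";").split(",") if u.strip()]


if __name__ == "__main__":
    for label, text in (("enforce policy", SAMPLE_POLICY), ("testing policy", WEAK_POLICY)):
        print(label, "->", validate_policy(parse_mta_sts_policy(text)) or "OK")
    print("_mta-sts id:", check_sts_txt(SAMPLE_STS_TXT))
    print("TLS-RPT destinations:", check_tlsrpt_txt(SAMPLE_TLSRPT_TXT))
```

In practice you would fetch the policy over HTTPS from the mta-sts subdomain and read the two TXT records with a resolver, then feed them to these functions; the TLS-RPT destination is what tells you, after the fact, whether any sending server failed to negotiate TLS against your MX hosts.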