Spoofability verdict for cisa.gov
No - cisa.gov is not practically spoofable.
CISA has built a fortress around its email domain. The agency combines strict DMARC enforcement at 100% coverage with SPF hard-fail rules and working DKIM signing—the standard triple-lock that makes spoofing practically impossible.
- DMARC policy=reject at 100%: Any email claiming to be from cisa.gov that fails DMARC authentication is rejected outright, with no exceptions. This is the strongest posture possible and applies to every message.
- SPF -all (hardfail): Only mail servers authorized under DHS (spf.dhs.gov), Microsoft (outlook.com), and a specific vendor (gpphosted.com) are allowed to send on cisa.gov's behalf. Everything else fails hard and is rejected by most receivers.
- DKIM signing deployed: At least one working DKIM selector (selector1) is in place, meaning legitimate mail is cryptographically signed. An attacker cannot forge this signature without the private key.
- MTA-STS not deployed: MTA-STS lets a domain require TLS from sending mail servers and protects its MX records against downgrade, but its absence doesn't materially weaken the spoofability posture, since DMARC and SPF are already locked down.
What this means practically
An attacker cannot send mail that will be accepted as legitimately from cisa.gov at any major email provider. Gmail, Outlook, and other receivers will reject any unauthenticated attempt before it reaches a user's inbox. The combination of hard-fail SPF and reject-mode DMARC leaves no room for forgery. Even if an attacker somehow got around SPF, the DKIM signature still lets receivers verify the message cryptographically, and it cannot be forged without cisa.gov's private key.
Context for CISA
CISA is the US Cybersecurity and Infrastructure Security Agency—a federal critical infrastructure organization. This posture reflects appropriate security for a government entity responsible for national security guidance. The strict email authentication stance aligns with CISA's own recommendations to organizations.
Bottom line: CISA's email authentication is textbook best practice; spoofing cisa.gov addresses is not a realistic attack vector.
What we measured
- DMARC policy: p=reject (status: Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: -all (hardfail) (status: Enforced). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
  v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com include:spf-00376703.gpphosted.com -all
- DKIM presence: found at 1 selector (status: Enforced). DKIM key found at selector: selector1.
- MTA-STS (transport): missing (status: Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
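As an added example (not code from the scanner behind this page), here is how the Enforced/Open posture in the checks above can be derived from the raw records: it parses an SPF record into its include: hosts and the qualifier on the final all term, parses a DMARC record and applies the pct sampling rule, and combines both with the DKIM selector count into a verdict. The SPF record is cisa.gov's as quoted on this page; the DMARC record is constructed to match the p=reject, pct=100 findings and its rua address is a placeholder.

```python
# Added example, not the scanner's own code: parse an SPF and a DMARC record
# and derive the Enforced/Open posture that the table on this page reports.
# SPF record for cisa.gov exactly as quoted on the page.
CISA_SPF = ("v=spf1 include:spf.dhs.gov include:spf.protection.outlook.com "
            "include:spf-00376703.gpphosted.com -all")
# Constructed DMARC record matching the page's findings (p=reject, pct=100);
# the rua address is a placeholder, not cisa.gov's real reporting address.
CISA_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"
SPF_ALL = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}

def spf_posture(record: str) -> dict:
    """Report the qualifier on the final 'all' term and the include: hosts."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "enforced": False}
    includes = [t.split(":", 1)[1] for t in terms[1:] if t.lower().startswith("include:")]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        posture = "missing"  # behaves like ?all: receivers cannot reject on SPF
    else:
        posture = SPF_ALL.get(all_term[0], "pass")  # bare 'all' means +all
    # Only -all tells receivers to reject unlisted senders; ~all is advisory.
    return {"valid": True, "includes": includes, "all": posture,
            "enforced": posture == "hardfail"}

def dmarc_posture(record: str) -> dict:
    """Parse tag=value pairs and apply the pct sampling rule of RFC 7489."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "enforced": False}
    p, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    # Messages outside the pct sample get the next weaker action
    # (reject -> quarantine -> none), so pct<100 is not full enforcement.
    weaker = {"reject": "quarantine", "quarantine": "none"}
    return {"valid": True, "p": p, "pct": pct, "sp": tags.get("sp", p).lower(),
            "unsampled_action": p if pct >= 100 else weaker.get(p, "none"),
            "enforced": p == "reject" and pct >= 100}

def spoofability(spf: str, dmarc: str, dkim_selectors: int) -> str:
    d, s = dmarc_posture(dmarc), spf_posture(spf)
    if d["enforced"] and s["enforced"] and dkim_selectors > 0:
        return "not practically spoofable"
    if d["valid"] and d["p"] in ("reject", "quarantine"):
        return "partially protected"  # e.g. pct<100, ~all, or no DKIM selector
    return "spoofable"
```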
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.