No - citi.com is not practically spoofable.

• ✓DMARC policy=reject (enforced): Citi enforces DMARC with an explicit reject policy—any mail claiming to be from citi.com that fails DMARC authentication will be rejected by compliant receivers. This is the gold standard for high-value brands.
• ✓SPF with 5 A-records + includes (partial strictness): SPF chain includes legitimate sending infrastructure across citigroup.com, lwo.locaweb.com.br, and pphosted.com. The use of a redirect mechanism and multiple A-record lookups shows deliberate infrastructure design, though SPF's neutral qualifier (vs. explicit -all) means some edge cases aren't hardened.
• ✓DKIM at s2, s1 selectors (enforced): DKIM signatures enforce identity cryptographically—we found active keys at two common selectors. This means each legitimate email from Citi carries a digitally signed proof of origin that forgers cannot replicate.
• ·MTA-STS missing: MTA-STS is absent, meaning sending MTAs can't enforce encrypted delivery to Citi's mail servers. This is a known gap in email security, but doesn't weaken authentication itself—it only affects in-transit security.

Bottom line: Citi has implemented email authentication correctly; spoofing citi.com is not a practical attack vector.