Spoofability verdict for cnn.com
No - cnn.com is not practically spoofable.
CNN has built a genuinely protective email infrastructure around cnn.com. Their DMARC policy is set to reject, DKIM keys are present across multiple selectors, and SPF includes legitimate forwarding partners—this is a domain where the fundamentals work in concert.
- DMARC policy=reject (enforced): Any email claiming to be from cnn.com that fails DMARC authentication will be rejected by receiving mail servers. This is the hardest DMARC stance and prevents spoofing at the protocol level.
- SPF ~all (softfail): SPF lists legitimate senders including Zendesk, but ends with softfail (~all) rather than hardfail (-all). Softfail is permissive—receivers can accept mail that fails SPF checks. However, SPF alone doesn't stop spoofing; DMARC rejection handles that.
- DKIM at 5 selectors (k2, k1, s2, s1, selector1): DKIM signatures are cryptographically verified. Multiple selectors found suggest key rotation practice. An attacker cannot forge a valid DKIM signature without stealing the private key.
- MTA-STS missing: MTA-STS enforces encrypted transport between mail servers. CNN is not using it, so mail between servers could theoretically be intercepted in transit—but this doesn't enable direct impersonation of cnn.com itself.
What this means practically
An attacker cannot send an email that passes DMARC authentication as cnn.com—it will be rejected. They could send an email that appears to be from cnn.com in the display name (a visual spoof), but legitimate mail servers will reject it. Phishing emails claiming to be from CNN are possible, but they will not arrive at corporate or well-configured consumer inboxes (Gmail, Outlook) as authenticated CNN mail. The attacker's only workaround is compromising a legitimate CNN sending system or using a lookalike domain.
Bottom line: CNN's DMARC reject policy + DKIM coverage makes cnn.com one of the harder domains to spoof; phishing emails claiming to be from CNN will fail authentication and be rejected by major receivers.
What we measured
- DMARC policy: p=reject (status: Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: ~all (softfail) (status: Partial). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record: v=spf1 include:cnn.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:mail.zendesk.com ~all
- DKIM presence: found at 5 selectors (status: Enforced). DKIM key found at selectors: k2, k1, selector1, s1, s2.
- MTA-STS (transport): missing (status: Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.