Spoofability verdict for comcast.com
No - comcast.com is not practically spoofable.
Comcast deploys textbook email authentication at scale: strict DMARC rejection with proper SPF and DKIM. This is how a major telecom operator should look.
- DMARC policy=reject (enforced): DMARC policy is set to reject, meaning receivers will reject mail that fails DMARC alignment checks. No percentage qualifier means 100% of failing mail is rejected, not sampled or monitored. This is the strongest posture.
- SPF softfail (~all) with 14 authorized IPs and includes: SPF authorizes a large, explicit list of Comcast infrastructure (148.163.x, 162.150.x, 96.114.x, 68.87.x, 67.231.x) plus external services like Zapproved and ZenDesk. The ~all (softfail) qualifier is less strict than -all (hardfail), but paired with DMARC=reject, unauthenticated mail will still be rejected: DMARC treats any SPF result other than pass as a failure, so softfail and hardfail lead to the same DMARC verdict.
- DKIM at 4 active selectors (k1, k2, s1, s2): Four working DKIM selectors indicate mature key rotation and signing infrastructure. Messages signed with these keys cannot be forged without access to Comcast's private keys.
- MTA-STS missing: MTA-STS requires encrypted TLS delivery between mail servers and prevents downgrade attacks on that hop. Its absence is a minor gap, but does not weaken spoofability protection; DMARC rejection handles the primary threat.
What this means practically
An attacker cannot realistically send mail from comcast.com to any modern receiver. A message that lacks a valid DKIM signature under one of the four known selectors must instead pass SPF with an aligned domain, and the explicit IP list is tight and won't match arbitrary attacker infrastructure, so it fails SPF alignment as well. DMARC will then reject it at the receiver. Gmail, Microsoft, Yahoo, and enterprise mail systems all honor DMARC=reject and will hard-fail spoofed mail. A second-order risk is phishing via lookalike or subdomain names (comcast-mail.com, or support.comcast.com if an attacker could register or control it), but that is a separate threat model outside of comcast.com spoofability.
Bottom line: Comcast.com is effectively unspoofable for attackers without compromised signing keys; any organization shipping email at this scale should match this standard.
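As an added illustration (not part of this report or of any Comcast tooling), the following Python evaluates the published SPF record for a given sender IP and then applies DMARC identifier alignment and policy, showing why an unsigned message from an unlisted IP is rejected while a legitimately signed one passes. It assumes a simplified evaluator: include: terms are not resolved (no DNS), the organizational domain is taken as the last two labels instead of consulting the Public Suffix List, and the sender IP 203.0.113.7 is a constructed example.

```python
import ipaddress

# SPF record published for comcast.com, quoted from the report's measurements.
COMCAST_SPF = (
    "v=spf1 ip4:148.163.145.77 ip4:148.163.141.77 ip4:162.150.44.71 "
    "ip4:96.114.158.212 ip4:68.87.31.167 ip4:68.87.96.15 ip4:96.114.28.75 "
    "ip4:96.114.28.76 ip4:67.231.157.49 ip4:67.231.149.53 ip4:192.28.144.202 "
    "include:spfext.zapproved.com include:_spf.mdp.comcast.net "
    "include:_spf.comcast.com include:spf-00143705.pphosted.com ~all"
)
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record: str, sender_ip: str) -> str:
    """Offline SPF evaluation of ip4:/ip6: mechanisms and the final 'all'.
    include: terms need live DNS and are skipped here (assumption: the sender
    IP is not covered by any include), so 'pass' is a lower bound."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qual]
        elif term == "all":
            return RESULT[qual]
    return "neutral"  # no 'all' term: RFC 7208 default result

def org_domain(domain: str) -> str:
    # Assumption: last two labels; a real evaluator uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(from_domain, spf_result, mail_from_domain, dkim_pass_domains,
                  policy="reject", adkim="r", aspf="r") -> str:
    """Return 'pass', or the policy ('none'/'quarantine'/'reject') to apply.
    DMARC passes if SPF passes AND aligns, OR any passing DKIM d= aligns."""
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else policy

if __name__ == "__main__":
    # Constructed spoof attempt: unlisted sender IP, no DKIM, From: comcast.com.
    spf = spf_check(COMCAST_SPF, "203.0.113.7")                        # softfail
    print(spf, dmarc_verdict("comcast.com", spf, "comcast.com", []))  # reject
```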
What we measured

| Status | Check | Result | Detail |
|---|---|---|---|
| Enforced | DMARC policy | p=reject | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP. |
| Partial | SPF posture | ~all (softfail) | SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. |
| Enforced | DKIM presence | found at 4 selectors | DKIM key found at selectors: k2, k1, s1, s2. |
| Open | MTA-STS (transport) | missing | No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade. |

Published SPF record for comcast.com:

v=spf1 ip4:148.163.145.77 ip4:148.163.141.77 ip4:162.150.44.71 ip4:96.114.158.212 ip4:68.87.31.167 ip4:68.87.96.15 ip4:96.114.28.75 ip4:96.114.28.76 ip4:67.231.157.49 ip4:67.231.149.53 ip4:192.28.144.202 include:spfext.zapproved.com include:_spf.mdp.comcast.net include:_spf.comcast.com include:spf-00143705.pphosted.com ~all
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.