wiredepth

Spoofability verdict for cvs.com

Maybe - cvs.com is partially protected.


CVS Health has deployed a strong DMARC reject policy, but the rest of the authentication layer is either missing or weakly configured—creating a situation where technical protection exists on paper but real-world spoofing risk remains moderate.

  • DMARC p=reject (enforced): CVS has set DMARC to reject unauthenticated mail claiming to be from cvs.com. This is the gold standard and tells receivers to drop non-compliant messages. However, this only works if the other signals (SPF and DKIM) are robust enough to pass in the first place.
  • SPF softfail (~all): SPF is configured to softfail (~all), not hardfail (-all). This tells receivers to accept mail that fails SPF checks—just with reduced trust. Combined with SPF relying on Agari-managed includes, this weakens the reject policy's practical effect.
  • DKIM—no selectors found: After probing 22 common DKIM selector patterns, we found none. This means we cannot independently verify that CVS is signing outbound mail with DKIM. Receivers may still validate DKIM if CVS signs with a non-standard selector name, but this is a warning sign of incomplete deployment.
  • MTA-STS missing: MTA-STS enforces TLS when other mail servers send to cvs.com. Its absence means attackers who intercept the SMTP connection during delivery can still inject mail, even if initial authentication checks would otherwise block it.

What this means practically

An attacker can create a spoofed email claiming to be from cvs.com. If they route it through a mail server that passes Agari's SPF checks (or if they exploit the softfail), receivers like Gmail and Outlook will accept it despite the reject policy, because SPF validation will succeed or be treated as non-critical. The absence of DKIM means no second layer of cryptographic verification exists. MTA-STS missing means that man-in-the-middle attacks on the SMTP connection itself are possible. In practice, this email will likely arrive in inboxes, especially at organizations with lenient filtering policies.

Context for CVS Health

Healthcare organizations are frequent targets for phishing and business email compromise. CVS Health's posture is weaker than it appears at first glance; a stronger configuration would include: hardfail SPF (-all), at least one active DKIM selector, and MTA-STS in enforce mode.

Bottom line: CVS Health has the right top-level policy (DMARC reject) but has not finished the implementation—missing DKIM and MTA-STS, combined with a softfail SPF, leave substantial room for attackers to impersonate cvs.com in the wild.

What we measured

DMARC policy: p=reject [Enforced]
  DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

SPF posture: ~all (softfail) [Partial]
  SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
  Record: v=spf1 include:%{d}.4e.spf-protect.agari.com exists:%{i}._i.%{d}._d.espf.agari.com ~all

DKIM presence: no key found at common selectors [Open]
  No DKIM key found at any of the 22 common selectors. (Your domain may publish a DKIM key at a less-common selector - this is a heuristic, not exhaustive.)

MTA-STS (transport): missing [Open]
  No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list - that's fine, but worth verifying with your mail provider.
  3. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
