No - dhs.gov is not practically spoofable.

• ✓DMARC p=reject at 100%: Any email claiming to be from dhs.gov that fails DMARC authentication is rejected outright by receiving mail servers. DHS has set pct=100, meaning every message is evaluated against this strict standard. This is the gold standard for email authentication.
• ✓SPF -all (hardfail): SPF is configured with a strict hardfail mechanism (-all), meaning only servers explicitly listed (including DHS IPs and Outlook/protection domains) can send valid mail. Any unlisted source will fail SPF checks immediately.
• ✓DKIM single selector found: DHS maintains DKIM signing on selector1. A single, actively monitored selector is simpler to manage and audit than sprawling selector infrastructure, and it's cryptographically binding each message to DHS's keys.
• ·MTA-STS not published: MTA-STS enforces encrypted SMTP transit (TLS) between mail servers. DHS doesn't publish this policy, but the DMARC and SPF enforcement already prevents most spoofing before that becomes relevant. Not critical given the strong authentication posture upstream.

Bottom line: DHS.gov is effectively unspoofable—enforced DMARC reject with strict SPF and DKIM forms a complete authentication barrier that leaves no room for an attacker to impersonate the domain.