Spoofability verdict for expedia.com
No - expedia.com is not practically spoofable.
Expedia has built a fortress around their email domain. They've deployed the complete toolkit of email authentication at maximum strength, and it's working exactly as intended.
- DMARC p=reject (enforced): The DMARC policy is reject (not merely quarantine) and there is no softening via the pct parameter. A message with expedia.com in its From: header that fails DMARC, that is, one with neither an aligned SPF pass nor an aligned DKIM pass, is rejected outright by every receiver that honours the policy.
- SPF -all hardfail (enforced): The SPF record authorises several legitimate sender sources (the _spf.expedia.com sub-record, a ServiceNow host, Qualtrics, Clearslide, Zendesk, Salesforce, Sidetrade, and a set of explicit IPv4 addresses and blocks) and ends with -all, so any connecting IP not covered by those mechanisms fails SPF hard. One check worth running: the record carries seven include/a mechanisms, some of which expand to further includes, and RFC 7208 caps SPF at 10 DNS lookups; exceeding that cap produces permerror rather than a clean fail.
- DKIM at 4 selectors: DKIM public keys are published at four selectors (k1, s1, s2, selector1) out of 22 common selector names probed. An attacker would need the private key behind one of those selectors to produce a signature that validates.
- MTA-STS missing: No MTA-STS policy was detected. MTA-STS lets sending servers insist on validated TLS to expedia.com's MX hosts, which defeats STARTTLS stripping and MX redirection by an attacker on the SMTP path or in control of DNS answers. Its absence is therefore a transport gap for mail sent to expedia.com; it has no bearing on whether a third party can send mail as expedia.com, and so does not affect the spoofability verdict.
What this means practically
An attacker cannot practically spoof email from expedia.com. To send mail that passes Expedia's controls and reaches a recipient's inbox, they would need either (a) the DKIM private key behind one of Expedia's four signing selectors, or (b) a sending IP inside one of the ranges authorised by the SPF record, combined with a MAIL FROM domain that aligns with expedia.com. Without one of those, the message fails both aligned SPF and aligned DKIM, and the receiver applies p=reject. Major mailbox providers (Gmail, Outlook, and others) honour that policy and reject the message.
Bottom line: Expedia has closed off exact-domain spoofing of expedia.com through a strict DMARC reject policy, a comprehensive SPF record ending in -all, and deployed DKIM signing, a textbook example of email authentication done right. Note the scope of that verdict: it covers messages that put expedia.com itself in the From: header. Lookalike domains, display-name tricks, and abuse of a legitimately authorised sender are outside what these records can prevent.
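The reasoning above can be made concrete by evaluating the quoted SPF record and the DMARC pass rule for a few sender scenarios. The following is an added example, not the scanner's own code: it implements RFC 7208 check_host() for the mechanisms this record uses and the RFC 7489 disposition rule, with DNS replaced by an in-memory table. Only the expedia.com entry comes from the page; every include:/a: target, the attacker.example domain, and all TEST-NET addresses are constructed, hypothetical stand-ins.

```python
"""Offline SPF and DMARC evaluation for the record quoted on this page.

Added example (not the scanner's own code). DNS is replaced by a small
table so it runs offline: the expedia.com entry is the record shown on the
page, while every include:/a: target is a constructed, hypothetical
stand-in using TEST-NET addresses, since the real ones are not on the page.
"""
import ipaddress

EXPEDIA_SPF = (
    "v=spf1 include:_spf.expedia.com a:b.spf.service-now.com "
    "include:_spf.qemailserver.com include:spf.clearslide.com "
    "include:mail.zendesk.com include:_spf.salesforce.com "
    "include:_spf.sidetrade.net ip4:212.99.44.68 ip4:212.99.44.69 "
    "ip4:83.138.167.180 ip4:195.50.76.198 ip4:83.138.167.180/30 "
    "ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.8.0/21 "
    "ip4:199.15.213.62 ip4:199.15.213.63 ip4:192.28.150.108 -all"
)

# Constructed DNS: TXT records by name. Only expedia.com is from the page;
# every other record is hypothetical.
DNS_TXT = {
    "expedia.com": EXPEDIA_SPF,
    "_spf.expedia.com": "v=spf1 ip4:203.0.113.0/25 -all",         # hypothetical
    "_spf.qemailserver.com": "v=spf1 ip4:203.0.113.128/26 -all",  # hypothetical
    "spf.clearslide.com": "v=spf1 ip4:203.0.113.192/27 -all",     # hypothetical
    "mail.zendesk.com": "v=spf1 ip4:203.0.113.224/28 -all",       # hypothetical
    "_spf.salesforce.com": "v=spf1 ip4:203.0.113.240/29 -all",    # hypothetical
    "_spf.sidetrade.net": "v=spf1 ip4:203.0.113.248/29 -all",     # hypothetical
    "attacker.example": "v=spf1 ip4:192.0.2.10 -all",  # hypothetical attacker domain
}
# Constructed DNS: A records, used by the "a:" mechanism (hypothetical).
DNS_A = {"b.spf.service-now.com": ["198.51.100.7"]}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """RFC 7208 check_host(): evaluate DOMAIN's SPF record for sender IP.

    Supports the mechanisms the quoted record uses (ip4, ip6, a, include,
    all). mx/ptr/exists are treated as no-match and modifiers are ignored,
    so this is complete for the record above but not a general resolver.
    """
    if depth > 10:                       # recursion cap, mirrors the lookup limit
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                  # modifier (redirect=, exp=): ignored here
            continue
        qual = "+"
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":
            matched = str(addr) in DNS_A.get(arg or domain, [])
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        elif mech in ("mx", "ptr", "exists"):
            matched = False              # not used by this record
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"                     # no mechanism matched and no "all"


def aligned(domain, header_from):
    """Relaxed identifier alignment, simplified to suffix matching on the
    From: domain (the full rule compares organizational domains)."""
    domain, header_from = domain.lower(), header_from.lower()
    return domain == header_from or domain.endswith("." + header_from)


def dmarc_disposition(policy, header_from, spf_result, mail_from_domain,
                      dkim_result, dkim_domain):
    """RFC 7489: DMARC passes if *either* SPF or DKIM passes AND that
    identifier is aligned with the From: domain; otherwise apply the policy."""
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from)
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "none", "quarantine": "quarantine", "reject": "reject"}[policy]


def spoof_attempt(sender_ip, mail_from_domain, dkim_result="fail", dkim_domain=""):
    """Disposition for a message whose From: is @expedia.com, given the
    sender's connecting IP, MAIL FROM domain and DKIM outcome (p=reject)."""
    spf = check_host(sender_ip, mail_from_domain)
    return dmarc_disposition("reject", "expedia.com", spf, mail_from_domain,
                             dkim_result, dkim_domain)


if __name__ == "__main__":
    # Attacker IP, MAIL FROM forged as expedia.com: SPF hard fail -> reject
    print(spoof_attempt("192.0.2.10", "expedia.com"))
    # Attacker IP with their own SPF-passing domain: SPF passes but is unaligned -> reject
    print(spoof_attempt("192.0.2.10", "attacker.example"))
    # Sender inside a listed range with an aligned MAIL FROM: SPF pass -> pass
    print(spoof_attempt("83.138.167.183", "expedia.com"))
```

The second scenario is the one people most often get wrong: an SPF pass on the attacker's own MAIL FROM domain does not help, because DMARC only credits an SPF pass whose domain aligns with the From: header.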
What we measured
- DMARC policy: p=reject (Enforced). DMARC is at p=reject with pct=100. Receivers that honour the policy reject spoofed mail, typically at SMTP time.
- SPF posture: -all (Enforced). The record ends in -all (hardfail), so mail from an IP not covered by the policy fails SPF; with DMARC at p=reject, that failure becomes a rejection unless an aligned DKIM signature validates. The published record:
  v=spf1 include:_spf.expedia.com a:b.spf.service-now.com include:_spf.qemailserver.com include:spf.clearslide.com include:mail.zendesk.com include:_spf.salesforce.com include:_spf.sidetrade.net ip4:212.99.44.68 ip4:212.99.44.69 ip4:83.138.167.180 ip4:195.50.76.198 ip4:83.138.167.180/30 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.8.0/21 ip4:199.15.213.62 ip4:199.15.213.63 ip4:192.28.150.108 -all
- DKIM presence: found at 4 selectors (Enforced). DKIM public keys found at selectors k1, s2, selector1, s1.
- MTA-STS (transport): missing (Open). No MTA-STS policy. Mail inbound to expedia.com can be downgraded to cleartext or redirected by an attacker who controls DNS answers or sits on the SMTP path.
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode (a TXT record at _mta-sts.expedia.com plus the policy file at https://mta-sts.expedia.com/.well-known/mta-sts.txt, the locations RFC 8461 specifies) together with a TLS-RPT record at _smtp._tls.expedia.com so that sending servers report TLS failures. This closes the remaining transport gap for inbound mail; the spoofability controls above are already complete.
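What that recommendation produces, and how a sending MTA (or a scanner filling in the transport row above) consumes it, is shown in the following added example. It is not the page's tool or Expedia's configuration: the TXT record, policy body, MX host names, policy id and TLS-RPT mailbox are constructed stand-ins for what expedia.com would publish if it adopted the recommendation, and none of them are known to be real.

```python
"""MTA-STS policy discovery and enforcement, as a sending MTA (or the
scanner behind the 'MTA-STS (transport)' row) would apply it.

Added example, not the page's tool. Every record, host name, id and
mailbox below is a constructed, hypothetical stand-in.
"""

# Constructed TXT record at _mta-sts.expedia.com (hypothetical id value).
STS_TXT = "v=STSv1; id=20240101T000000Z"

# Constructed body of https://mta-sts.expedia.com/.well-known/mta-sts.txt
# (hypothetical MX names). RFC 8461 section 3.2 defines the format.
POLICY_ENFORCE = """version: STSv1
mode: enforce
mx: mx1.expedia.com
mx: *.mail.expedia.com
max_age: 604800
"""
# Same policy in testing mode: failures are only reported, never enforced.
POLICY_TESTING = POLICY_ENFORCE.replace("mode: enforce", "mode: testing")

# Constructed TLS-RPT record at _smtp._tls.expedia.com (hypothetical mailbox).
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@expedia.com"


def parse_sts_txt(txt):
    """Return the policy id from a _mta-sts TXT record, or None if it is
    not a valid STSv1 record (RFC 8461 section 3.1)."""
    fields = {}
    for kv in txt.split(";"):
        key, sep, value = kv.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(body):
    """Parse the policy file into a dict; raise ValueError on a malformed
    or incomplete policy."""
    policy = {"mx": []}
    for line in body.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    return policy


def mx_permitted(policy, mx_host):
    """True if MX_HOST matches one of the policy's mx patterns. A leading
    '*.' matches exactly one label, as RFC 8461 requires."""
    host = mx_host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                     # e.g. ".mail.expedia.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def should_deliver(policy, mx_host, tls_cert_valid):
    """Sender-side decision: in enforce mode deliver only over validated
    TLS to a permitted MX; in testing or none mode deliver regardless
    (testing mode still generates a TLS-RPT failure report)."""
    if policy["mode"] != "enforce":
        return True
    return mx_permitted(policy, mx_host) and tls_cert_valid


def has_tlsrpt(txt):
    """True if a _smtp._tls TXT record is a TLSRPTv1 record with a rua= endpoint."""
    return bool(txt) and txt.strip().lower().startswith("v=tlsrptv1") and "rua=" in txt


def transport_verdict(sts_txt, policy_body):
    """Reproduce the page's transport row: 'enforced', 'testing' or 'open'."""
    if not sts_txt or not policy_body or parse_sts_txt(sts_txt) is None:
        return "open"
    try:
        policy = parse_policy(policy_body)
    except ValueError:
        return "open"
    if policy["mode"] == "enforce":
        return "enforced"
    return "testing" if policy["mode"] == "testing" else "open"


if __name__ == "__main__":
    print(transport_verdict(None, None))                  # what the page measured
    print(transport_verdict(STS_TXT, POLICY_ENFORCE))     # after the fix
    print(should_deliver(parse_policy(POLICY_ENFORCE), "mx.attacker.example", True))
```

The last call is the point of enforce mode: even with a valid certificate, a sending server that has cached this policy refuses to hand expedia.com's mail to an MX host the policy does not list, which is exactly what an MX-redirection attack needs it to do.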