Spoofability verdict for fbi.gov
No - fbi.gov is not practically spoofable.
The FBI's email infrastructure is a textbook example of how to lock down a critical domain. They've deployed the strongest possible anti-spoofing posture: a hard-reject DMARC policy with full enforcement, a strict SPF hardfail, and no daylight for attackers to slip through.
- DMARC policy=reject at 100%: Messages that fail authentication are rejected outright by receivers that enforce DMARC, not quarantined. No wiggle room. This is the maximum protection DMARC offers.
- SPF hardfail (-all): SPF is configured with a hard fail: any IP not in the whitelist (FBI's MX servers and 153.31.0.0/16 netblock) will be rejected by compliant receivers. This closes off a common spoofing vector.
- DKIM: no selectors found: While we didn't find published DKIM keys in our scan, this doesn't weaken their posture—DMARC reject + SPF hardfail already stops spoofing without DKIM. DKIM would add redundancy but isn't necessary here.
- MTA-STS: not deployed: MTA-STS enforces encrypted connections to their mail servers. Its absence is a minor gap: MTA-STS doesn't prevent spoofing, but it reduces man-in-the-middle risk on inbound mail. Given their DMARC/SPF posture, this is low priority.
What this means practically
An attacker cannot practically spoof fbi.gov email. Any spoofed message will fail SPF authentication (wrong sender IP), fail DMARC authentication (missing valid SPF/DKIM alignment), and be rejected by mail servers that respect both standards. Gmail, Microsoft 365, and most enterprise systems will dump spoofed FBI mail before it reaches a user. The only residual risk is a receiver that ignores DMARC and SPF entirely—increasingly rare among major platforms.
Bottom line: The FBI has implemented the gold standard for email authentication; fbi.gov is not spoofable in any realistic attack scenario.
What we measured
- DMARC policy: Enforced, p=reject. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: Enforced, -all (hardfail). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Record: v=spf1 +mx ip4:153.31.0.0/16 -all
- DKIM presence: Open, no key found at common selectors. No DKIM key found at any of the 22 common selectors. (Your domain may publish a DKIM key at a less-common selector - this is a heuristic, not exhaustive.)
- MTA-STS (transport): Open, missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list - that's fine, but worth verifying with your mail provider.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.