wiredepth
Run a check

Spoofability verdict for fcc.gov

No - fcc.gov is not practically spoofable.

See the math

The FCC has deployed a textbook strong authentication posture that makes spoofing fcc.gov mail effectively impossible in practice.

  • DMARC p=reject (enforced): A reject policy means that any mail claiming to be from fcc.gov but failing DMARC alignment is rejected outright by receiving mail servers. This is the strongest policy available.
  • SPF -all (hardfail): SPF hard-fails mail from unauthorized senders. The FCC has defined a tight whitelist: two specific IP ranges for direct sending, plus authorised relays (Zendesk, Office 365). Anything else is rejected at the SMTP stage.
  • DKIM at 2 selectors (probed 22): DKIM cryptographically signs outbound messages. The FCC maintains at least two signing keys (selectors 'dkim' and 'selector1'), making it costly and impractical for an attacker to forge signatures.
  • MTA-STS missing: MTA-STS enforces encrypted transport between mail servers and prevents downgrade attacks. Its absence is a minor gap, but DMARC p=reject and SPF -all already provide the core protection; MTA-STS would add a layer against active network interception.

What this means practically

An attacker attempting to send mail as fcc.gov will hit a hard wall. SPF will block them at SMTP unless they control one of the whitelisted IP ranges or Zendesk/Office 365 accounts. Even if they somehow clear SPF, DMARC p=reject will cause receiving systems (Gmail, Outlook, etc.) to outright reject the message. DKIM signatures cannot be forged without stealing the FCC's private keys. In practice, spoofing fcc.gov is not a viable attack vector.

Bottom line: The FCC has implemented industrial-strength email authentication—this is what a government domain should look like.

What we measured

Enforced

DMARC policy

p=reject

inspect →

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Enforced

SPF posture

-all (hardfail)

inspect →

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 ip4:192.104.54.97 ip4:192.104.54.91 ip4:192.133.125.38 ip4:192.133.125.39 ip4:192.104.54.93 ip4:149.96.193.2 ip4:149.96.192.2 include:mail.zendesk.com include:spf.protection.outlook.com -all

Enforced

DKIM presence

found at 2 selectors

inspect →

DKIM key found at selectors: dkim, selector1.

Open

MTA-STS (transport)

missing

inspect →

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.

Check another domain