wiredepth

Spoofability verdict for fidelity.com

No - fidelity.com is not practically spoofable.


Fidelity has deployed the gold standard for email authentication: a strict DMARC reject policy at 100% enforcement, backed by hardfail SPF and multiple DKIM selectors. This is financial-sector email security done right.

  • DMARC policy=reject at pct=100: 100% of unauthenticated mail claiming to be from fidelity.com is rejected outright by any receiver that respects DMARC. This is the strongest policy available.
  • SPF hardfail (-all): SPF is configured to explicitly reject any sending IP not in the two fidelity-owned include blocks. Any spoofed mail from an attacker's server will fail SPF immediately.
  • DKIM with selector1 and selector2: Multiple DKIM signing keys indicate sophisticated rotation and key management. An attacker cannot forge signatures without the private key.
  • MTA-STS (mode=missing): MTA-STS prevents downgrade attacks on the TLS connection between mail servers. Fidelity hasn't deployed it, but the gap doesn't weaken the DMARC/SPF/DKIM trio.

What this means practically

An attacker cannot practically spoof fidelity.com email. They cannot forge the DKIM signatures, cannot route mail from an unauthorized IP that passes SPF, and so cannot deliver mail to any modern receiver without failing both SPF and DKIM, and with them DMARC. Gmail, Microsoft 365, and enterprise systems will reject or heavily quarantine any spoofed attempt. The only remaining attack surface is pre-authentication social engineering (phishing links in legitimate-looking mail) or account compromise at Fidelity itself.

Bottom line: Fidelity's email infrastructure is locked down to industry best practice; spoofing the domain is not a viable attack vector.

What we measured

  • DMARC policy: p=reject [Enforced]. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: -all (hardfail) [Enforced]. SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
    v=spf1 include:_fidelitynets.fmr.com include:_fidelitypartners-a.fidelity.com -all
  • DKIM presence: found at 2 selectors [Enforced]. DKIM key found at selectors: selector1, selector2.
  • MTA-STS (transport): missing [Open]. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
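The posture rules behind the Enforced / Open labels above, as an added example (not wiredepth's code): it classifies constructed DMARC, SPF and MTA-STS records and also covers the subdomain-policy (sp=) and pct sampling cases the report does not show. The record values are constructed to match the verdicts stated on this page, not live DNS answers.

```python
"""Classify published e-mail authentication records as Enforced / Partial / Open.
Added example; sample records below are constructed, not fetched from DNS."""

import re
from typing import Optional

# Constructed records consistent with the page's verdicts (rua address is a placeholder).
DMARC_TXT = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.invalid"
SPF_TXT = "v=spf1 include:_fidelitynets.fmr.com include:_fidelitypartners-a.fidelity.com -all"


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record (DMARC style) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_posture(record: Optional[str]) -> str:
    if not record or not record.lower().startswith("v=dmarc1"):
        return "Open"                          # no policy published: receivers apply none
    t = parse_tags(record)
    policy = t.get("p", "none").lower()
    sub_policy = t.get("sp", policy).lower()   # sp= defaults to p= when absent
    pct = int(t.get("pct", "100"))
    if policy == "reject" and sub_policy == "reject" and pct == 100:
        return "Enforced"
    if policy == "none" or sub_policy == "none":
        return "Open"                          # monitor-only for the domain or its subdomains
    return "Partial"                           # quarantine, or pct < 100 sampling


def spf_posture(record: Optional[str]) -> str:
    if not record or not record.lower().startswith("v=spf1"):
        return "Open"
    # The first 'all' mechanism and its qualifier decide the fate of unlisted senders.
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~+?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"      # bare 'all' means pass
            if qualifier == "-":
                return "Enforced"              # hardfail
            return "Partial" if qualifier == "~" else "Open"  # softfail vs pass/neutral
    return "Open"                              # no 'all': default result is neutral


def mta_sts_posture(policy_body: Optional[str]) -> str:
    if not policy_body:
        return "Open"                          # missing policy: TLS can be downgraded
    mode = re.search(r"^mode:\s*(\w+)", policy_body, re.MULTILINE)
    return "Enforced" if mode and mode.group(1).lower() == "enforce" else "Partial"
```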

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
