Spoofability verdict for forbes.com
No - forbes.com is not practically spoofable.
Forbes has done the work: DMARC p=reject at pct=100 asks every receiver to enforce authentication on all mail claiming to be from forbes.com. That is the posture that makes direct spoofing of the domain genuinely difficult.
- DMARC policy=reject at pct=100: applies to every message, with no sampling and no fallback to a spam-folder warning. A receiver that honors the policy rejects mail with a forbes.com From: address unless it carries an aligned SPF pass or an aligned DKIM pass. Alignment means the domain SPF checked (MAIL FROM) or the DKIM d= domain matches the From: domain; relaxed alignment, the default, also accepts a subdomain of it.
- SPF redirect to Mimecast (partial strictness): the record is a bare redirect=, so evaluation continues with Mimecast's record and the all qualifier at the end of that record is the one that applies; this measurement did not look inside it, and Forbes publishes no -all of its own. For DMARC this matters less than it sounds: anything short of an SPF pass (neutral, softfail, fail, permerror) counts as a non-pass, so an attacker sending from an unlisted IP gets no SPF credit regardless of how the chain terminates.
- DKIM at 6 selectors (k1, google, mandrill, s1, s2, selector2): public keys are published for several sending platforms (google and mandrill are recognizable service selectors; selector1/selector2 are the defaults Microsoft 365 uses). The selector count shows how many signers exist, not how often keys rotate. Forging a valid signature requires the private key behind one of those selectors; rotation limits the damage if one leaks, it does not by itself make forgery harder.
- MTA-STS missing: covers the other direction. Without an MTA-STS policy, mail sent to forbes.com can be downgraded to cleartext by an attacker on the network path (STARTTLS stripping) or redirected by one who can spoof DNS MX answers. That affects the confidentiality and routing of inbound mail, not whether an outsider can impersonate forbes.com as a sender. It is the only gap in the measured set.
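The rejection logic described above, as an added example that is not code from this page, from Forbes or from any receiver: it parses a DMARC record, checks SPF and DKIM identifier alignment, applies pct sampling, and returns the disposition. The only input taken from the page is the forbes.com policy (p=reject, pct=100); the reporting tags are omitted, and every other domain, sender and authentication result is a constructed scenario.

```python
"""DMARC disposition for one message: parse the record, check identifier alignment,
apply pct sampling (RFC 7489). Added example; not code from the page or from Forbes."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthResults:
    """What a receiver's Authentication-Results would say (constructed inputs)."""
    spf_result: str             # "pass", "fail", "softfail", "neutral", "none", ...
    spf_domain: Optional[str]   # MAIL FROM domain SPF was evaluated against
    dkim_result: str            # result of the best verified signature
    dkim_domain: Optional[str]  # d= of that signature


def parse_dmarc(record: str) -> Dict[str, str]:
    """Tag=value parser with RFC 7489 defaults for pct, adkim and aspf."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + record)
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    A real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, from_domain: str, auth: AuthResults, sample: int = 0) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject'.

    `sample` stands in for the receiver's random draw in [0, 100): a message at or
    above pct gets the next-less-severe policy (reject -> quarantine -> none)."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


# Policy and pct as this page reports them for forbes.com; rua/ruf tags omitted.
FORBES_DMARC = "v=DMARC1; p=reject; pct=100"

# Constructed scenarios. Every domain other than forbes.com is hypothetical.
FORGED_FROM_ATTACKER_IP = AuthResults("fail", "forbes.com", "none", None)
ATTACKER_OWN_DKIM = AuthResults("pass", "attacker.example", "pass", "attacker.example")
LEGIT_VIA_AUTHORIZED_SENDER = AuthResults("fail", "bounce.sender.example", "pass", "forbes.com")
SPF_ONLY_RELAXED = AuthResults("pass", "mail.forbes.com", "none", None)  # hypothetical subdomain

if __name__ == "__main__":
    for name, auth in [("forged from attacker IP", FORGED_FROM_ATTACKER_IP),
                       ("attacker's own DKIM", ATTACKER_OWN_DKIM),
                       ("legit via authorized sender", LEGIT_VIA_AUTHORIZED_SENDER),
                       ("SPF-only, relaxed alignment", SPF_ONLY_RELAXED)]:
        print(f"{name}: {dmarc_disposition(FORBES_DMARC, 'forbes.com', auth)}")
```

The second scenario is the one worth remembering: a DKIM pass signed by the attacker's own domain is a real pass, but it is not aligned with the From: domain, so it earns nothing under DMARC.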
What this means practically
In practice, an attacker cannot send mail that receivers will trust as coming from forbes.com. Gmail, Outlook.com and the other major providers apply the reject policy, so mail that fails both aligned SPF and aligned DKIM is refused or discarded. To get through, the attacker would have to compromise Forbes' sending infrastructure or one of its authorized third-party senders, obtain the private DKIM key behind one of the published selectors, or give up on the exact domain and fall back on lookalike domains and display-name tricks, which DMARC does not address. The missing MTA-STS policy does not help with any of this: it concerns mail delivered to forbes.com, not mail claiming to come from it. Bulk spoofing of the exact domain simply fails.
Bottom line: Forbes has locked down the domain with enforced DMARC and DKIM at every active sender; the missing MTA-STS policy is a transport-security gap for inbound mail, not a spoofing weakness.
What we measured
- DMARC policy: p=reject (enforced). DMARC at p=reject with pct=100. Receivers that honor the policy reject spoofed mail, typically at SMTP time.
- SPF posture: redirect= (partial). The published record is
v=spf1 redirect=b45gkw7f._spf._d.mim.ec
It carries no all mechanism of its own. A record with no all and no redirect evaluates to neutral (the "?all" case); with redirect= the Mimecast record is evaluated in its place, its terminal all decides, and a missing target is a permerror. That target record was not evaluated here, so the effective terminal qualifier is unknown from this measurement.
- DKIM presence: found at 6 selectors (enforced). DKIM public keys published at selectors google, k1, mandrill, s1, s2, selector2.
- MTA-STS (transport): missing (open). No MTA-STS policy, so inbound mail to forbes.com can be downgraded to cleartext by stripping STARTTLS or redirected through spoofed DNS/MX answers.
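How a redirect= record resolves, as an added example that is not code from this page or from Mimecast. It follows redirect modifiers over a constructed DNS table and reports the terminal all qualifier that governs a sender matching no mechanism, with the RFC 7208 edge cases: no all and no redirect is neutral, a present all makes any redirect irrelevant, and a missing or duplicated target record is a permerror. Only the forbes.com record is taken from the page; the content of the Mimecast target and every other record is hypothetical.

```python
"""Follow SPF redirect= modifiers to the terminal `all` qualifier (RFC 7208 sections 4.7
and 6.1). Added example; DNS answers are a constructed table, not live lookups."""
from typing import Dict, List, Optional

# forbes.com is the record quoted on this page. Every other record is hypothetical,
# including the content of the Mimecast target, which the page does not show.
DNS_TXT: Dict[str, List[str]] = {
    "forbes.com": ["v=spf1 redirect=b45gkw7f._spf._d.mim.ec"],
    "b45gkw7f._spf._d.mim.ec": ["v=spf1 include:_netblocks.mimecast.example -all"],
    "neutral.example": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "no-all.example": ["v=spf1 ip4:192.0.2.0/24"],
    "both.example": ["v=spf1 redirect=neutral.example -all"],
    "dangling.example": ["v=spf1 redirect=missing.example"],
    "loop-a.example": ["v=spf1 redirect=loop-b.example"],
    "loop-b.example": ["v=spf1 redirect=loop-a.example"],
    "two-records.example": ["v=spf1 -all", "v=spf1 +all"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> Optional[str]:
    """Exactly one v=spf1 TXT record is valid; none or several is a permerror condition."""
    records = [r for r in DNS_TXT.get(domain.lower().rstrip("."), [])
               if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def effective_all(domain: str, max_hops: int = 10) -> Dict[str, object]:
    """Return the redirect chain and the terminal result for a non-matching sender.
    'error' is set for the permerror cases (missing/duplicate record, loop, too deep)."""
    chain: List[str] = []
    current = domain.lower().rstrip(".")
    while len(chain) < max_hops:
        if current in chain:
            return {"chain": chain, "terminal": None, "error": "redirect loop at " + current}
        chain.append(current)
        record = lookup_spf(current)
        if record is None:
            return {"chain": chain, "terminal": None, "error": "no single SPF record at " + current}
        redirect: Optional[str] = None
        terminal: Optional[str] = None
        for term in record.split()[1:]:
            low = term.lower()
            if low.startswith("redirect="):
                redirect = term.split("=", 1)[1]
            elif low.lstrip("+-~?") == "all":
                # an unqualified mechanism defaults to "+"
                terminal = QUALIFIER[term[0]] if term[0] in QUALIFIER else "pass"
        if terminal is not None:
            # RFC 7208 6.1: redirect MUST be ignored when an `all` mechanism is present
            return {"chain": chain, "terminal": terminal, "error": None}
        if redirect is None:
            # RFC 7208 4.7: nothing matched and no redirect -> neutral
            return {"chain": chain, "terminal": "neutral", "error": None}
        current = redirect.lower().rstrip(".")
    return {"chain": chain, "terminal": None, "error": "too many redirects"}


if __name__ == "__main__":
    for name in DNS_TXT:
        print(name, effective_all(name))
```

With the hypothetical Mimecast record above, forbes.com resolves to fail, not neutral; swap the target's terminal and the answer follows it, which is why a redirect= record cannot be scored without fetching the target.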
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode: a v=STSv1 TXT record at _mta-sts.forbes.com and the policy file served over HTTPS at mta-sts.forbes.com/.well-known/mta-sts.txt listing the permitted MX hosts. Pair it with a TLS-RPT record at _smtp._tls.forbes.com so sending MTAs report STARTTLS and certificate failures, which is how a downgrade attempt becomes visible.
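The records and policy file that recommendation amounts to, as an added example that is not Forbes' configuration: it builds the _mta-sts and _smtp._tls TXT values and the mta-sts.txt body, parses and validates a policy the way a sending MTA must before caching it, and applies the MX-pattern and TLS checks that decide whether delivery proceeds. The MX hostnames and report address are hypothetical placeholders, not Forbes' real mail hosts.

```python
"""MTA-STS policy and DNS records (RFC 8461) plus a TLS-RPT record (RFC 8460), with the
MX-matching decision a policy-aware sender makes. Added example; hostnames and the
report address are hypothetical, not Forbes' configuration."""
from typing import Dict, List, Union

MX_PATTERNS = ["mx1.mail.example.net", "*.mail.example.net"]  # hypothetical
REPORT_ADDRESS = "mailto:tls-reports@example.net"             # hypothetical

Policy = Dict[str, Union[str, int, List[str]]]


def mta_sts_txt(policy_id: str) -> str:
    """TXT at _mta-sts.<domain>. The id must change whenever the policy file changes."""
    return "v=STSv1; id=" + policy_id


def tlsrpt_txt(rua: str) -> str:
    """TXT at _smtp._tls.<domain>; senders post daily JSON failure reports here."""
    return "v=TLSRPTv1; rua=" + rua


def build_policy(mode: str, mx_patterns: List[str], max_age: int) -> str:
    """Body served at https://mta-sts.<domain>/.well-known/mta-sts.txt (CRLF lines)."""
    lines = ["version: STSv1", "mode: " + mode]
    lines += ["mx: " + mx for mx in mx_patterns]
    lines.append("max_age: " + str(max_age))
    return "\r\n".join(lines) + "\r\n"


def parse_policy(text: str) -> Policy:
    """Parse and validate; raises ValueError on anything a sender would refuse to cache."""
    mx: List[str] = []
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: " + raw)
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        max_age = int(fields["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age missing or not an integer")
    if not 0 <= max_age <= 31557600:
        raise ValueError("max_age out of range")
    if fields["mode"] != "none" and not mx:
        raise ValueError("enforce/testing policy needs at least one mx")
    return {"version": "STSv1", "mode": fields["mode"], "mx": mx, "max_age": max_age}


def mx_matches(mx_host: str, patterns: List[str]) -> bool:
    """A '*.' pattern matches exactly one leading label: *.mail.example.net covers
    mx2.mail.example.net but neither mail.example.net nor a.b.mail.example.net."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def sender_delivers(policy: Policy, mx_host: str, starttls_ok: bool, cert_ok: bool) -> bool:
    """Decision for one MX. In testing mode a failure is only reported via TLS-RPT;
    in enforce mode an unlisted MX, no STARTTLS or a bad certificate blocks delivery."""
    if policy["mode"] != "enforce":
        return True
    return mx_matches(mx_host, policy["mx"]) and starttls_ok and cert_ok


if __name__ == "__main__":
    print(mta_sts_txt("20240101T000000Z"))
    print(tlsrpt_txt(REPORT_ADDRESS))
    print(build_policy("enforce", MX_PATTERNS, 604800), end="")
```

Roll it out in testing mode first and watch the TLS-RPT reports; once they are clean, switch to enforce and bump the id in the _mta-sts record so cached copies expire.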