No - ft.com is not practically spoofable.

• ✓DMARC p=reject at 100%: Any email claiming to be from ft.com that fails DMARC authentication is rejected outright by all receiving mail servers. This is the strongest possible policy and applied to all traffic, not a percentage sample.
• ✓SPF -all (hardfail): SPF hardfail means only mail servers explicitly authorised via the include directives (Google, Marketo, Salesforce, HubSpot, Mandrill, and others) can send from ft.com. Everything else is rejected. No gradation—this is a clean boundary.
• ✓DKIM at 4 active selectors: DKIM signing at multiple selector points (google, s1, mandrill, s2) across your sending infrastructure means legitimate mail is cryptographically signed and verifiable. Found after probing 22 common selectors, indicating mature operational coverage.
• ·MTA-STS missing: MTA-STS enforces TLS in transit and prevents downgrade attacks on the SMTP connection itself. It's not deployed, but DMARC + SPF hardfail already prevent the attacker from sending mail that will be accepted, so the practical risk is low.

Bottom line: Financial Times has eliminated spoofing as a viable attack: p=reject + SPF hardfail + DKIM coverage is the defence that actually works, and it's deployed here at full strength.