Spoofability verdict for ftc.gov
No - ftc.gov is not practically spoofable.
See the math
The FTC has deployed the three sender-authentication controls together and switched them fully on: DMARC at p=reject with pct=100, SPF terminated by -all, and a published DKIM key. With that combination, a message carrying an ftc.gov From: address that did not originate from FTC-authorized infrastructure fails DMARC and is refused by every receiver that enforces the policy, which makes spoofing ftc.gov mail practically infeasible.
- DMARC p=reject; pct=100: A message fails DMARC when neither SPF nor DKIM passes with a domain aligned to the From: header. p=reject asks receivers to refuse such messages outright, and pct=100 applies that request to every message rather than a sample, so there is no quarantine or monitoring fallback. Receivers honour the policy at their own discretion, but the major ones do.
- SPF -all (hardfail): The record authorizes the domain's MX hosts plus whatever the two FTC-controlled include: records expand to; -all tells receivers to treat any other source IP as a hard fail. SPF on its own checks only the envelope sender (RFC5321.MailFrom), so an attacker could sidestep it by using an envelope domain they control; DMARC closes that gap by requiring the SPF-authenticated domain to align with the visible From: domain.
- DKIM selector1 found: A public key is published at selector1._domainkey.ftc.gov, so receivers can verify signatures on FTC mail. A spoofed message cannot produce a valid signature under an ftc.gov-aligned d= domain, so DKIM offers it no second route to a DMARC pass, while legitimate FTC mail that loses SPF (for example when forwarded) can still pass on its signature. One published selector shows signing is in use; it does not by itself prove that every outbound stream is signed.
- MTA-STS missing: MTA-STS governs transport of mail to ftc.gov, not who may send as ftc.gov, so its absence does not change the verdict. Without it, MTAs delivering to ftc.gov fall back to opportunistic STARTTLS: an attacker who can tamper with DNS answers or the connection can redirect delivery to a rogue MX or strip STARTTLS and read the mail in the clear.
What this means practically
An attacker who sends mail with an ftc.gov From: address from infrastructure the FTC has not authorized fails both SPF and DKIM, and any receiver that enforces DMARC, including Gmail and Microsoft 365, rejects it. Receivers that do not evaluate DMARC are a shrinking minority, and many of those still act on an SPF hardfail, though that handling is up to each receiver. What remains sits outside what DMARC can see: lookalike domains (for example ftc-gov.com), a display name such as "Federal Trade Commission" placed over an unrelated address, and mail sent through a third-party service that the include: records authorize, should that service or an FTC sending account be compromised.
Bottom line: The FTC's email security posture is exemplary; ftc.gov is not practically spoofable, the one open item (MTA-STS) concerns transport privacy rather than sender spoofing, and this configuration should be a model for other federal agencies.
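To make the reasoning above concrete, here is a small DMARC evaluator run over a few constructed messages: a direct spoof, a spoof using the attacker's own envelope domain, legitimate FTC mail via an include: source, legitimate mail that was forwarded (SPF lost, DKIM intact), and a lookalike domain. This is an added worked example, not code from the original report; the ftc.gov SPF record is the one the report shows, but every IP address, the DMARC record text, the contents of spf1.ftc.gov and spf2.ftc.gov, and the attacker.example and forwarder.example domains are constructed stand-ins, and the alignment check is a simplified version of the relaxed-alignment rule.

```python
"""DMARC disposition walkthrough for the ftc.gov posture described above.

Added illustration, not code from the original report. Only the ftc.gov SPF
text comes from the report; all IP addresses, the DMARC record text, the
include: contents and the other domains are CONSTRUCTED stand-ins.
"""
import ipaddress

# Constructed DNS view (RFC 5737 documentation addresses throughout).
DNS = {
    "ftc.gov": {
        "spf": "v=spf1 mx include:spf1.ftc.gov include:spf2.ftc.gov -all",  # from the report
        "mx_ips": ["192.0.2.10", "192.0.2.11"],                            # constructed
        "dmarc": "v=DMARC1; p=reject; pct=100",   # assumed text matching the reported p/pct
    },
    "spf1.ftc.gov": {"spf": "v=spf1 ip4:198.51.100.0/24 -all"},      # constructed
    "spf2.ftc.gov": {"spf": "v=spf1 ip4:203.0.113.5 -all"},          # constructed
    "attacker.example": {"spf": "v=spf1 ip4:203.0.113.200 -all"},    # constructed
}


def parse_tags(txt):
    """Split DMARC 'k=v; k=v' syntax into a dict."""
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)


def spf_check(ip, domain):
    """Minimal SPF evaluator for the mechanisms in ftc.gov's record:
    ip4, mx, include and the all terminator. No record -> 'none'."""
    record = DNS.get(domain, {}).get("spf")
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "mx":
            if ip in DNS[domain].get("mx_ips", []):
                return "pass"
        elif term.startswith("include:"):
            if spf_check(ip, term[len("include:"):]) == "pass":
                return "pass"
        elif term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: equal to, or a subdomain of, the From: domain
    (real receivers derive the organizational domain via the Public Suffix List)."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_disposition(msg, sample=0):
    """Return 'pass', 'reject', 'quarantine' or 'none' for one message.

    msg keys: source_ip, mail_from (RFC5321 envelope sender), header_from
    (RFC5322 From:), dkim (None, or {'d': signing domain, 'valid': bool}).
    sample is the 0-99 value a receiver draws to honour pct= sampling."""
    from_domain = msg["header_from"].rsplit("@", 1)[1].lower()
    tags = parse_tags(DNS.get(from_domain, {}).get("dmarc", ""))
    if "p" not in tags:
        return "none"  # the From: domain publishes no policy (the lookalike case)

    spf_domain = msg["mail_from"].rsplit("@", 1)[1].lower()
    spf_ok = spf_check(msg["source_ip"], spf_domain) == "pass" and aligned(spf_domain, from_domain)
    dkim = msg["dkim"]
    dkim_ok = bool(dkim) and dkim["valid"] and aligned(dkim["d"].lower(), from_domain)
    if spf_ok or dkim_ok:
        return "pass"

    policy = tags["p"]
    if sample >= int(tags.get("pct", "100")):
        # Messages outside the pct sample get the next less severe policy (RFC 7489 6.6.4);
        # with pct=100 this branch never fires.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


# Constructed messages, one per path through the check.
SPOOF_DIRECT = {"source_ip": "203.0.113.200", "mail_from": "x@ftc.gov",
                "header_from": "consumer@ftc.gov", "dkim": None}
SPOOF_OWN_ENVELOPE = {"source_ip": "203.0.113.200", "mail_from": "b@attacker.example",
                      "header_from": "consumer@ftc.gov", "dkim": None}
LEGIT_VIA_INCLUDE = {"source_ip": "198.51.100.7", "mail_from": "noreply@ftc.gov",
                     "header_from": "noreply@ftc.gov", "dkim": None}
LEGIT_FORWARDED = {"source_ip": "192.0.2.99", "mail_from": "fwd@forwarder.example",
                   "header_from": "noreply@ftc.gov", "dkim": {"d": "ftc.gov", "valid": True}}
LOOKALIKE = {"source_ip": "203.0.113.200", "mail_from": "x@ftc-gov.com",
             "header_from": "consumer@ftc-gov.com", "dkim": None}

if __name__ == "__main__":
    for name, m in [("direct spoof", SPOOF_DIRECT), ("attacker envelope", SPOOF_OWN_ENVELOPE),
                    ("legit via include", LEGIT_VIA_INCLUDE), ("legit forwarded", LEGIT_FORWARDED),
                    ("lookalike domain", LOOKALIKE)]:
        print(f"{name:18} -> {dmarc_disposition(m)}")
```

The second spoof case is the one SPF alone would miss: the attacker's envelope domain passes its own SPF, but it does not align with the ftc.gov From: header, so DMARC still rejects. The lookalike case returns "none" because ftc.gov's policy never applies to a different domain; that is the residual risk the verdict calls social engineering.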
What we measured
- DMARC policy: p=reject (Enforced). DMARC at p=reject with pct=100, published as the TXT record at _dmarc.ftc.gov. Mail failing DMARC is rejected by receivers that enforce the policy.
- SPF posture: -all (Enforced). The record ends in -all (hardfail), so receivers treat mail from IPs outside the policy as a hard failure. Record: v=spf1 mx include:spf1.ftc.gov include:spf2.ftc.gov -all
- DKIM presence: found at 1 selector (Enforced). Public key published at selector1._domainkey.ftc.gov.
- MTA-STS (transport): missing (Open). No MTA-STS policy, so sending MTAs cannot verify ftc.gov's MX hosts or require TLS; inbound mail can be redirected or downgraded to cleartext by an attacker who controls DNS answers or the path.
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode (a TXT record at _mta-sts.ftc.gov pointing to a policy file served at https://mta-sts.ftc.gov/.well-known/mta-sts.txt) together with a TLS-RPT record at _smtp._tls.ftc.gov so that sending MTAs report TLS and MX-mismatch failures. Deploy with mode: testing first and read the TLS-RPT reports before switching to enforce, because an incomplete mx: list in enforce mode causes compliant senders to refuse delivery of legitimate mail.
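What a sending MTA does with such a policy, shown as an added example rather than code from the original report: the policy text, the MX host names and the TLS-RPT address are constructed (the report does not list ftc.gov's MX hosts), and the record syntax follows RFC 8461 (MTA-STS) and RFC 8460 (TLS-RPT). The evaluator contrasts the current state (no policy, opportunistic TLS) with testing and enforce modes.

```python
"""MTA-STS policy evaluation, the control the report lists as missing for ftc.gov.

Added illustration, not code from the original report. Host names, the policy
text and the reporting address are CONSTRUCTED; syntax per RFC 8461 / RFC 8460.
"""

# What publishing MTA-STS looks like (values constructed):
#   _mta-sts.ftc.gov.   TXT "v=STSv1; id=20240101T000000"
#   https://mta-sts.ftc.gov/.well-known/mta-sts.txt   -> POLICY_TEXT below
#   _smtp._tls.ftc.gov. TXT "v=TLSRPTv1; rua=mailto:tlsrpt@ftc.gov"

POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail1.example-mx.net
mx: *.example-mx.net
max_age: 604800
"""


def parse_policy(text):
    """Parse the 'key: value' lines of an MTA-STS policy; mx may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 section 4.1: a leading '*.' matches exactly one leftmost label."""
    host = host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def decide_delivery(policy, mx_host, tls_ok):
    """What a sending MTA does with one candidate MX. Returns (deliver, reason).

    policy is None when no MTA-STS policy is published (ftc.gov today).
    tls_ok means STARTTLS succeeded with a certificate valid for mx_host."""
    if policy is None:
        # Opportunistic STARTTLS only: a spoofed MX or a stripped STARTTLS goes unnoticed.
        return True, "no MTA-STS policy: opportunistic TLS, MX taken from DNS as-is"
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if listed and tls_ok:
        return True, "MX in policy and certificate-validated TLS"
    problem = "MX not in policy" if not listed else "TLS unavailable or certificate invalid"
    if policy["mode"] == "enforce":
        return False, f"{problem}: refuse to deliver (failure reported via TLS-RPT)"
    return True, f"{problem}: delivered anyway, mode={policy['mode']} (report only)"


if __name__ == "__main__":
    enforce = parse_policy(POLICY_TEXT)
    testing = parse_policy(POLICY_TEXT.replace("mode: enforce", "mode: testing"))
    cases = [
        ("no policy, DNS-spoofed MX, no TLS", None, "mx.attacker.example", False),
        ("testing, DNS-spoofed MX", testing, "mx.attacker.example", True),
        ("enforce, DNS-spoofed MX", enforce, "mx.attacker.example", True),
        ("enforce, listed MX, STARTTLS stripped", enforce, "mail1.example-mx.net", False),
        ("enforce, wildcard MX, good TLS", enforce, "mx2.example-mx.net", True),
    ]
    for name, pol, host, tls in cases:
        deliver, why = decide_delivery(pol, host, tls)
        print(f"{name:40} -> {'deliver' if deliver else 'refuse'}: {why}")
```

The wildcard rule matters for the deployment caveat above: `*.example-mx.net` covers `mx2.example-mx.net` but not `a.b.example-mx.net`, so an MX two labels deep that is left out of the list is refused once the mode is enforce.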