No - gov.uk is not practically spoofable.

• ✓DMARC p=reject (strict alignment): DMARC policy is set to reject, not quarantine. Alignment is strict on both DKIM and SPF (adkim=s, aspf=s), meaning emails must pass authentication checks under the exact domain—no subdomain tricks. Any misalignment is rejected outright.
• ✓SPF -all (hardfail): SPF uses explicit hardfail (-all), meaning only servers listed in the SPF record are authorised to send mail from gov.uk. Any other source fails hard; there is no fallback or softfail escape hatch.
• ✓DKIM at 20+ selectors: GOV.UK maintains at least 20 active DKIM selector pairs (default, s1–s2, k1–k2, fm1–fm3, sib, google, sendgrid, mandrill, protonmail, mxomail, mxvault). This breadth suggests multiple legitimate senders across government services and suppliers, all properly authenticated.
• ·MTA-STS missing: MTA-STS is not deployed. This signals don't affect inbound spoofing risk, only outbound mail security (preventing downgrade attacks on gov.uk's own outbound connections). DMARC + SPF + DKIM already seal the inbound spoofing door.

Bottom line: GOV.UK is a textbook example of responsible email authentication and represents the gold standard most organisations should aim for.