Spoofability verdict for hp.com
No - hp.com is not practically spoofable.
HP has built a fortress around hp.com with a hard DMARC reject policy at 100% enforcement—the gold standard for email authentication. This is how a major tech company should defend its domain.
- DMARC p=reject at 100%: Any email claiming to be from hp.com that fails DMARC authentication will be rejected outright by receiving mail servers. The 100% enforcement percentage means no exceptions—this applies to every single outbound message.
- SPF with ~all (softfail): HP's SPF record includes multiple legitimate senders (Salesforce, Mimecast, Outlook, Mandrill) and hardcoded IPs, which is correct for a distributed organisation. The ~all (softfail) qualifier is technically permissive, but the DMARC reject policy overrides it—softfail becomes irrelevant when DMARC rejects non-aligned mail.
- DKIM at 5 active selectors: HP publishes keys across multiple selectors (google, s1, mandrill, k1, s2), which is typical for organisations with diverse sending infrastructure. DKIM signatures tied to these selectors will pass alignment checks required by DMARC.
- MTA-STS missing: HP does not publish MTA-STS (a policy that forces TLS for inbound mail). This is a missed hardening step but not critical—it protects against downgrade attacks on inbound delivery, which is less common than spoofing outbound mail.
What this means practically
An attacker cannot practically spoof hp.com. Forged emails will fail DMARC alignment and be rejected by any receiving mail server that enforces DMARC policy (Gmail, Microsoft 365, most enterprise systems, and increasingly smaller ISPs). There is no practical workaround: the softfail SPF doesn't lower the bar because DMARC reject takes precedence. Even a compromised third-party sender (like a vendor using Salesforce) must sign with a valid DKIM key or fail DMARC checks.
Bottom line: hp.com is properly defended; p=reject at 100% with aligned DKIM is the right configuration for a brand that needs to prevent impersonation.
What we measured
| Status | Check | Value | Note |
| --- | --- | --- | --- |
| Enforced | DMARC policy | p=reject | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP. |
| Partial | SPF posture | ~all (softfail) | SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. |
| Enforced | DKIM presence | found at 5 selectors | DKIM key found at selectors: k1, google, s2, mandrill, s1. |
| Open | MTA-STS (transport) | missing | No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade. |

Published SPF record:

v=spf1 mx include:_spf.hp.com include:_spf.salesforce.com include:us._netblocks.mimecast.com include:spf.protection.outlook.com include:standardregisterSPF.smtp.com ip4:205.219.85.237 ip4:74.209.251.23 ip4:198.245.88.159 ip4:198.245.88.160 ip4:198.245.88.161 ip4:198.245.88.162 ~all
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
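The following is an added example, not the scanner's own code, that reproduces the posture logic used in the measurements above (Enforced / Partial / Open for SPF and DMARC) and generates the two hardening artifacts from the list: the SPF record with ~all tightened to -all, and an MTA-STS policy in enforce mode with its companion DNS TXT records (including TLS-RPT). The SPF record is the one quoted on the page for hp.com; the DMARC record text, the MX hostnames, the report mailbox and the policy id are constructed placeholders, since the page reports only p=reject and pct=100 and publishes no MTA-STS details.

```python
"""Posture check for SPF / DMARC and hardening artifacts (MTA-STS, TLS-RPT).

Added example; not the scanner's code. HP_SPF is the record quoted on the
page; HP_DMARC and every example.invalid value below are constructed.
"""

# SPF record published for hp.com, as quoted on the page.
HP_SPF = (
    "v=spf1 mx include:_spf.hp.com include:_spf.salesforce.com "
    "include:us._netblocks.mimecast.com include:spf.protection.outlook.com "
    "include:standardregisterSPF.smtp.com ip4:205.219.85.237 ip4:74.209.251.23 "
    "ip4:198.245.88.159 ip4:198.245.88.160 ip4:198.245.88.161 ip4:198.245.88.162 ~all"
)

# Constructed DMARC record matching what the page reports (p=reject, pct=100).
HP_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"

QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into mechanisms, modifiers and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers, all_qualifier = [], {}, None
    for term in terms[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) use '=' and carry no qualifier
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, name.lower(), arg))
    return {"mechanisms": mechanisms, "modifiers": modifiers, "all": all_qualifier}


def spf_posture(record):
    """Enforced only for -all; ~all is Partial; +all, ?all or no 'all' term is Open."""
    qualifier = parse_spf(record)["all"]
    if qualifier == "-":
        return "Enforced"
    if qualifier == "~":
        return "Partial"
    return "Open"


def tighten_spf(record):
    """Hardening step 1: replace a trailing ~all with -all (leave -all alone)."""
    terms = record.split()
    if terms and terms[-1].lower() == "~all":
        terms[-1] = "-all"
    return " ".join(terms)


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict; pct defaults to 100 when absent."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def dmarc_posture(record):
    """Enforced = p=reject at pct=100; any other reject/quarantine is Partial."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    if policy == "reject" and tags["pct"] == 100:
        return "Enforced"
    if policy in ("reject", "quarantine"):
        return "Partial"
    return "Open"


def spoofability_verdict(spf_record, dmarc_record):
    """Mirror the page's reasoning: an enforced DMARC reject makes the SPF qualifier moot."""
    if dmarc_posture(dmarc_record) == "Enforced":
        return "not practically spoofable"
    if spf_posture(spf_record) == "Enforced":
        return "partially protected (SPF hardfail without enforced DMARC)"
    return "practically spoofable"


def mta_sts_artifacts(domain, mx_hosts, policy_id, report_mailbox, max_age=604800):
    """Hardening step 2: MTA-STS policy in enforce mode plus the two DNS TXT records."""
    policy = ["version: STSv1", "mode: enforce"]
    policy += ["mx: %s" % host for host in mx_hosts]
    policy.append("max_age: %d" % max_age)
    return {
        "https://mta-sts.%s/.well-known/mta-sts.txt" % domain: "\n".join(policy) + "\n",
        "_mta-sts.%s TXT" % domain: "v=STSv1; id=%s" % policy_id,
        "_smtp._tls.%s TXT" % domain: "v=TLSRPTv1; rua=mailto:%s" % report_mailbox,
    }


if __name__ == "__main__":
    print("SPF:", spf_posture(HP_SPF), "| DMARC:", dmarc_posture(HP_DMARC))
    print("Verdict:", spoofability_verdict(HP_SPF, HP_DMARC))
    print("Tightened SPF:", tighten_spf(HP_SPF))
    for name, value in mta_sts_artifacts(
        "example.invalid", ["mx1.example.invalid"], "20240101", "tlsrpt@example.invalid"
    ).items():
        print(name, "->", value)
```

The verdict function deliberately keys on DMARC alone, which is the argument the page makes: with p=reject at pct=100, a softfail SPF does not lower the bar, because unaligned mail is rejected regardless of the SPF qualifier. The MTA-STS builder emits the policy file body that must be served over HTTPS at the .well-known path, the `_mta-sts` TXT record whose `id` must change whenever the policy changes, and the `_smtp._tls` TLS-RPT record that receives failure reports.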