Spoofability verdict for hsbc.com
No - hsbc.com is not practically spoofable.
HSBC has built a tight email authentication posture with reject-mode DMARC, leaving little room for attackers to impersonate the bank's official domain. This is the gold standard for financial institutions and matches what you'd expect from a global lender serious about protecting its brand.
- DMARC policy=reject (fully enforced): HSBC's DMARC policy tells receivers to reject messages that fail DMARC, meaning they carry neither an aligned SPF pass nor an aligned, valid DKIM signature, with no sampling exception (pct defaults to 100 when the tag is absent). Any email claiming to be from hsbc.com that does not pass authentication is blocked by receivers that honour the policy, including Gmail, Outlook and Yahoo. This is the strongest DMARC stance available and makes spoofing hostile territory.
- SPF softfail (~all, partial strictness): SPF ends in ~all (softfail) rather than -all (hardfail), so a receiver evaluating SPF on its own is told to accept but mark mail from unauthorized senders rather than reject it. In practice this is secondary, because DMARC treats a softfail the same as a fail (neither is an SPF pass), so the reject policy still applies. The record lists six include: mechanisms, indicating HSBC mail routes through multiple third-party systems.
- DKIM found (google selector, enforced): HSBC signs outbound mail with DKIM; the 'google' selector was detected, suggesting third-party mail handling. DKIM signatures are cryptographically verified and cannot be forged without the private key, making them attack-resistant by design.
- MTA-STS missing: MTA-STS lets a domain require TLS for inbound SMTP and protects mail in transit against STARTTLS stripping and MX downgrade. HSBC hasn't deployed it. This is a transport-security gap rather than a spoofing gap, so it is minor for this verdict: DMARC policy=reject already covers impersonation at the receiver end.
What this means practically
An attacker attempting to send mail from hsbc.com will find that Gmail, Outlook, Yahoo, and other major mailbox providers reject the message on arrival unless it carries an aligned SPF pass or a valid aligned DKIM signature, which requires either compromising HSBC's mail infrastructure (including its DKIM signing key) or subverting the DNS records receivers consult. In practice, such campaigns target HSBC customers via lookalike domains (hsbc-update.com, hsbc-confirm.com) instead, because impersonating hsbc.com directly is an uphill battle.
Context for HSBC
Financial institutions like HSBC face high spoofing pressure because email impersonation is a vector for credential theft and fraud. HSBC's reject-mode posture is appropriate and expected; anything weaker would be a red flag for a bank of this scale.
Bottom line: HSBC has implemented the strongest practical email authentication standard for a financial institution—reject-mode DMARC with DKIM signing—making direct domain spoofing impractical against modern mailbox providers.
What we measured
- DMARC policy: p=reject (Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: ~all (softfail) (Partial). SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record:
  v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com include:spf-00299f02.pphosted.com include:spf1.hsbc.com include:spf2.hsbc.com include:spf3.hsbc.com include:spf-002f0603.pphosted.com ~all
- DKIM presence: found at 1 selector (Enforced). DKIM key found at selector: google.
- MTA-STS (transport): missing (Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
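To show how the Enforced / Partial / Open labels above are derived from the raw TXT records, here is an added example (not the scanner's own code) that parses the SPF record quoted for hsbc.com and a constructed DMARC record. The SPF parser also counts the include: mechanisms against the 10-lookup limit from RFC 7208, which a practitioner should check before tightening to -all, because a record that exceeds the limit evaluates to permerror and protects nothing. The DMARC record string is a constructed sample; the page only reports p=reject.

```python
"""Parse SPF and DMARC TXT records and grade them with the same
Enforced / Partial / Open labels the report uses. Added example;
not the scanner's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The SPF record quoted in the report for hsbc.com.
HSBC_SPF = (
    "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com "
    "include:spf-00299f02.pphosted.com include:spf1.hsbc.com "
    "include:spf2.hsbc.com include:spf3.hsbc.com "
    "include:spf-002f0603.pphosted.com ~all"
)

# Constructed sample: the report says p=reject but does not quote the record.
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"

# Terms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class SpfSummary:
    version_ok: bool
    all_qualifier: Optional[str] = None       # result for senders not listed
    lookup_count: int = 0                     # top-level only; nested includes add more
    includes: List[str] = field(default_factory=list)
    uses_macros: bool = False                 # %{...} macros expand per message


def parse_spf(record: str) -> SpfSummary:
    terms = record.split()
    summary = SpfSummary(version_ok=bool(terms) and terms[0].lower() == "v=spf1")
    for term in terms[1:]:
        if "=" in term:                       # modifier: redirect=..., exp=...
            if term.split("=", 1)[0].lower() in LOOKUP_TERMS:
                summary.lookup_count += 1
            continue
        qualifier = "+"                       # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/", 1)[0].lower()  # drop CIDR suffixes such as a/24
        if name == "all":
            summary.all_qualifier = QUALIFIERS[qualifier]
        elif name in LOOKUP_TERMS:
            summary.lookup_count += 1
            if name == "include":
                summary.includes.append(arg)
                summary.uses_macros |= "%{" in arg
    return summary


def parse_dmarc(record: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # Defaults from RFC 7489 when the tag is absent.
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def grade_spf(s: SpfSummary) -> str:
    # Over the lookup limit the record evaluates to permerror, i.e. no protection.
    if not s.version_ok or s.all_qualifier is None or s.lookup_count > 10:
        return "Open"
    return {"fail": "Enforced", "softfail": "Partial"}.get(s.all_qualifier, "Open")


def grade_dmarc(tags: Dict[str, str]) -> str:
    if tags.get("v", "").upper() != "DMARC1":
        return "Open"
    if tags.get("p") == "reject" and tags["pct"] == "100":
        return "Enforced"
    return "Partial" if tags.get("p") in ("reject", "quarantine") else "Open"


if __name__ == "__main__":
    spf = parse_spf(HSBC_SPF)
    print("SPF:", grade_spf(spf), spf)
    print("DMARC:", grade_dmarc(parse_dmarc(SAMPLE_DMARC)))
```

Run against the quoted record, the parser reports six top-level includes, a macro-based include (the `%{ir}.%{v}.%{d}` term expands per connecting IP, so its lookup cost can only be measured at evaluation time), and a softfail `all`, which is why the report grades SPF as Partial while DMARC at p=reject is Enforced.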
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorized senders is complete and verified.
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
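The second step above is easy to get wrong: a policy in testing mode, or one whose mx entries do not cover every MX host, gives no downgrade protection. The following added example (not the scanner's or HSBC's code) parses a constructed MTA-STS policy file for a hypothetical domain and checks it against that domain's MX hosts; the DNS records it needs are shown as comments with constructed values.

```python
"""Validate an MTA-STS policy file against a domain's MX hosts.
Added example; not the scanner's own code."""
from typing import Dict, List

# Constructed policy for a hypothetical domain, as it would be served from
# https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail1.example.invalid
mx: *.mx.example.invalid
max_age: 604800
"""

# Constructed MX hosts for the same hypothetical domain.
SAMPLE_MX_HOSTS = ["mail1.example.invalid", "backup.mx.example.invalid"]

# DNS records that accompany the policy (constructed values):
#   _mta-sts.example.invalid   TXT "v=STSv1; id=20240101T000000Z"
#   _smtp._tls.example.invalid TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.invalid"
# The id must change whenever the policy file changes, or senders keep the cached copy.


def parse_policy(text: str) -> Dict[str, object]:
    policy: Dict[str, object] = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError(f"missing required field: {required}")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 matching: '*.example' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, rest = host.partition(".")
        return bool(rest) and rest == pattern[2:]
    return host == pattern


def check_policy(policy: Dict[str, object], mx_hosts: List[str]) -> List[str]:
    """Return findings; an empty list means the policy is ready for enforce mode."""
    findings: List[str] = []
    if policy["version"] != "STSv1":
        findings.append("version must be STSv1")
    if policy["mode"] != "enforce":
        findings.append(f"mode is {policy['mode']!r}; only enforce blocks downgrades")
    try:
        if not 0 < int(policy["max_age"]) <= 31557600:
            findings.append("max_age must be between 1 and 31557600 seconds")
    except ValueError:
        findings.append("max_age is not an integer")
    if not policy["mx"]:
        findings.append("no mx entries")
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX host {host} is not covered by the policy")
    return findings


if __name__ == "__main__":
    for finding in check_policy(parse_policy(SAMPLE_POLICY), SAMPLE_MX_HOSTS) or ["OK"]:
        print(finding)
```

A sensible rollout is to publish with mode: testing and a TLS-RPT address first, confirm from the reports that every MX host negotiates TLS with a certificate matching the policy, and only then switch to enforce; the checker above flags a testing-mode policy so it is not mistaken for the finished state.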