wiredepth

Spoofability verdict for hyatt.com

No - hyatt.com is not practically spoofable.


Hyatt publishes a straightforward, high-confidence email authentication setup that lets receiving mail servers reject nearly all direct impersonation of the hyatt.com domain. The three core signals agree with each other: DMARC in reject mode, SPF with hardfail, and DKIM keys published at several selectors.

  • DMARC policy=reject (100% enforcement): Any message carrying hyatt.com in the visible From: header that fails DMARC (no aligned SPF pass and no aligned DKIM pass) is rejected outright by enforcing receivers, and pct=100 means the policy applies to every such message rather than a sampled share. There is no fallback to quarantine or the spam folder; reject is the strongest policy DMARC offers.
  • SPF hardfail (-all): SPF ends in -all, so a sending IP that does not resolve through Hyatt's include (a macro-based include on pphosted.com) gets a hard fail for the envelope MAIL FROM domain. SPF by itself only judges the envelope sender; it is DMARC's alignment rule that ties that result to the From: header the recipient actually sees.
  • DKIM with 5 published selectors: Public keys were found at selectors k1, k2, s1, s2 and mail. A signature with d=hyatt.com that verifies against one of these keys proves that a holder of the matching private key signed the message, which an attacker cannot produce without that key. Several selectors usually reflect key rotation or more than one sending system; a key being published does not by itself say which selectors are in use, and what matters for DMARC is that legitimate mail carries a verifying, aligned signature.
  • MTA-STS missing: MTA-STS tells sending servers to require TLS with a valid certificate and to deliver only to the MX hosts named in a published policy, which defeats STARTTLS stripping and forged MX answers against mail sent to hyatt.com. Hyatt does not publish a policy. This is a transport control for inbound mail, not a sender-authentication control, so it does not change the spoofability verdict; DMARC+SPF+DKIM already answer that question.

What this means practically

An attacker sending mail with hyatt.com in the visible From: header will be rejected by any receiver that enforces DMARC, which includes Gmail, Outlook and most enterprise gateways (SPF on its own only judges the envelope sender; it is DMARC's alignment rule that ties SPF and DKIM results to the From: header). Mail that reaches an inbox with that sender will either be genuinely from Hyatt or from a third-party sender Hyatt has explicitly authorised in SPF or issued a DKIM key. The practical ways around this are to compromise Hyatt's own mail infrastructure, its pphosted.com provider or one of those authorised senders, a far higher bar than guessing an address and forging a message. DMARC does not cover registered look-alike domains, display-name impersonation from an unrelated domain, or receivers that do not evaluate DMARC at all; those remain the residual phishing risk and sit outside what this check measures.

Bottom line: Hyatt's email authentication is belt-and-suspenders. DMARC reject, SPF hardfail and multi-selector DKIM together make forging the hyatt.com From: address practically infeasible for a remote attacker.
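To make the alignment point concrete, the following is an added example (not part of the wiredepth report and not Hyatt's code) of how an enforcing receiver turns the signals above into a DMARC verdict. The _dmarc.hyatt.com record is modelled from the report's facts (p=reject, pct=100); the rua tag, the second record for a hypothetical rollout.example domain, and the sample messages are constructed assumptions.

```python
# Added example: DMARC evaluation with identifier alignment (RFC 7489).
# DNS records, domains and messages below are constructed for illustration.
from dataclasses import dataclass, field

# Constructed "DNS": TXT records a receiver would fetch. hyatt.com mirrors the
# report (p=reject, pct=100); rollout.example is a hypothetical domain that is
# only half-way through enforcement, to show what pct<100 does.
DNS_TXT = {
    "_dmarc.hyatt.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hyatt.com",
    "_dmarc.rollout.example": "v=DMARC1; p=reject; pct=50",
}

def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags["pct"] = int(tags["pct"])
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    Real receivers consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def lookup_policy(from_domain: str):
    """Exact record first, then the organisational domain's record
    (this is how DMARC covers subdomains that publish no record of their own)."""
    for name in (from_domain, org_domain(from_domain)):
        rec = DNS_TXT.get("_dmarc." + name.lower())
        if rec:
            return name.lower(), parse_dmarc(rec)
    return None, None

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict = exact match, relaxed = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str                 # domain of the visible From: header
    mail_from: str                   # envelope MAIL FROM (Return-Path) domain
    spf_result: str                  # SPF result for mail_from: pass/fail/none
    dkim_pass_domains: list = field(default_factory=list)  # d= of verifying sigs

def dmarc_verdict(msg: Message, sample: int = 0) -> str:
    """Return pass / reject / quarantine / none, or 'no-policy' when the
    From: domain publishes no DMARC record (e.g. a look-alike domain).
    `sample` in [0,100) stands in for the receiver's pct sampling roll."""
    policy_domain, policy = lookup_policy(msg.header_from)
    if policy is None:
        return "no-policy"
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, policy["aspf"])
    dkim_ok = any(aligned(d, msg.header_from, policy["adkim"]) for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = msg.header_from.lower() != policy_domain
    action = (policy["sp"] or policy["p"]) if is_subdomain else policy["p"]
    if sample >= policy["pct"]:          # outside the sampled share: one step softer
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return action

# Constructed scenarios illustrating the report's claims.
SCENARIOS = {
    # Genuine mail: a DKIM signature with d=hyatt.com verifies, aligns, passes.
    "legit_dkim": Message("hyatt.com", "bounce.hyatt.com", "pass", ["hyatt.com"]),
    # Forged From: hyatt.com from an unrelated IP: SPF fails, no signature.
    "forged_from": Message("hyatt.com", "attacker.example", "fail", []),
    # Attacker's own domain passes SPF and DKIM but does not align with From:.
    "misaligned_pass": Message("hyatt.com", "attacker.example", "pass", ["attacker.example"]),
    # Look-alike domain: DMARC has nothing to say; this is the residual risk.
    "lookalike": Message("hyatt-offers.example", "hyatt-offers.example", "pass", []),
}

def run_all() -> dict:
    return {name: dmarc_verdict(m) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:16} -> {verdict}")
```

The misaligned_pass case is the one worth remembering: an attacker can always make SPF and DKIM pass for a domain they control, so the check that actually protects hyatt.com is alignment with the From: header, which is why the report's three signals only count together.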

What we measured

[Enforced] DMARC policy: p=reject
  DMARC at p=reject (pct=100). Mail that fails DMARC is rejected by enforcing receivers, typically during the SMTP transaction.

[Enforced] SPF posture: -all (hardfail)
  SPF ends in -all (hardfail): receivers treat mail from IPs the policy does not authorise as a hard fail. The include is macro-based, so the name a receiver queries depends on the sending IP (%{ir}, the address with its labels reversed), the address family (%{v}: in-addr or ip6) and the domain (%{d}); the provider then answers per IP, which keeps the record within SPF's DNS lookup limit. The record is:
  v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all
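Macro records are easy to misread, so here is an added example (not from the wiredepth report or from Hyatt) that expands the RFC 7208 macros in this record and shows which DNS name a receiver actually looks up for a given sending IP. It covers the macro letters the record uses plus the other common ones (s, l, o, i, h) with the digit and r transformers; the sending IPs, sender address and HELO name are constructed.

```python
# Added example: SPF macro expansion (RFC 7208 section 7). Record copied from
# the report; IPs, sender and HELO are constructed inputs.
import ipaddress
import re

SPF_RECORD = "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all"

# %{letter digits r delimiters} or the literal escapes %% %_ %-
# (lowercase letters only; uppercase means URL-encode, not needed here).
MACRO_RE = re.compile(r"%\{([slodivh])(\d*)(r?)([.\-+,/_=]*)\}|%([%_-])")

def ip_macro(ip: str) -> tuple:
    """Return (%{i}, %{v}) for an address: dotted quad and 'in-addr' for
    IPv4; dot-separated nibbles and 'ip6' for IPv6 (RFC 7208 7.3)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr), "in-addr"
    return ".".join(addr.exploded.replace(":", "")), "ip6"

def expand_macros(text: str, domain: str, ip: str, sender: str, helo: str) -> str:
    """Expand macros in one SPF term. domain is the domain being checked,
    sender the MAIL FROM address, helo the HELO/EHLO name."""
    i_val, v_val = ip_macro(ip)
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": i_val, "v": v_val, "h": helo}

    def repl(m):
        if m.group(5) is not None:
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, digits, reverse, delims = m.group(1, 2, 3, 4)
        # split on the delimiter set (default '.'), reverse if 'r',
        # then keep the rightmost N labels if a digit is given; rejoin with '.'
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, text)

def expanded_terms(record: str, domain: str, ip: str, sender: str, helo: str) -> list:
    """Split an SPF record into its terms with macros expanded (the version
    tag is dropped). Macros may appear in include:, a:, mx:, exists: and
    redirect= targets; here the include is the interesting one."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return [expand_macros(t, domain, ip, sender, helo) for t in terms[1:]]

if __name__ == "__main__":
    for ip in ("203.0.113.5", "2001:db8::1"):          # constructed sending IPs
        terms = expanded_terms(SPF_RECORD, "hyatt.com", ip,
                               "reservations@hyatt.com", "mail.hyatt.com")
        print(ip, "->", terms[0])
```

For the IPv4 case the receiver ends up fetching the TXT record at 5.113.0.203.in-addr.hyatt.com.spf.has.pphosted.com and evaluating whatever SPF terms it finds there; if that name does not resolve to a passing record, the trailing -all produces the hardfail the report describes.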

[Enforced] DKIM presence: found at 5 selectors
  DKIM public keys found at selectors: k2, k1, s1, mail, s2. A published key shows Hyatt can sign with that selector; which selector a given message used is stated in its DKIM-Signature s= tag, and only a signature that verifies and aligns with the From: domain counts for DMARC.

[Open] MTA-STS (transport): missing
  No MTA-STS policy. Without one, a sending server has no authenticated statement of which MX hosts to use or that TLS is required, so an attacker who can forge MX answers or strip STARTTLS can redirect or read mail in transit. This affects mail sent to hyatt.com, not mail claiming to come from it.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode (a _mta-sts.hyatt.com TXT record of the form v=STSv1; id=... plus the policy file at https://mta-sts.hyatt.com/.well-known/mta-sts.txt listing the permitted MX hosts) and a TLS-RPT record (_smtp._tls.hyatt.com TXT, v=TLSRPTv1; rua=...) so that senders report failed TLS negotiations. Roll it out in mode testing first and watch the TLS-RPT reports before switching to enforce. This closes the transport gap for inbound mail; the spoofability verdict above is already as strong as DMARC allows.
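What this step produces, as an added example (not from the wiredepth report or from Hyatt): the records written out in the form a sending server fetches them, plus the decision an MTA-STS-aware sender makes before delivering. The MX host names, policy id and reporting mailbox are constructed assumptions; only the record formats (RFC 8461 MTA-STS and RFC 8460 TLS-RPT) are real.

```python
# Added example: MTA-STS policy artefacts and the sender-side check.
# Host names, id and mailbox are constructed; record formats follow RFC 8461/8460.

# DNS TXT records (constructed). _mta-sts announces that a policy exists and
# its id must change whenever the policy file changes; _smtp._tls names the
# mailbox that receives TLS-RPT failure reports.
DNS_TXT = {
    "_mta-sts.hyatt.com": "v=STSv1; id=20240601T120000",
    "_smtp._tls.hyatt.com": "v=TLSRPTv1; rua=mailto:tlsrpt@hyatt.com",
}

# Policy body served over HTTPS at https://mta-sts.hyatt.com/.well-known/mta-sts.txt
# (constructed content). The mx lines are the only hosts senders may deliver to;
# senders cache the policy for max_age seconds.
POLICY_FILE = """version: STSv1
mode: enforce
mx: mx1.hyatt.com
mx: *.pphosted.com
max_age: 604800
"""

def parse_policy(text: str) -> dict:
    """Parse the 'key: value' policy body; the mx key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported MTA-STS version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy

def mx_matches(host: str, pattern: str) -> bool:
    """MTA-STS mx matching: exact match, or a leading '*.' that stands for
    exactly one label (same semantics as certificate wildcards)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern

def deliverable(domain: str, mx_host: str, tls_ok: bool,
                dns: dict = DNS_TXT, policy_text: str = POLICY_FILE) -> tuple:
    """Sender-side decision for one MX candidate.
    tls_ok means STARTTLS succeeded and the certificate is valid for mx_host.
    Returns (deliver, reason)."""
    if not dns.get("_mta-sts." + domain, "").startswith("v=STSv1"):
        # hyatt.com today: opportunistic TLS, and any MX the DNS answer names is trusted
        return True, "no MTA-STS policy; opportunistic TLS, MX taken on trust"
    policy = parse_policy(policy_text)
    mx_ok = any(mx_matches(mx_host, p) for p in policy["mx"])
    if policy["mode"] == "none":
        return True, "mode none: policy published but not applied"
    if policy["mode"] == "testing":
        if mx_ok and tls_ok:
            return True, "mode testing: ok"
        return True, "mode testing: delivered anyway, failure reported via TLS-RPT"
    if not mx_ok:
        return False, mx_host + " is not an allowed MX"
    if not tls_ok:
        return False, "policy requires TLS but it was not established"
    return True, "enforce: MX allowed and TLS verified"

if __name__ == "__main__":
    print(deliverable("hyatt.com", "evil.example", False, dns={}))  # today's state
    print(deliverable("hyatt.com", "evil.example", True))            # after step 1
    print(deliverable("hyatt.com", "mx0a-001.pphosted.com", True))
```

The first call is the current hyatt.com posture: with no policy, a sender accepts whatever MX the (unauthenticated) DNS answer gives it and downgrades to plaintext if STARTTLS is stripped. The second shows the same forged MX being refused once the policy is in enforce mode; mode testing keeps delivering but generates the TLS-RPT reports you use to find misconfigured MX hosts before enforcing.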
