wiredepth

Spoofability verdict for kp.org

Yes - kp.org is spoofable today.


Kaiser Permanente's email posture shows the classic pattern of a large health system mid-migration: some of the technical pieces are in place, but the policy layer is completely open. This is the gap that matters.

  • DMARC policy=none (open strictness): No enforcement whatsoever. DMARC tells receiving mail servers how to treat mail that fails SPF/DKIM alignment, but with p=none they are told to take no action beyond sending reports. An attacker can send mail that fails these checks, and it will still land in inboxes.
  • SPF ~all (softfail, partial strictness): Softfail (~all) means 'hosts not listed here are probably not authorised, but accept their mail anyway.' Combined with DMARC p=none, this is a clear signal you're still testing. Mail sent from an IP outside the record will be accepted by most receivers.
  • DKIM s1, s2 (enforced strictness): Two active signing selectors found. DKIM signs the message cryptographically, and if configured correctly upstream (and backed by an enforcing DMARC policy), it can prevent spoofing. This is the one strong piece in this setup.
  • MTA-STS missing (open strictness): No MTA-STS policy published. Without it, SMTP TLS stays opportunistic: an attacker on the path can downgrade the connection to unencrypted SMTP or present an untrusted certificate, and the sending server will deliver anyway. Large senders should publish this to protect the last-mile handoff.

What this means practically

An attacker today can register a domain lookalike (e.g. 'kp-benefits.org') or compromise a less-monitored subdomain, and send mail claiming to be from kp.org. Because DMARC is p=none and SPF is softfail, Gmail, Outlook, and most corporate mail gateways will accept it. It may be flagged as unsigned or suspicious in some clients, but it will land in inboxes—including inboxes of patients, staff, and benefit administrators. The attacker gains the full weight of Kaiser's trusted brand for phishing or fraud.

Context for Kaiser Permanente

Kaiser Permanente is a large, distributed healthcare organisation with many regional senders, subsidiaries, and third-party vendors. This complexity is why many health systems stay at p=none longer than they should. However, healthcare is a high-value target for phishing—especially for benefit scams, account takeover, and credential harvesting. The risk of staying at p=none is real.

Bottom line: Kaiser has the foundation (DKIM selectors are live), but until DMARC moves from p=none to p=quarantine or p=reject, the domain remains spoofable at scale.

What we measured

  • DMARC policy (Open, p=none): DMARC at p=none. Receivers are told NOT to act on auth failures; spoofed mail will not be blocked.
  • SPF posture (Partial, ~all softfail): SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. Published record: v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all
  • DKIM presence (Enforced, found at 2 selectors): DKIM key found at selectors: s2, s1.
  • MTA-STS transport (Open, missing): No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish a DMARC record (kp.org already has one at p=none). Start at p=none with a rua= report destination to gather data, then progress to p=quarantine and p=reject.
  2. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  3. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
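As an added illustration (not part of the report or of the wiredepth tool), the rating rules used above applied to the raw record strings, with the domain's current records beside the versions the three steps produce. Only the SPF line is taken from the report; the DMARC and MTA-STS strings are assumed values, and a live check would fetch the records over DNS instead of embedding them.

```python
import re

# Constructed sample records for a domain in the state the report describes.
# The SPF line is the one shown on the report; the DMARC and MTA-STS strings
# are assumed values, not records fetched from kp.org.
CURRENT = {
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "spf": "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all",
    "dkim_selectors": ["s2", "s1"],
    "mta_sts": None,  # no _mta-sts TXT record published
}
# The same domain after the three remediation steps (assumed values).
HARDENED = {**CURRENT,
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
            "spf": "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all",
            "mta_sts": "v=STSv1; id=20240101T000000"}

def dmarc_strictness(record):
    """Open for a missing record or p=none; Enforced for p=quarantine or p=reject."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "Open"
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    return "Enforced" if tags.get("p", "none").lower() in ("quarantine", "reject") else "Open"

def spf_strictness(record):
    """Rated by the terminal 'all' qualifier: -all Enforced, ~all Partial, else Open."""
    if not record or not record.lower().startswith("v=spf1"):
        return "Open"
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    qualifier = match.group(1) if match else "+"  # no 'all' term behaves like +all
    return {"-": "Enforced", "~": "Partial"}.get(qualifier, "Open")

def posture(dns):
    """Return the per-check ratings plus the verdict the report derives from them."""
    checks = {
        "DMARC policy": dmarc_strictness(dns.get("dmarc")),
        "SPF posture": spf_strictness(dns.get("spf")),
        "DKIM presence": "Enforced" if dns.get("dkim_selectors") else "Open",
        # The TXT record only shows MTA-STS exists; mode=enforce lives in the HTTPS policy file.
        "MTA-STS (transport)": "Enforced" if dns.get("mta_sts") else "Open",
    }
    # The report's rule: until DMARC is enforced, receivers are told not to act
    # on SPF/DKIM failures, so the domain stays spoofable whatever SPF/DKIM say.
    checks["spoofable"] = checks["DMARC policy"] != "Enforced"
    return checks

if __name__ == "__main__":
    for name, dns in (("current", CURRENT), ("hardened", HARDENED)):
        print(name, posture(dns))
```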
