Spoofability verdict for lufthansa.com
No - lufthansa.com is not practically spoofable.
Lufthansa has implemented the gold standard for email authentication: a hard reject DMARC policy backed by SPF enforcement. This is how large organisations protect their domain from being easily spoofed.
- DMARC p=reject (enforced): Any email claiming to be from lufthansa.com that fails DMARC authentication is rejected outright by receiving mail servers. This is the strongest possible DMARC policy and makes spoofing extremely difficult.
- SPF -all hardfail (enforced): SPF lists all legitimate Lufthansa mail servers (including MX records, direct IPs, and third-party senders like Amazon SES and Amadeus) then denies all others with -all. Any email from an unauthorised server will fail SPF authentication.
- DKIM (no selectors found): We didn't detect DKIM keys on common selector names, though Lufthansa may use custom selectors. DKIM isn't strictly needed given their p=reject DMARC—SPF and DMARC together are sufficient for this threat model.
- MTA-STS (not deployed): MTA-STS enforces encrypted connections to mail servers and prevents downgrade attacks. It's a nice-to-have for organisations already running p=reject, but not essential for spoofing prevention.
What this means practically
An attacker cannot practically send mail that will arrive in users' inboxes claiming to be from lufthansa.com. If they try, Gmail, Outlook, and other major providers will reject the message at SMTP time because it fails both SPF and DMARC. This applies whether the attacker spoofs the header, uses a lookalike domain, or compromises an external sender—Lufthansa's SPF list is comprehensive and denies everything else.
Bottom line: Lufthansa has eliminated the spoofability risk for their domain; this is what a mature, well-defended organisation looks like.
What we measured
- DMARC policy (Enforced): p=reject. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture (Enforced): -all (hardfail). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
  v=spf1 mx ip4:129.35.195.69 ip4:129.35.195.68 ip4:129.35.195.132 ip4:129.35.195.133 ip4:84.17.165.165 ip4:84.17.165.167 ip4:194.31.6.64/28 ip4:52.157.235.82 ip4:80.72.142.246 ip4:80.77.215.176/28 ip4:84.17.184.240/28 ip4:84.17.190.192/26 include:spf.ecentry.io include:amazonses.com include:_relay.amadeus.com include:_spf.lufthansa.com -all
- DKIM presence (Open): no key found at common selectors. No DKIM key found at any of the 22 common selectors. (Your domain may publish a DKIM key at a less-common selector - this is a heuristic, not exhaustive.)
- MTA-STS (transport) (Open): missing. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list - that's fine, but worth verifying with your mail provider.
- Publish an MTA-STS policy in enforce mode, together with a TLS-RPT reporting endpoint.