Spoofability verdict for macys.com
No - macys.com is not practically spoofable.
Macy's has implemented strong DMARC and DKIM protections that make spoofing email from their domain difficult in practice. The domain is a straightforward case of well-configured fundamentals that work.
- DMARC p=reject: DMARC is set to reject unauthenticated mail, with no alignment flexibility. This is the strongest policy and stops most spoofed mail at recipient servers before it reaches inboxes.
- SPF with ~all (softfail): SPF includes multiple legitimate sending IP ranges and third-party mailers (Outlook, Mailgun, Greenhouse), but ends with softfail instead of hardfail. Combined with p=reject DMARC, this still protects well, but softfail alone would be weaker.
- DKIM at 3 selectors (k2, s2, s1): Multiple active DKIM signing keys reduce the window of opportunity for key reuse attacks and show continuous rotation practice. All signed mail can be cryptographically verified.
- MTA-STS missing: No MTA-STS policy means the SMTP hop between mail servers isn't guaranteed to be encrypted or authenticated. However, this doesn't affect spoofing resistance; it's a separate transport security concern.
What this means practically
An attacker cannot realistically spoof a Macy's email and have it delivered past most inbox filters. Gmail, Microsoft 365, and other major providers will reject or heavily penalise unsigned mail or mail that fails SPF/DKIM checks. The attacker would need either the private DKIM key (cryptographically infeasible), control of one of Macy's authorised sending IPs (requires network access), or a misconfiguration in Macy's domain records; none of these is realistic given the current setup.
Bottom line: Macy's has moved from spoofable to protected. DMARC at p=reject, enforced DKIM signatures and multiple valid SPF ranges make this domain a hard target for email forgery.
What we measured

| Status | Check | Result | Detail |
|---|---|---|---|
| Enforced | DMARC policy | p=reject | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP. |
| Partial | SPF posture | ~all (softfail) | SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced. |
| Enforced | DKIM presence | found at 3 selectors | DKIM key found at selectors: s2, s1, k2. |
| Open | MTA-STS (transport) | missing | No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade. |

Published SPF record:
v=spf1 mx ip4:208.15.91.0/24 ip4:208.15.90.0/24 ip4:204.214.48.37 ip4:69.25.227.128/25 ip4:74.217.49.0/25 include:spf-0009cc01.pphosted.com include:mg-spf.greenhouse.io include:spf-a.rnmk.com include:spf.protection.outlook.com include:mailgun.org ~all
How to make it un-spoofable
- Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorised senders is confirmed complete.
- Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.