Spoofability verdict for marriott.com
No - marriott.com is not practically spoofable.
Marriott has assembled a textbook-strong email authentication posture: DMARC reject at 100%, enforced SPF hardfail, and multiple active DKIM selectors. This is how a large travel brand should protect its identity.
- DMARC policy=reject at 100%: A reject policy applied to all mail (pct=100) means receivers will discard any message claiming to be from marriott.com that fails DMARC checks. This is the strongest available posture, and because no fraction of failing mail is exempted from the policy, there is no sampled remainder that a receiver would still deliver.
- SPF hardfail (-all): SPF rule ends with -all (explicit hardfail), meaning any mail server not explicitly listed in the SPF record will fail authentication. Marriott has also enumerated a substantial whitelist including internal IPs, Outlook, Zendesk, ServiceNow, and third-party payment providers, covering their legitimate outbound channels.
- DKIM at 5 selectors: Multiple selector keys (k2, selector2, s1, s2, selector1) found across the domain allow Marriott to rotate signing keys and maintain continuous authentication coverage across different sending systems and campaigns.
- MTA-STS missing: MTA-STS would enforce encrypted SMTP delivery to prevent on-path interception of inbound mail. Its absence is a minor gap for a brand of this scale, but the strong DMARC and SPF already block domain spoofing; MTA-STS mainly adds transport security.
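As an added illustration (not part of this report or its scanning tool), the Python below checks an SPF record the way the SPF finding above does: it parses the record this report shows for marriott.com, reads the qualifier on the terminating all term, and counts the top-level DNS-lookup terms against the ten-lookup limit of RFC 7208, a ceiling that a growing whitelist of third parties can hit. The record text is copied from this page; nested includes are not resolved offline, so the lookup count is a lower bound.

```python
import re

# Constructed copy of the SPF record this report lists for marriott.com.
MARRIOTT_SPF = (
    "v=spf1 include:spf.marriott.com include:spf.givex.com include:mail.zendesk.com "
    "a:c.spf.service-now.com include:spf.protection.outlook.com ip4:65.221.12.128 "
    "ip4:65.221.12.148 ip4:70.42.227.151 ip4:70.42.227.152 ip4:68.233.76.14 "
    "ip4:68.233.76.20 ip4:68.233.76.41 ip4:216.34.69.5 ip4:34.194.251.20 "
    "ip4:41.138.70.80/29 ip4:52.86.138.215 ip4:23.251.231.176/28 ip4:23.251.231.192/28 -all"
)

QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them in total.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, term name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for part in parts[1:]:
        qual = "+"  # qualifier is optional and defaults to pass
        if part[0] in QUALIFIERS:
            qual, part = part[0], part[1:]
        m = re.fullmatch(r"([A-Za-z0-9]+)([:=/].*)?", part)
        if m is None:
            raise ValueError(f"malformed SPF term: {part}")
        terms.append((qual, m.group(1).lower(), (m.group(2) or "").lstrip(":=")))
    return terms

def all_posture(terms):
    """How unlisted senders are treated; None means the record has no 'all' term."""
    for qual, name, _ in terms:
        if name == "all":
            return QUALIFIERS[qual]
    return None

def lookup_term_count(terms):
    """Top-level lookup-causing terms only. Nested includes are not expanded
    here, so this is a lower bound on what a receiver will actually resolve."""
    return sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)

def spf_verdict(record):
    """Map a record onto this report's own labels: Enforced only for -all."""
    terms = parse_spf(record)
    posture = all_posture(terms)
    return ("Enforced" if posture == "hardfail" else "Open", posture, lookup_term_count(terms))
```

For the marriott.com record this yields Enforced, hardfail and five top-level lookup terms, leaving room under the limit only if the included domains stay lean.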
What this means practically
An attacker cannot realistically spoof marriott.com. Mail servers following the DMARC reject policy will refuse delivery unless the forged message passes both SPF and DKIM—both of which require access to Marriott's infrastructure or private signing keys. In practice, phishing campaigns impersonating Marriott would fail at the receiver, and Gmail, Outlook, and corporate systems would drop or quarantine any unsigned impostor mail. The only viable attack vector is compromising Marriott's own infrastructure or a whitelisted third party, which is a different threat model entirely.
Bottom line: Marriott has closed the spoofability door. Reject-enforced DMARC, hardened SPF, and active DKIM keys make domain impersonation impractical.
What we measured
- DMARC policy: Enforced, p=reject. DMARC at p=reject (pct=100); spoofed mail is rejected at SMTP.
- SPF posture: Enforced, -all (hardfail). SPF ends in -all (hardfail); receivers reject mail from IPs not in the policy. Record: v=spf1 include:spf.marriott.com include:spf.givex.com include:mail.zendesk.com a:c.spf.service-now.com include:spf.protection.outlook.com ip4:65.221.12.128 ip4:65.221.12.148 ip4:70.42.227.151 ip4:70.42.227.152 ip4:68.233.76.14 ip4:68.233.76.20 ip4:68.233.76.41 ip4:216.34.69.5 ip4:34.194.251.20 ip4:41.138.70.80/29 ip4:52.86.138.215 ip4:23.251.231.176/28 ip4:23.251.231.192/28 -all
- DKIM presence: Enforced, found at 5 selectors. DKIM key found at selectors: selector1, k2, s2, selector2, s1.
- MTA-STS (transport): Open, missing. No MTA-STS policy; inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.