wiredepth

Spoofability verdict for mastercard.com

No - mastercard.com is not practically spoofable.


Mastercard has deployed one of the strongest email authentication postures you'll find in financial services. The organization combines hardline DMARC enforcement with multiple DKIM selectors and a carefully considered SPF foundation.

  • DMARC policy=reject (enforced): Mastercard's DMARC policy rejects emails that fail authentication checks outright. This means invalid mail is dropped at the receiver before it reaches inboxes—no softfail buffer, no none-mode wiggle room. This is the hardest stance a financial brand can take.
  • SPF ~all (softfail): SPF includes four legitimate send-path ranges (Outlook, Mastercard's own gateways, and external partners) and then softfails any unmatched IP. Softfail alone doesn't block mail, but combined with DMARC reject, mail from a spoofed IP fails both SPF and DKIM alignment and is rejected by compliant receivers.
  • DKIM at 4 selectors (s2, s1, k1, k2): Four active signing keys narrow the window an attacker has to forge a valid signature. Mastercard rotates selectors, which adds operational complexity for an attacker and makes the compromise of any single key less catastrophic.
  • MTA-STS: missing: MTA-STS, when published, enforces TLS when one mail server delivers to another. Without it, an attacker positioned on the network path could downgrade the server-to-server connection to plaintext, although DMARC/SPF/DKIM already reject spoofed mail at the receiver.

What this means practically

An attacker cannot practically spoof Mastercard's domain. To land mail in a recipient's inbox, the attacker would need to control an IP in Mastercard's SPF allowlist, forge a valid DKIM signature (which requires the private key), or compromise Mastercard's DNS records directly. Attempting to spoof without one of these results in instant rejection by Gmail, Microsoft 365, or any DMARC-aware mail system. The only open door is network-level interception of server-to-server delivery, which MTA-STS would close: a sophisticated attack against inbound mail in transit that still wouldn't produce forged mail visible to end users, because authentication checks fail upstream.

Bottom line: Mastercard's hardline DMARC reject, backed by multi-selector DKIM and carefully scoped SPF, makes this domain one of the hardest financial brands to spoof—though adding MTA-STS would close the last theoretical gap.

What we measured

  • DMARC policy: p=reject (Enforced)
    DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: ~all (softfail) (Partial)
    SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.
    v=spf1 include:spf.protection.outlook.com include:deliverygateways.mastercard.com include:external.mastercard.com include:external2.mastercard.com include:deliverygateways2.mastercard.com ~all
  • DKIM presence: found at 4 selectors (Enforced)
    DKIM key found at selectors: s1, s2, k1, k2.
  • MTA-STS (transport): missing (Open)
    No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint so delivery failures are reported back to you.
