Spoofability verdict for npr.org
No - npr.org is not practically spoofable.
NPR has built a strong authentication posture that closes off the main routes to impersonation. Both DMARC and SPF are enforced at the strictest settings, making this a textbook example of how a large media organisation should protect its domain.
- DMARC policy=reject at 100%: Any email claiming to be from npr.org that fails authentication will be outright rejected by receiving mail servers. The 100% enforcement rate and use of relaxed alignment (adkim=r, aspf=r) means legitimate senders have room to operate, but forged mail gets no mercy.
- SPF -all (hardfail): The final -all mechanism rejects any server not explicitly listed. NPR's SPF record is comprehensive (over 30 IP ranges plus include mechanisms for partners such as Salesforce, Outlook, and Mandrill), but any unlisted sender will fail hard. This prevents attackers from using their own mail infrastructure to impersonate npr.org.
- DKIM at 5 selectors (k2, mandrill, s2, selector1, s1): Multiple DKIM selectors indicate NPR uses different signing keys for different sending channels and platforms. A forged signature would require the private key behind one of these selectors, and obtaining that key material is a significant barrier.
- MTA-STS not deployed: MTA-STS enforces encrypted, authenticated connections between mail servers and protects against downgrade and MITM attacks in transit. Its absence doesn't create a spoofing vulnerability directly, but it's a belt-and-suspenders layer that NPR isn't using.
What this means practically
An attacker cannot realistically impersonate npr.org in a way that will reach inboxes. Sending from an unlisted IP will fail SPF. Forging DKIM signatures requires a stolen private key. Any message that fails authentication will be rejected outright by Gmail, Outlook, and other major receivers that respect DMARC policy=reject. In practice, spoofed npr.org mail will be rejected or land in spam before a user ever sees it.
Bottom line: NPR is not spoofable; they have implemented the full toolkit correctly, with no practical gaps for attackers to exploit.
What we measured
- DMARC policy: p=reject (Enforced). DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
- SPF posture: -all (hardfail) (Enforced). SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:
  v=spf1 include:spf-0032f701.pphosted.com include:spf.protection.outlook.com include:prss.org exists:%{i}._spf.mta.salesforce.com include:c9eb27a2d7.berenice.eoidentity.com ip4:64.124.132.59/32 ip4:66.150.167.192/27 ip4:162.242.229.170 ip4:205.153.38.0/24 ip4:205.153.36.170 ip4:40.107.0.0/16 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.0.0/16 ip4:139.60.0.0/24 ip4:139.60.1.0/24 ip4:139.60.2.0/24 ip4:139.60.3.0/24 ip4:13.111.0.0/16 ip4:136.147.135.0/24 ip4:136.147.176.0/24 ip4:136.147.182.0/24 ip4:198.245.81.0/24 ip4:199.122.123.0/24 ip4:195.66.99.135 ip4:212.227.89.57 ip4:217.160.226.166 ip4:54.194.192.132 ip4:62.75.247.44 ip4:82.165.193.1 ip4:85.25.144.9 ip4:87.79.30.25 ip4:87.79.30.30 ip4:208.86.168.7 ip4:135.84.68.123 ip4:206.152.14.54 ip4:54.240.43.16 include:_spf.salesforce.com ip4:209.144.103.186 include:spf.mandrillapp.com -all
- DKIM presence: found at 5 selectors (Enforced). DKIM key found at selectors: k2, mandrill, s1, selector1, s2.
- MTA-STS (transport): missing (Open). No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.