wiredepth

Spoofability verdict for nytimes.com

No - nytimes.com is not practically spoofable.

The New York Times has built a genuinely strong email authentication posture. The organisation's DMARC policy is set to reject, which means mail servers worldwide are instructed to discard emails claiming to come from nytimes.com unless they pass authentication checks.

  • DMARC at p=reject: A reject policy is the gold standard. It instructs receivers to discard unauthenticated mail and prevents even a single spoofed email from reaching readers if SPF and DKIM fail.
  • SPF with ~all (softfail): SPF is correctly configured with an extensive authorisation list (including Sparkpost and Amazon SES for legitimate mail), but uses softfail (~all) rather than hardfail (-all). Under DMARC p=reject, this limitation is moot—the DMARC policy catches what SPF misses.
  • DKIM at 3 active selectors: DKIM signatures are required by DMARC policy. The Times maintains three working selectors (k2, google, s2), which is typical rotation practice and provides resilience.
  • MTA-STS absent: MTA-STS enforces encrypted SMTP delivery and would prevent server-level interception. Its absence is a minor gap, but doesn't enable direct spoofing of the nytimes.com domain.

What this means practically

An attacker cannot practically send mail impersonating nytimes.com. Even if they bypassed SPF, DMARC's reject policy mandates that receiving mail servers discard the message outright if DKIM validation fails. All major receivers (Gmail, Outlook, corporate gateways) honour reject policies. A spoofed email claiming to come from The New York Times will be binned before it reaches a user's inbox in almost all cases.

Bottom line: The New York Times has implemented email authentication correctly and completely; spoofing nytimes.com is not a realistic attack surface.

What we measured

Enforced

DMARC policy

p=reject

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Partial

SPF posture

~all (softfail)

SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

v=spf1 include:nytimes.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:_spf.e.sparkpost.com include:amazonses.com ~all

Enforced

DKIM presence

found at 3 selectors

DKIM key found at selectors: google, k2, s2.

Open

MTA-STS (transport)

missing

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once the list of authorised senders is correct.
  2. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
