No - reddit.com is not practically spoofable.

• ✓DMARC policy=reject (enforced): Any email claiming to be from reddit.com that fails DMARC authentication will be rejected outright by receivers. This is the strongest DMARC posture and eliminates the majority of spoofing attack surface.
• ·SPF with ~all (softfail): SPF includes Amazon SES, Google, HubSpot, Salesforce, NetSuite and multiple IP ranges—reasonable for a large organisation with many sending services. The softfail (~all) qualifier means SPF doesn't hard-reject unauthorised senders, but DMARC reject policy compensates for this.
• ✓DKIM at 2 selectors (google, k1): DKIM signatures verified on at least two selector rotation keys, adding cryptographic proof of authenticity. Attackers cannot forge valid DKIM signatures without the private key.
• ✗MTA-STS mode=none (open): MTA-STS prevents man-in-the-middle attacks on the SMTP connection itself. Reddit's lack of MTA-STS deployment means an attacker *could* intercept and redirect SMTP traffic, though they'd still need valid DMARC signatures to succeed.

Bottom line: Reddit's strong DMARC reject posture, combined with DKIM signatures, makes spoofing reddit.com addresses impractical; the missing MTA-STS is a minor hardening gap that doesn't materially weaken the verdict.