wiredepth
Run a check

Spoofability verdict for reuters.com

No - reuters.com is not practically spoofable.

See the math

Reuters has built a solid, defence-in-depth email spoofing wall. DMARC p=reject combined with SPF hardfail and multiple DKIM selectors makes this a genuinely difficult target for casual domain spoofing.

  • DMARC p=reject (enforced): Reject policy tells receiving mail servers to discard any message claiming to be from reuters.com that fails authentication. This is the nuclear option and shows Reuters takes domain protection seriously.
  • SPF hardfail (-all enforced): The -all mechanism means any server not explicitly listed in Reuters' SPF record will hard-fail SPF checks. Combined with DMARC reject, this stops most spoofing attempts at the perimeter.
  • DKIM at 3 selectors (k1, k2, selector1): Multiple DKIM signing keys means Reuters can rotate credentials without breaking verification. Found selectors across 22 probed entries shows active, redundant cryptographic signing.
  • MTA-STS absent: MTA-STS enforces encryption during transit between mail servers. Its absence doesn't weaken spoofing defences, but it does leave a gap in transit integrity.

What this means practically

An attacker cannot realistically send mail that both claims to be from reuters.com AND passes DMARC verification. Gmail, Outlook, and other modern receivers will reject such attempts outright. Legacy or poorly configured receivers might still accept unsigned mail claiming to be Reuters, but the SPF hardfail and DKIM enforcement mean an attacker would have to convince recipients through content alone—no authentication spoofing shortcut exists.

Bottom line: Reuters has implemented email authentication at the highest standard; spoofing their domain in a way that passes modern mail filter checks is practically impossible.

What we measured

Enforced

DMARC policy

p=reject

inspect →

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Enforced

SPF posture

-all (hardfail)

inspect →

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all

Enforced

DKIM presence

found at 3 selectors

inspect →

DKIM key found at selectors: k1, k2, selector1.

Open

MTA-STS (transport)

missing

inspect →

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.

Check another domain