Spoofability verdict for royalmail.com
No - royalmail.com is not practically spoofable.
Royal Mail has implemented a textbook-correct email authentication posture. Their DMARC policy rejects unauthenticated mail, their SPF record ends in a hardfail that limits which servers may use the domain as an envelope sender, and DKIM keys are published at several selectors. Together these make the exact domain royalmail.com very hard to impersonate in practice (lookalike domains and display-name tricks are a separate matter).
- DMARC p=reject (enforced): Any email with a royalmail.com From: address that fails DMARC is rejected outright by receivers that honor the policy, not moved to spam. This is the gold standard, with no wiggle room for attackers.
- SPF hardfail (-all, 45 ip4 entries plus four includes): Mail whose envelope sender (RFC5321.MailFrom) is royalmail.com passes SPF only if it arrives from a listed address or from the ranges published by the included providers (Mandrill, Amazon SES, Microsoft/Outlook, Salesforce). SPF checks the envelope sender, not the visible From: header; it is DMARC alignment that ties this check to the From: address. Two things a practitioner would verify: the includes (and anything nested inside them) must stay within the RFC 7208 limit of 10 DNS lookups, or evaluation ends in permerror, and a shared-provider include authorizes every customer of that provider, so the provider's own controls on envelope-sender domains are part of the trust boundary.
- DKIM at 5 selectors (s1, s2, mandrill, k2, selector1): Several selectors usually mean several sending services, each signing with its own key (the mandrill selector pairs with the spf.mandrillapp.com include), rather than evidence of key rotation. An attacker cannot forge a valid DKIM signature without the private keys, which are Royal Mail's and its providers' to protect. Only key presence was measured; key length (2048-bit is the current recommendation) and whether any selector is stale were not.
- MTA-STS not deployed: MTA-STS lets sending servers verify royalmail.com's MX hosts and insist on TLS when delivering mail to the domain, which defeats MX redirection and STARTTLS stripping against inbound mail. Its absence doesn't enable spoofing of outbound mail, but it is a defense-in-depth miss for mail in transit to Royal Mail.
What this means practically
An attacker cannot realistically impersonate the exact domain royalmail.com. A forgery sent from an unlisted IP fails SPF, carries no valid royalmail.com DKIM signature, and therefore fails DMARC; Gmail, Microsoft, and most corporate gateways that enforce p=reject will refuse it, and the rest will at least flag it heavily. DMARC needs only one aligned pass, so the attacker would have to obtain either a listed sending IP together with a royalmail.com envelope sender or one of the DKIM private keys. What these records do not cover is abuse that never claims the domain itself: lookalike domains, a "Royal Mail" display name in front of an unrelated address, or a compromised legitimate sender. Those are social-engineering problems for the human reader, not failures of the mail system.
Bottom line: Royal Mail's authentication is correctly configured and provides near-complete protection against direct spoofing of its domain; attackers must resort to entirely different tactics.
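As an added worked example (not code from this page or its scanner), the DMARC decision described above in Python: it parses a record like the measured one (p=reject, pct=100), checks SPF and DKIM identifier alignment against the From: domain, and returns the disposition a receiver applies. Domains other than royalmail.com, the organizational-domain shortcut (last two labels, no Public Suffix List) and the explicit pct sampling flag are assumptions of the example.

```python
"""DMARC evaluation for one inbound message (identifier alignment + disposition).

Added example; not the scanner's own code. It models the RFC 7489 logic behind the
verdict above: a message passes DMARC only if SPF or DKIM passes *and* the domain
that passed aligns with the From: header domain. Assumptions: the organizational
domain is taken as the last two labels (no Public Suffix List, fine for
royalmail.com but not for .co.uk), the record is assumed to have been found at the
organizational domain, and pct sampling is modelled by an explicit flag instead of
random selection. All domains other than royalmail.com are constructed placeholders.
"""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) needs the same org domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    spf_result: str   # "pass", "fail", "none", ... as produced by the SPF check
    spf_domain: str   # RFC5321.MailFrom domain the SPF check ran against
    dkim_result: str  # "pass" if some signature verified, else "fail"/"none"
    dkim_domain: str  # d= of the verified signature, "" if none


def evaluate(record: str, from_domain: str, auth: AuthResults, sampled_in: bool = True) -> dict:
    """Return whether the message passes DMARC and the disposition a receiver applies."""
    pol = parse_dmarc(record)
    spf_aligned = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, pol["aspf"])
    dkim_aligned = bool(
        auth.dkim_result == "pass" and auth.dkim_domain
        and aligned(from_domain, auth.dkim_domain, pol["adkim"])
    )
    passed = spf_aligned or dkim_aligned  # one aligned pass is enough

    # Pick p= or sp= depending on whether From: is the org domain or a subdomain.
    policy = pol["sp"] if from_domain.lower() != org_domain(from_domain) else pol["p"]
    disposition = "none"
    if not passed:
        disposition = policy
        if not sampled_in:  # pct<100: unsampled failures get the next weaker action
            disposition = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": disposition,
        "pct": int(pol["pct"]),
    }


if __name__ == "__main__":
    # Forgery from an unlisted IP: From: royalmail.com, MAIL FROM attacker.example, no DKIM.
    print(evaluate("v=DMARC1; p=reject; pct=100", "royalmail.com",
                   AuthResults("fail", "attacker.example", "none", "")))
```

The forgery case from the text (SPF fail on attacker.example, no DKIM signature) fails DMARC and gets reject; a legitimate message with MAIL FROM bounce.royalmail.com passes under the default relaxed SPF alignment but would fail under aspf=s. The page shows only p and pct from Royal Mail's record, so aspf, sp and pct<100 are exercised here with constructed values.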
What we measured
Enforced
DMARC policy
p=reject
DMARC at p=reject (pct=100). Receivers that honor the policy reject spoofed mail, typically with a 5xx response at SMTP time once the message body (and so the From: header) has been received.
Enforced
SPF posture
-all (hardfail)
SPF ends in -all (hardfail). Mail from IPs not in the policy fails SPF; some receivers only score that result on its own, but combined with a missing aligned DKIM signature it fails DMARC and is rejected.
v=spf1 ip4:157.203.56.0/22 ip4:208.72.90.64/26 ip4:134.213.149.92/32 ip4:144.87.143.0/24 ip4:146.101.28.221/32 ip4:147.29.39.0/24 ip4:157.203.0.0/27 ip4:20.90.138.231/32 ip4:185.29.44.6/32 ip4:191.233.96.0/20 ip4:194.140.251.4/32 ip4:208.185.235.44/32 ip4:209.135.36.206/32 ip4:209.167.231.208/26 ip4:212.64.130.137/32 ip4:217.64.224.67/32 ip4:35.157.226.52/32 ip4:94.46.185.189/32 ip4:52.50.253.173/32 ip4:54.171.224.250/32 ip4:62.209.53.0/24 ip4:79.125.0.0/17 ip4:81.138.21.4/32 ip4:81.171.203.0/24 ip4:82.147.17.34/32 ip4:94.126.110.195/32 ip4:146.177.43.198/32 ip4:5.61.115.80/26 ip4:217.64.233.50 ip4:217.64.233.52 ip4:81.149.233.242 ip4:162.13.103.194 ip4:149.72.233.190 ip4:149.72.224.180 ip4:35.214.208.81/32 ip4:35.214.213.218/32 ip4:35.214.183.81/32 ip4:213.52.186.141/32 ip4:213.52.186.142/32 ip4:35.214.212.238/32 ip4:129.152.0.0/17 ip4:85.158.136.0/21 ip4:195.245.230.0/23 ip4:67.219.240.0/20 ip4:5.61.115.32/28 include:spf.mandrillapp.com include:amazonses.com include:spf.protection.outlook.com include:_spf.salesforce.com -all
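Added example (not the scanner's code): a small RFC 7208 parser run over the record above, copied verbatim. It counts the ip4 terms and the lookup-consuming terms, resolves include: through a caller-supplied dict so it runs offline, and reports the final qualifier. STAND_IN_INCLUDES holds constructed records on RFC 5737 documentation ranges, not the real Mandrill, SES, Outlook or Salesforce records, and nested.example is a placeholder showing that nested includes also count toward the 10-lookup limit.

```python
"""SPF record parser and offline sending-IP check (RFC 7208).

Added example; not the scanner's own code. ROYALMAIL_SPF is the record measured
above, copied verbatim. include: terms are resolved through a caller-supplied dict so
the code runs offline; STAND_IN_INCLUDES uses RFC 5737 documentation ranges and is a
constructed stand-in, not the real records of Mandrill, SES, Outlook or Salesforce.
"""
import ipaddress

ROYALMAIL_SPF = (
    "v=spf1 ip4:157.203.56.0/22 ip4:208.72.90.64/26 ip4:134.213.149.92/32 "
    "ip4:144.87.143.0/24 ip4:146.101.28.221/32 ip4:147.29.39.0/24 ip4:157.203.0.0/27 "
    "ip4:20.90.138.231/32 ip4:185.29.44.6/32 ip4:191.233.96.0/20 ip4:194.140.251.4/32 "
    "ip4:208.185.235.44/32 ip4:209.135.36.206/32 ip4:209.167.231.208/26 "
    "ip4:212.64.130.137/32 ip4:217.64.224.67/32 ip4:35.157.226.52/32 ip4:94.46.185.189/32 "
    "ip4:52.50.253.173/32 ip4:54.171.224.250/32 ip4:62.209.53.0/24 ip4:79.125.0.0/17 "
    "ip4:81.138.21.4/32 ip4:81.171.203.0/24 ip4:82.147.17.34/32 ip4:94.126.110.195/32 "
    "ip4:146.177.43.198/32 ip4:5.61.115.80/26 ip4:217.64.233.50 ip4:217.64.233.52 "
    "ip4:81.149.233.242 ip4:162.13.103.194 ip4:149.72.233.190 ip4:149.72.224.180 "
    "ip4:35.214.208.81/32 ip4:35.214.213.218/32 ip4:35.214.183.81/32 ip4:213.52.186.141/32 "
    "ip4:213.52.186.142/32 ip4:35.214.212.238/32 ip4:129.152.0.0/17 ip4:85.158.136.0/21 "
    "ip4:195.245.230.0/23 ip4:67.219.240.0/20 ip4:5.61.115.32/28 "
    "include:spf.mandrillapp.com include:amazonses.com "
    "include:spf.protection.outlook.com include:_spf.salesforce.com -all"
)

# Constructed stand-ins so include: can be followed offline (NOT the providers' records).
STAND_IN_INCLUDES = {
    "spf.mandrillapp.com": "v=spf1 ip4:198.51.100.0/24 ?all",
    "amazonses.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/25 -all",
    "_spf.salesforce.com": "v=spf1 include:nested.example -all",  # nested include
    "nested.example": "v=spf1 ip4:192.0.2.128/25 -all",
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (qualifier, name, argument) per term; modifiers (name=value) get qualifier None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:
            name, value = term.split("=", 1)
            parsed.append((None, name.lower(), value))
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def dns_lookup_count(record, resolver=None):
    """Count lookup-consuming terms, recursing into includes the resolver knows.
    RFC 7208 permits at most 10 per evaluation, nested lookups included."""
    count = 0
    for _, name, arg in parse_spf(record):
        if name in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect") and resolver and arg in resolver:
                count += dns_lookup_count(resolver[arg], resolver)
    return count


def check_ip(record, ip, resolver=None):
    """Evaluate a sending IP: ('pass'|'fail'|'softfail'|'neutral'|'unresolved', term)."""
    addr = ipaddress.ip_address(ip)
    unresolved = None
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULTS[qualifier], f"{name}:{arg}"
        elif name == "include":
            if resolver is None or arg not in resolver:
                unresolved = unresolved or f"include:{arg}"  # cannot decide offline
                continue
            sub, _ = check_ip(resolver[arg], ip, resolver)
            if sub == "pass":  # an include matches only when its own evaluation passes
                return RESULTS[qualifier], f"include:{arg}"
        elif name == "all":
            if unresolved:
                return "unresolved", unresolved
            return RESULTS[qualifier], f"{qualifier}all"
    return ("unresolved", unresolved) if unresolved else ("neutral", "no match")


def summarize(record):
    """The counts a practitioner checks first: ip4 terms, includes, lookups, final all."""
    terms = parse_spf(record)
    return {
        "ip4_terms": sum(1 for _, n, _ in terms if n == "ip4"),
        "includes": [a for _, n, a in terms if n == "include"],
        "all": next((q for q, n, _ in terms if n == "all"), None),
        "top_level_lookups": dns_lookup_count(record),
    }
```

Without a resolver, an IP outside every literal ip4 range comes back as unresolved rather than fail, because the answer depends on what the four provider includes expand to; the top-level record alone spends 4 of the 10 permitted lookups, and each include's own include/a/mx terms add to that total.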
Enforced
DKIM presence
found at 5 selectors
DKIM key found at selectors: mandrill, k2, s1, s2, selector1.
Open
MTA-STS (transport)
missing
No MTA-STS policy. An attacker who can tamper with DNS answers or strip STARTTLS on the path can redirect or downgrade mail being delivered to royalmail.com, and sending servers have no published policy against which to detect it.
How to make it un-spoofable
- Publish an MTA-STS policy and a TLS-RPT reporting endpoint. Start with mode: testing so TLS-RPT reports reveal any MX host or TLS misconfiguration, then switch to mode: enforce once the reports are clean.
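Added example (not the scanner's or Royal Mail's configuration): what a sending MTA does with an MTA-STS policy, in Python. SAMPLE_POLICY and its MX hostnames (mx1.example.net, *.mail.example.net) are constructed placeholders, since this page does not list Royal Mail's MX hosts; mx_matches implements the RFC 8461 wildcard rule and delivery_decision shows why mode: testing is safe to publish first and mode: enforce is what actually blocks a redirected or downgraded delivery.

```python
"""MTA-STS policy parsing, validation and MX matching (RFC 8461).

Added example; not the scanner's own code. It shows what a sending MTA does with the
policy the recommendation above asks Royal Mail to publish. SAMPLE_POLICY and its MX
hostnames are constructed placeholders: this page does not show Royal Mail's MX hosts.
"""

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age is capped at one year in seconds

# Constructed placeholder policy, as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.mail.example.net
max_age: 604800
"""


def parse_policy(text):
    """Parse 'key: value' lines; mx may repeat, so it is collected into a list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    return policy


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is usable."""
    errors = []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    try:
        if not 0 <= int(policy.get("max_age", "")) <= MAX_AGE_LIMIT:
            errors.append("max_age out of range")
    except ValueError:
        errors.append("max_age must be an integer")
    if mode != "none" and not policy["mx"]:
        errors.append("at least one mx required")
    return errors


def mx_matches(policy, mx_host):
    """True if the MX hostname is permitted. '*.d' covers exactly one extra label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".mail.example.net"
            leading = host[: -len(suffix)] if host.endswith(suffix) else ""
            if leading and "." not in leading:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_ok):
    """What a sending MTA does: enforce refuses mismatches; testing delivers but reports."""
    compliant = mx_matches(policy, mx_host) and tls_ok
    if compliant or policy.get("mode") == "none":
        return "deliver"
    return "refuse" if policy.get("mode") == "enforce" else "deliver-and-report"


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...'); id must change on each policy update."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        raise ValueError("not an MTA-STS TXT record")
    return tags["id"]
```

A sender that has cached this policy refuses to hand mail to an MX host the policy does not name, or to one that cannot negotiate TLS with a valid certificate, which is exactly the redirect and downgrade case the "missing" finding above describes; in testing mode the same mismatch is delivered anyway and only shows up in TLS-RPT reports.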