Spoofability verdict for schwab.com
No - schwab.com is not practically spoofable.
Charles Schwab has deployed the gold-standard email authentication setup: DMARC reject, SPF hardfail, and multiple DKIM signers. This is the configuration that makes email spoofing genuinely difficult.
- DMARC policy=reject: Reject is the strongest DMARC policy; receivers are instructed to block messages that fail authentication checks. It applies uniformly to all mail (pct is unset, which means 100% enforcement). Any attacker-sent mail that cannot authenticate against Schwab's authorised senders or signing keys will be rejected by compliant receivers.
- SPF hardfail (-all): SPF blocks mail from any IP address not explicitly authorised by Schwab's record. The -all mechanism (hardfail) tells receivers to reject, not quarantine. Combined with DMARC reject, this closes the door on spoofing from uncontrolled infrastructure.
- DKIM at 3 selectors (s1, mail, selector1): Multiple DKIM selectors mean Schwab can sign mail in different ways and rotate keys without breaking delivery. An attacker would need to compromise one of these private keys to forge a valid signature—a cryptographic attack, not a configuration weakness.
- MTA-STS missing: MTA-STS enforces TLS on inbound connections and helps prevent man-in-the-middle attacks during mail delivery. Its absence is a minor gap, but only relevant if an attacker controls network infrastructure between mail servers. DMARC reject + SPF hardfail already handle the spoofing surface.
What this means practically
An attacker cannot realistically spoof Schwab mail to a mailbox that respects DMARC and SPF. Gmail, Microsoft 365, and most modern receivers will reject unsigned or mis-signed Schwab messages outright. Even if an attacker sends mail *claiming* to be from @schwab.com, it will fail the authentication chain and be rejected before it reaches a user's inbox. The attacker's only path would be to compromise Schwab's infrastructure or steal a DKIM private key—both require access to Schwab's systems, not mail protocol exploitation.
Context for Charles Schwab
Financial institutions like Schwab face real phishing and impersonation risk. Reject-mode DMARC is the appropriate response and is expected of any company handling customer credentials or transactions.
Bottom line: Schwab's authentication posture is exemplary for the financial sector: DMARC reject + SPF hardfail + DKIM are correctly configured, making spoofing impractical.
What we measured
Status | Check | Result | Notes
Enforced | DMARC policy | p=reject | DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
Enforced | SPF posture | -all (hardfail) | SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Record: v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all
Enforced | DKIM presence | found at 3 selectors | DKIM key found at selectors: s1, mail, selector1.
Open | MTA-STS (transport) | missing | No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.
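The grading rules used above (DMARC p=reject with pct unset or 100 counts as enforced; SPF is enforced only when it terminates in -all), as an added Python example that is not part of this report's tooling. The SPF string is the one measured for schwab.com; the DMARC records are constructed for illustration and are not Schwab's published record.

```python
import re
from typing import Dict

# Constructed sample records. The SPF string is the one shown in the report's table;
# the DMARC records are illustrative and not Schwab's actual published TXT record.
SCHWAB_SPF = "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com -all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC TXT record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_verdict(record: str) -> Dict[str, str]:
    """Grade a DMARC record: p=reject applied to 100% of mail is 'Enforced'.
    pct is optional and defaults to 100 (RFC 7489), which is the 'pct=unset' case."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"status": "Open", "reason": "no valid DMARC record"}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return {"status": "Enforced", "reason": f"p=reject (pct={pct})"}
    if policy in ("reject", "quarantine"):
        return {"status": "Partial", "reason": f"p={policy} (pct={pct})"}
    return {"status": "Open", "reason": f"p={policy}"}

def spf_verdict(record: str) -> Dict[str, str]:
    """Grade SPF by the qualifier on its terminating 'all' mechanism.
    Macros such as %{ir} are left unexpanded: only the final qualifier matters here."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"status": "Open", "reason": "no valid SPF record"}
    grades = {"-": ("Enforced", "-all (hardfail)"), "~": ("Partial", "~all (softfail)"),
              "?": ("Open", "?all (neutral)"), "+": ("Open", "+all (anyone may send)")}
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:  # RFC 7208: mechanisms after 'all' are never evaluated
            status, reason = grades[match.group(1) or "+"]
            return {"status": status, "reason": reason}
    return {"status": "Open", "reason": "no 'all' mechanism (implicit neutral)"}

if __name__ == "__main__":
    print("SPF  :", spf_verdict(SCHWAB_SPF))
    print("DMARC:", dmarc_verdict(DMARC_REJECT), dmarc_verdict(DMARC_WEAK))
```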
How to make it un-spoofable
- Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.