wiredepth

Spoofability verdict for uhc.com

No - uhc.com is not practically spoofable.


UnitedHealthcare has built a strong email authentication posture that makes it genuinely difficult for attackers to spoof their domain. Their DMARC reject policy is the headline—it's one of the strongest stances an organisation can take.

  • DMARC p=reject: the record asks receivers to reject mail claiming to be from uhc.com that passes neither an aligned SPF check nor an aligned DKIM check. DMARC needs only one of the two to pass, but a cold spoof passes neither. Receivers that honour the policy reject at SMTP time (a 5xx response) or discard the message, rather than spam-foldering it.
  • SPF ~all (softfail): softfail tells receivers that an unlisted sender is probably unauthorised but leaves the final call to them. For DMARC purposes a softfail is simply not a pass, so the SPF leg fails for a spoofed message whether the record ends in ~all or -all. The DMARC policy, not the SPF qualifier, is the gating factor here.
  • DKIM at 3 selectors: public keys are published at s1, s2 and selector1. Several live selectors usually indicate multiple sending platforms or rotating keys, both signs of an actively managed signing setup. A valid signature whose d= domain aligns with uhc.com is the cryptographic evidence DMARC falls back on when SPF cannot vouch for a message, for example after forwarding.
  • MTA-STS missing: MTA-STS would let uhc.com require sending servers to use TLS with a validated certificate when delivering to its MX hosts, with no plaintext fallback. Its absence is a transport gap (exposure to STARTTLS stripping and MX redirection), not a spoofing gap: it protects the confidentiality of inbound mail, not the authenticity of outbound mail.

What this means practically

An attacker cannot realistically send mail that passes DMARC as uhc.com without abusing UnitedHealthcare's own sending infrastructure. With p=reject, Gmail, Microsoft 365 and other DMARC-enforcing receivers will reject or discard a spoofed message. The SPF softfail gives the attacker nothing: a message from an unlisted IP gets an SPF softfail (not a pass) and carries no DKIM signature that uhc.com's published keys can verify, so both legs fail alignment and the reject policy applies. To obtain a pass, the attacker would need a DKIM private key for one of the three selectors, or a way to inject mail into a sending path covered by the Proofpoint-hosted SPF include. Both are far harder than a cold spoofing attempt. The verdict is limited to the exact domain: lookalike domains, display-name spoofing and Reply-To tricks are outside DMARC's scope, and a compromised legitimate mailbox passes every check by definition.
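The paragraphs above lean on one rule: DMARC passes when either SPF or DKIM passes for an aligned domain, and an SPF softfail is not a pass. The evaluator below is an added example written for this page, not wiredepth's own checker. It models RFC 7489 disposition for a single message. The DMARC record string mirrors what the page reports (p=reject, pct=100); the four message scenarios, the attacker.example and list.example domains, and the organisational-domain shortcut (last two labels instead of the Public Suffix List) are constructed for illustration.

```python
"""DMARC disposition, worked through for uhc.com-style records.

Added example, not wiredepth's checker. DMARC passes if EITHER an SPF "pass"
for an aligned domain OR a valid DKIM signature with an aligned d= exists.
Message scenarios are constructed; the record shape matches the page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DmarcRecord:
    p: str                    # policy for the organisational domain
    sp: Optional[str] = None  # subdomain policy; RFC 7489 says it defaults to p
    adkim: str = "r"          # DKIM alignment: r = relaxed (org domain), s = strict
    aspf: str = "r"           # SPF alignment
    pct: int = 100            # sampling percentage (parsed; sampling not modelled)


def parse_dmarc(txt: str) -> DmarcRecord:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return DmarcRecord(
        p=tags["p"].lower(),
        sp=tags.get("sp", "").lower() or None,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
    )


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels.
    Real evaluators use the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: DmarcRecord, from_domain: str, spf_result: str,
                      spf_domain: str, dkim_sigs: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    spf_result: SPF result for MAIL FROM ("pass", "softfail", "fail", "none", ...).
    spf_domain: the MAIL FROM domain SPF was evaluated against.
    dkim_sigs:  (verification result, d= domain) per DKIM-Signature header.
    Only "pass" counts: softfail (~all) and fail (-all) are equally useless to
    a spoofer once the policy is reject.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record.aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, record.adkim)
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return True, "none"
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    policy = record.sp if (is_subdomain and record.sp) else record.p
    return False, policy


# Constructed record in the shape the page reports for uhc.com.
UHC_DMARC = parse_dmarc("v=DMARC1; p=reject; pct=100")


def scenarios() -> dict:
    """Four constructed messages, all claiming From: ...@uhc.com."""
    return {
        # Cold spoof from an unlisted IP: SPF softfail, no DKIM at all.
        "cold_spoof": dmarc_disposition(UHC_DMARC, "uhc.com", "softfail", "uhc.com", []),
        # Attacker signs with a key they do control: DKIM passes but d= is misaligned.
        "attacker_dkim": dmarc_disposition(UHC_DMARC, "uhc.com", "softfail", "uhc.com",
                                           [("pass", "attacker.example")]),
        # Legitimate mail via an authorised relay: SPF pass plus aligned DKIM.
        "legit": dmarc_disposition(UHC_DMARC, "uhc.com", "pass", "uhc.com",
                                   [("pass", "uhc.com")]),
        # Legitimate mail forwarded by a mailing list: SPF breaks, DKIM survives.
        "forwarded": dmarc_disposition(UHC_DMARC, "uhc.com", "fail", "list.example",
                                       [("pass", "uhc.com")]),
    }


if __name__ == "__main__":
    for name, (ok, disp) in scenarios().items():
        print(f"{name:14} dmarc_pass={ok!s:5} disposition={disp}")
```

The forwarded case is why the DKIM selectors matter to the verdict: once a list or forwarder breaks SPF, an aligned DKIM signature is the only thing keeping legitimate uhc.com mail out of the reject bucket.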

Bottom line: UnitedHealthcare's DMARC reject policy with active DKIM signing makes spoofing their domain impractical; MTA-STS would be a useful addition but doesn't change the verdict.

What we measured

Enforced

DMARC policy

p=reject


DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Partial

SPF posture

~all (softfail)


SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all
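The include: target above is not a fixed hostname; it is built from SPF macros (RFC 7208 §7), so the name a receiver looks up depends on the connecting IP. The expander below is an added example, not wiredepth's code or Proofpoint's, and it only implements the lowercase macro letters with the digit and reverse transformers; the sample client IPs (203.0.113.5, 2001:db8::1) and MAIL FROM addresses are constructed. It shows which DNS name gets queried for the published uhc.com record.

```python
"""SPF macro expansion for a macro-based include (added example, not
wiredepth's code). Shows which DNS name a receiver actually queries when the
uhc.com record's include:%{ir}.%{v}.%{d}.spf.has.pphosted.com is evaluated
for a given connecting IP. Sample IPs and MAIL FROM addresses are constructed.
"""
import ipaddress
import re

# Record as published on the page.
UHC_SPF = "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all"

# RFC 7208 section 7.1: %{letter[digits][r][delimiters]}.
# Uppercase letters (URL-escaped output) are not handled in this example.
MACRO_RE = re.compile(r"%\{([slodivh])(\d*)(r?)([.\-+,/_=]*)\}")


def expand_spf_macros(spec: str, client_ip: str, domain: str,
                      mail_from: str, helo: str = "") -> str:
    """Expand macros in one SPF domain-spec for a specific SMTP session."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        i_val = str(ip)                                  # dotted quad
    else:
        i_val = ".".join(ip.exploded.replace(":", ""))   # 32 dot-separated nibbles
    local, _, sender_domain = mail_from.rpartition("@")
    values = {
        "s": mail_from,      # full MAIL FROM address
        "l": local,          # local-part of MAIL FROM
        "o": sender_domain,  # domain of MAIL FROM
        "d": domain,         # domain whose SPF record is being evaluated
        "i": i_val,          # client IP in macro form
        "v": "in-addr" if ip.version == 4 else "ip6",
        "h": helo,           # HELO/EHLO name (empty if not supplied)
    }

    def substitute(m):
        letter, digits, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]  # keep the right-most N labels
        return ".".join(parts)

    out = MACRO_RE.sub(substitute, spec)
    return out.replace("%%", "%").replace("%_", " ").replace("%-", "%20")


def spf_include_targets(record: str, client_ip: str, domain: str, mail_from: str) -> list:
    """Expanded DNS names that the record's include: mechanisms resolve to."""
    targets = []
    for term in record.split():
        mech = term.lstrip("+-~?")  # strip the qualifier, if any
        if mech.lower().startswith("include:"):
            targets.append(expand_spf_macros(mech[len("include:"):],
                                             client_ip, domain, mail_from))
    return targets


if __name__ == "__main__":
    for ip in ("203.0.113.5", "2001:db8::1"):
        print(ip, "->", spf_include_targets(UHC_SPF, ip, "uhc.com", "noreply@uhc.com"))
```

The practical consequence: you cannot audit this record by reading it. The authorised sender set lives behind per-IP lookups under spf.has.pphosted.com, so the step of "getting the sender list right" before moving to -all means reviewing the hosted configuration, not the TXT record.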

Enforced

DKIM presence

found at 3 selectors


DKIM key found at selectors: s2, s1, selector1.

Open

MTA-STS (transport)

missing


No MTA-STS policy. Inbound mail is exposed to STARTTLS stripping by an on-path attacker and to MX redirection via DNS tampering, since senders have no authenticated statement of which MX hosts to expect or that TLS is required.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
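What step 2 commits a domain to is easiest to see from the sending MTA's side. The code below is an added example for this page, not wiredepth's or UnitedHealthcare's configuration: it parses the two DNS TXT records (the `_mta-sts` discovery record and the `_smtp._tls` TLS-RPT record), parses the policy body that RFC 8461 says is fetched from `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and applies the MX-matching and enforce/testing rules to a few connection outcomes. All record values, MX names and the example.com domain are constructed; they are not uhc.com's.

```python
"""MTA-STS from the sender's point of view (added example, not wiredepth's
code). Constructed records and policy for example.com; not uhc.com's values.
"""
from typing import Dict, List

# Published at _mta-sts.example.com (TXT). Only signals that a policy exists
# and, via id, when it changed; the body lives behind HTTPS.
STS_TXT = "v=STSv1; id=20240601T120000;"
# Published at _smtp._tls.example.com (TXT): where senders report TLS failures.
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
# Served at https://mta-sts.example.com/.well-known/mta-sts.txt
POLICY_TXT = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.mail.example.com
max_age: 604800
"""


def parse_tagged_txt(txt: str, version_tag: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' TXT format shared by _mta-sts and _smtp._tls records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != version_tag:
        raise ValueError(f"expected v={version_tag}")
    return tags


def parse_sts_policy(text: str) -> dict:
    """Parse the 'key: value' policy body; mx may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx")
    return policy


def mx_matches(mx_host: str, patterns: List[str]) -> bool:
    """RFC 8461 section 4.1: exact match, or '*.example.com' covering exactly one extra label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # ".mail.example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pat:
            return True
    return False


def sending_decision(policy: dict, mx_host: str, starttls_ok: bool, cert_valid: bool) -> str:
    """What a policy-aware sender does with one MX connection attempt.

    cert_valid means the certificate chained to a trusted root and named mx_host.
    """
    if policy["mode"] == "none":
        return "deliver"  # policy withdrawn: behave as if none were published
    compliant = starttls_ok and cert_valid and mx_matches(mx_host, policy["mx"])
    if compliant:
        return "deliver"
    if policy["mode"] == "enforce":
        return "defer"  # never fall back to cleartext; try another MX, queue, report via TLS-RPT
    return "deliver-and-report"  # testing: deliver anyway, send a TLS-RPT failure report


if __name__ == "__main__":
    pol = parse_sts_policy(POLICY_TXT)
    print("policy id:", parse_tagged_txt(STS_TXT, "STSv1")["id"])
    print("reports to:", parse_tagged_txt(TLSRPT_TXT, "TLSRPTv1")["rua"])
    print("legit MX, good TLS:      ", sending_decision(pol, "mx1.example.com", True, True))
    print("STARTTLS stripped:       ", sending_decision(pol, "mx1.example.com", False, False))
    print("DNS-redirected MX:       ", sending_decision(pol, "rogue.attacker.example", True, True))
```

The usual rollout is mode: testing with TLS-RPT first, so that misconfigured MX certificates show up in reports rather than as deferred mail, then a switch to enforce and a bumped id once the reports are clean.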
