wiredepth
Run a check

Spoofability verdict for united.com

No - united.com is not practically spoofable.

See the math

United Airlines is doing the hard work of email authentication correctly. A strict DMARC policy combined with working SPF and DKIM signals makes this domain genuinely difficult to spoof at scale.

  • DMARC policy=reject at 100%: United enforces DMARC rejection on every inbound message, with no soft-landing exceptions. Receivers like Gmail and Microsoft treat this as gospel: email failing authentication gets rejected, not folded into spam.
  • SPF with ~all (softfail): SPF is present and functional, but uses softfail rather than hardfail. This means non-conforming senders generate a mild signal rather than a hard stop—however, DMARC's strict reject policy overrides this weakness for authenticated traffic.
  • DKIM at 2 selectors (s1, s2): United maintains at least two active DKIM signing keys, which is standard practice for key rotation and redundancy. Messages signed with either key will pass DKIM verification.
  • MTA-STS not deployed: MTA-STS encrypts the channel between mail servers but is optional. Its absence doesn't weaken spoofability resistance—it only leaves the transport layer unprotected against interception or downgrade attacks.

What this means practically

An attacker cannot send email that appears to come from united.com and pass modern receiver filters. Any message lacking a valid DKIM signature from one of United's two selector keys, or lacking SPF alignment, will fail DMARC and hit the reject wall. Receivers will not deliver it to inboxes. The only realistic vector is credential theft (compromising a real United mail account), not domain spoofing.

Bottom line: United Airlines has the authentication posture you want to see: strict DMARC enforcement backed by working SPF and DKIM, making domain impersonation practically impossible for bulk attacks.</bottom_line> </invoke>

What we measured

Enforced

DMARC policy

p=reject

inspect →

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Partial

SPF posture

~all (softfail)

inspect →

SPF ends in ~all (softfail). Receivers may accept but mark mail; not enforced.

v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all

Enforced

DKIM presence

found at 2 selectors

inspect →

DKIM key found at selectors: s1, s2.

Open

MTA-STS (transport)

missing

inspect →

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Tighten SPF from ~all (softfail) to -all (hardfail) once you have the list of senders right.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.

Check another domain