wiredepth

Spoofability verdict for washingtonpost.com

No - washingtonpost.com is not practically spoofable.


The Washington Post has built strong email authentication foundations with an enforced DMARC reject policy and strict SPF hardfail, making casual spoofing attempts against their domain nearly impossible.

  • DMARC policy=reject; pct=100: Full enforcement at 100% means every message claiming to be from washingtonpost.com must pass DMARC or get rejected outright. No window for testing or exceptions.
  • SPF hardfail (-all) with multiple IP ranges: SPF is configured to explicitly reject mail from any sender IP not on their whitelist (198.72.14.0/23, 192.72.255.0/24, specific AWS IPs, and Outlook/third-party marketing infrastructure). The -all does the job.
  • DKIM: no common selectors found: DKIM wasn't discovered on standard selectors, which slightly weakens the second authentication layer—but DMARC policy=reject handles the heavy lifting regardless.
  • MTA-STS: not configured: MTA-STS enforces encrypted delivery between mail servers; its absence is a small gap, but doesn't affect spoofability directly since SPF and DMARC already block forged mail.

What this means practically

An attacker cannot practically send mail that appears to be from washingtonpost.com. Any message that fails DMARC (which any spoofed message will, since the SPF record lists only WaPo's own infrastructure and the third-party senders it has authorized) will be rejected by modern mailboxes. Gmail, Outlook, and corporate mail systems will not deliver it to inboxes. This is the gold standard.

Bottom line: The Washington Post's DMARC reject policy at 100% with strict SPF enforcement makes them effectively unspoofable—attackers cannot impersonate their domain.

What we measured

  • DMARC policy: p=reject. Status: Enforced. DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.
  • SPF posture: -all (hardfail). Status: Enforced. SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy. Published record:

    v=spf1 ip4:198.72.14.0/23 ip4:192.72.255.0/24 ip4:54.156.98.51 ip4:54.210.51.17 include:spf.protection.outlook.com include:madgexjb.com include:spf-001a3c01.pphosted.com include:amazonses.com -all

  • DKIM presence: no key found at common selectors. Status: Open. No DKIM key found at any of the 22 common selectors. (Your domain may publish a DKIM key at a less-common selector - this is a heuristic, not exhaustive.)
  • MTA-STS (transport): missing. Status: Open. No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Confirm DKIM is configured. We didn't find a key at the common selectors; if you do publish DKIM, the selector you use isn't in our probe list - that's fine, but worth verifying with your mail provider.
  2. Publish an MTA-STS policy in enforce mode + a TLS-RPT reporting endpoint.
