No - x.com is not practically spoofable.

• ✓DMARC p=reject (enforced): Any email claiming to come from x.com that fails DMARC authentication is rejected outright by receiving mailboxes. This is the strongest DMARC policy and closes off the most direct spoofing vector.
• ✓SPF -all hardfail (enforced): SPF explicitly forbids any IP address not in their whitelist from sending mail as x.com. The list includes X's own ranges plus Google, Salesforce, and Oracle email platforms. Any server not on that list will fail SPF.
• ✓DKIM (google selector found): DKIM signatures cryptographically prove mail actually came from X's infrastructure. We found active signing; attackers cannot forge a valid signature without X's private key.
• ·MTA-STS missing: MTA-STS would enforce encrypted connections to X's mail servers and is a nice-to-have for freshly deployed domains, but its absence does not materially weaken the DMARC + SPF + DKIM posture already in place.

Bottom line: X.com's email domain is genuinely protected; this is a textbook example of authentication done right and worth studying if your own domain is still on the default.