Which government brands can be spoofed in email?

Government domains are the most-impersonated brands globally - tax-refund scams, package-customs scams, immigration scams. The big national agencies have generally moved to DMARC enforcement; the long tail of agencies, sub-departments, and state / municipal sites lags behind.

Spoofable

1 (6%)

No DMARC, or DMARC at p=none. Anyone can send from these domains.

Partial protection

1 (6%)

DMARC at p=quarantine, or p=reject with pct<100. Spoofed mail may slip through.

Not practically spoofable

16 (89%)

DMARC p=reject pct=100 + SPF -all or DKIM. Spoofed mail rejected at SMTP.

Brand	Domain	Verdict
CRA (Canada)	canada.ca	Spoofable	See the math →
US Treasury	treasury.gov	Maybe	See the math →
Australian Taxation Office	ato.gov.au	Protected	See the math →
CDC	cdc.gov	Protected	See the math →
CISA	cisa.gov	Protected	See the math →
DHS	dhs.gov	Protected	See the math →
European Commission	ec.europa.eu	Protected	See the math →
FBI	fbi.gov	Protected	See the math →
FCC	fcc.gov	Protected	See the math →
FTC	ftc.gov	Protected	See the math →
Federal Reserve	federalreserve.gov	Protected	See the math →
GOV.UK	gov.uk	Protected	See the math →
HM Revenue & Customs	hmrc.gov.uk	Protected	See the math →
IRS	irs.gov	Protected	See the math →
NASA	nasa.gov	Protected	See the math →
SEC	sec.gov	Protected	See the math →
USPS	usps.com	Protected	See the math →
White House	whitehouse.gov	Protected	See the math →

Other categories

What does "spoofable" actually mean?

A domain is spoofable when a third party can send mail FROM addresses at that domain (e.g. [email protected]) and have it land in inboxes. The mechanism that prevents this is DMARC enforcement combined with SPF and DKIM. Without all three, receivers have no policy to apply against unauthorised senders.

Want the same check on your own domain? Run the free Spoofability check.

This category last scored: Tue, 12 May 2026 05:18:30 GMT.