Which media brands can be spoofed in email?

Newsrooms and news brands are unusual: they're high-trust impersonation targets (fake 'breaking news' emails get past spam filters easily) but historically slow to enforce DMARC because their newsletters use third-party senders the auth records don't always cover. Watch for the divide between digital-first outlets and legacy print.

Spoofable

0 (0%)

No DMARC, or DMARC at p=none. Anyone can send from these domains.

Partial protection

3 (19%)

DMARC at p=quarantine, or p=reject with pct<100. Spoofed mail may slip through.

Not practically spoofable

13 (81%)

DMARC p=reject pct=100 + SPF -all or DKIM. Spoofed mail rejected at SMTP.

Brand	Domain	Verdict
Bloomberg	bloomberg.com	Maybe	See the math →
Politico	politico.com	Maybe	See the math →
Wall Street Journal	wsj.com	Maybe	See the math →
Associated Press	apnews.com	Protected	See the math →
Axios	axios.com	Protected	See the math →
BBC	bbc.com	Protected	See the math →
CNN	cnn.com	Protected	See the math →
Financial Times	ft.com	Protected	See the math →
Forbes	forbes.com	Protected	See the math →
NPR	npr.org	Protected	See the math →
Reuters	reuters.com	Protected	See the math →
TIME	time.com	Protected	See the math →
The Atlantic	theatlantic.com	Protected	See the math →
The Guardian	theguardian.com	Protected	See the math →
The New York Times	nytimes.com	Protected	See the math →
The Washington Post	washingtonpost.com	Protected	See the math →

Other categories

What does "spoofable" actually mean?

A domain is spoofable when a third party can send mail FROM addresses at that domain (e.g. [email protected]) and have it land in inboxes. The mechanism that prevents this is DMARC enforcement combined with SPF and DKIM. Without all three, receivers have no policy to apply against unauthorised senders.

Want the same check on your own domain? Run the free Spoofability check.

This category last scored: Tue, 12 May 2026 05:18:09 GMT.