Which travel brands can be spoofed in email?
Airlines, hotels, and travel booking platforms ship a steady stream of legitimate transactional emails, which makes them prime impersonation targets (the recipient is already expecting a flight confirmation, so a fake one looks plausible). Anti-spoofing posture varies wildly by region.
Spoofable
1 (5%)
No DMARC, or DMARC at p=none. Anyone can send from these domains.
Partial protection
5 (25%)
DMARC at p=quarantine, or p=reject with pct<100. Spoofed mail may slip through.
Not practically spoofable
14 (70%)
DMARC p=reject pct=100 + SPF -all or DKIM. Spoofed mail rejected at SMTP.
| Brand | Domain | Verdict | |
|---|---|---|---|
| IHG Hotels | ihg.com | Spoofable | See the math → |
| Emirates | emirates.com | Maybe | See the math → |
| Hertz | hertz.com | Maybe | See the math → |
| Hilton | hilton.com | Maybe | See the math → |
| Ryanair | ryanair.com | Maybe | See the math → |
| Uber | uber.com | Maybe | See the math → |
| Air France | airfrance.com | Protected | See the math → |
| Airbnb | airbnb.com | Protected | See the math → |
| American Airlines | aa.com | Protected | See the math → |
| Avis | avis.com | Protected | See the math → |
| Booking.com | booking.com | Protected | See the math → |
| British Airways | britishairways.com | Protected | See the math → |
| Delta | delta.com | Protected | See the math → |
| Expedia | expedia.com | Protected | See the math → |
| Hyatt | hyatt.com | Protected | See the math → |
| JetBlue | jetblue.com | Protected | See the math → |
| Lufthansa | lufthansa.com | Protected | See the math → |
| Marriott | marriott.com | Protected | See the math → |
| Southwest | southwest.com | Protected | See the math → |
| United Airlines | united.com | Protected | See the math → |
Other categories
What does "spoofable" actually mean?
A domain is spoofable when a third party can send mail FROM addresses at that domain (e.g. [email protected]) and have it land in inboxes. The mechanism that prevents this is DMARC enforcement combined with SPF and DKIM. Without all three, receivers have no policy to apply against unauthorised senders.
Want the same check on your own domain? Run the free Spoofability check.
This category last scored: .