Can you spoof a newsroom? Email authentication at 65 news organizations
News organizations are under siege. Every day, attackers impersonate newsrooms in phishing campaigns, fake "breaking news" alerts, and source manipulation attacks. A forged email from a respected journalist's domain can move markets, spread disinformation, or compromise an entire investigation.
Yet when we scanned 65 major news and media organizations for email authentication defenses, we found a troubling gap: while most have deployed the foundational protections (SPF and DMARC), one in five have published DMARC in report-only mode — meaning their From address is still spoofable, and receivers are taking no action to block forgeries.
Here's what we found.
What we measured
On 2026-06-24, we scanned 65 news and media organizations using live DNS-over-HTTPS queries via Cloudflare, pulling the same email authentication records that Domain Posture's dossier checks examine for any domain. The snapshot includes SPF, DMARC, DKIM (at common selector prefixes), MTA-STS, and TLS-RPT adoption.
Note: DNS records change. These percentages are accurate as of the scan date and may differ if you check today.
Of the 65 organizations, 63 had MX records (two were not reachable or lacked mail service in our query).
Most are covered — but the policy matters
The adoption numbers look reassuring at first glance:
- SPF present: 95.4%
- DMARC present: 95.4%
- DKIM detectable: 78.5% (a floor — our scan looked for common selector names, not exhaustive enumeration)
| Metric | Percentage |
|--------|-----------|
| SPF hardfail (-all) | 30.8% |
| SPF softfail (~all) | 63.1% |
| DMARC p=reject | 47.7% |
| DMARC p=quarantine | 27.7% |
| DMARC p=none | 20.0% |
| DMARC with rua reporting | 92.3% |
| Full enforced stack (SPF + DMARC reject/quarantine + DKIM + rua) | 73.8% |
The newsrooms that took authentication seriously are household names:
- DMARC p=reject (enforcing): nytimes.com, washingtonpost.com, reuters.com, bbc.com, cnn.com, theguardian.com, ft.com, bloomberg.com, npr.org, foxnews.com, forbes.com, fortune.com, telegraph.co.uk, wired.com, theverge.com, techcrunch.com.
These outlets have no room for spoofing. Their From address is locked down.
But one in five only watches — and that's a problem
Here's where the story takes a darker turn. 20% of the 65 organizations publish DMARC with p=none — monitor-only mode.
What does that mean? With p=none, the domain publishes a DMARC record but tells email receivers to take no action when a message fails the checks. The newsroom gets a report (rua) showing what failed, but the From domain is still spoofable: any attacker can craft an email claiming to be from that organization, and most email servers will accept it.
The 13 organizations we identified in p=none mode:
- nbcnews.com, cbsnews.com, abcnews.com
- theintercept.com
- lefigaro.fr, zeit.de
- asahi.com
- motherjones.com
- espn.com
- indianexpress.com
- venturebeat.com, thenextweb.com
- corriere.it
These are well-known outlets. Their domains are trusted. And yet, if you send an email claiming to be from nbcnews.com, most email servers will let it through — because the domain's DMARC policy says "don't enforce."
The question isn't whether the newsroom published DMARC. The question is: did they enforce it? 75.4% of the cohort did (p=reject or p=quarantine combined). The other 24.6% are running on trust and observation only.
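The difference between publishing DMARC and enforcing it can be checked mechanically from the TXT records themselves. The following is an added example, not the scan's own code: it classifies the TXT set at a domain and at `_dmarc.<domain>` using the table's definition of the full enforced stack. The function names, the `dkim_found` flag and the sample records are assumptions made for illustration.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict with lowercased tag names."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_policy(txt):
    """Classify the TXT set at _dmarc.<domain>; returns (policy, has_rua)."""
    found = [r for r in txt if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if len(found) != 1:  # RFC 7489: no record, or more than one, means no policy applies
        return "missing", False
    tags = parse_tags(found[0])
    policy = tags.get("p", "").lower()
    policy = policy if policy in ("reject", "quarantine", "none") else "invalid"
    return policy, bool(tags.get("rua"))

def spf_all(txt):
    """Classify the 'all' mechanism of the SPF record in the domain's TXT set."""
    found = [r for r in txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:  # RFC 7208: multiple SPF records are a permanent error
        return "missing"
    names = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}
    for term in found[0].lower().split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term)
        if m:
            return names[m.group(1)]
    return "no-all"  # e.g. the record ends in redirect= instead of an all mechanism

def classify(domain_txt, dmarc_txt, dkim_found):
    """Summarise posture; full_stack = SPF + DMARC reject/quarantine + DKIM + rua."""
    spf = spf_all(domain_txt)
    policy, rua = dmarc_policy(dmarc_txt)
    enforced = policy in ("reject", "quarantine")
    return {"spf": spf, "dmarc": policy, "rua": rua, "enforced": enforced,
            "full_stack": spf != "missing" and enforced and dkim_found and rua}

# Constructed sample records on reserved example domains, not taken from the scan.
SAMPLES = {
    "enforcing.example": (["v=spf1 include:_spf.mail.example -all"],
                          ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"], True),
    "watching.example": (["v=spf1 include:_spf.mail.example ~all", "site-verification=abc"],
                         ["v=DMARC1; p=none; rua=mailto:dmarc@watching.example"], True),
    "bare.example": (["site-verification=xyz"], [], False),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt, dkim) in SAMPLES.items():
        print(domain, classify(spf_txt, dmarc_txt, dkim))
```
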
The unprotected few — no DMARC at all
Three organizations in our scan published no DMARC record whatsoever:
- faz.net (Frankfurter Allgemeine Zeitung)
- thehindu.com (The Hindu)
- timesofindia.indiatimes.com (Times of India)
Additionally, some lacked SPF:
- faz.net, nikkei.com, timesofindia.indiatimes.com
For these domains, email spoofing is trivial. An attacker can send mail from any of these addresses with no authentication barrier. There is no p=none grey zone here — there is simply no protection.
This is likely a mix of legacy infrastructure, resourcing constraints, and regional variations in email practices. But the risk is the same: impersonation.
Transport security barely registers
We also looked at MTA-STS (SMTP TLS enforcement) and TLS-RPT (TLS reporting). These are a level up from DMARC — they protect the transport of mail, not just the sender identity.
Adoption in this cohort:
- MTA-STS published: 4.6% (3 organizations)
- TLS-RPT published: 4.6%
The three MTA-STS adopters: theguardian.com, telegraph.co.uk, and thenextweb.com. That's it.
Why the gap? MTA-STS is newer and more operationally complex than DMARC. You have to publish a policy file, keep it fresh, and monitor TLS failures. Most newsrooms have correctly prioritized DMARC first. But for a high-value target like a major publication, MTA-STS is the next logical step.
If you run a newsroom's domain — here's what to do
If your organization is publishing p=none, you have already done most of the work:
- You have SPF and DKIM in place.
- You have DMARC reports (rua) flowing in — you're getting visibility into failures and spoofing attempts.
- You have the data you need to move confidently to p=reject.
The move from p=none to p=reject is incremental, not binary. Your reporters' mail workflows are already correct (legitimate mail authenticated by your SPF and DKIM). The change affects external senders — attackers and misconfigured tools — not your internal mailbox.
Monitor your rua reports, ensure your mail infrastructure is compliant, then flip the policy. Your newsroom will no longer be spoofable.
Frequently asked questions
- Do news organizations use DMARC?
- Yes, 95.4% of the 65 newsrooms we scanned publish DMARC records. However, having DMARC is only half the story — the policy setting (p=reject, p=quarantine, or p=none) determines whether email receivers actually block spoofed messages.
- What does p=none mean for spoofing?
- p=none means DMARC is in monitor-only mode. Email receivers will still accept mail claiming to be from your domain, even if it fails authentication checks. The domain is technically still spoofable. We found 20% of news orgs use p=none.
- Which news sites can still be spoofed?
- The 13 sites we identified with p=none (nbcnews.com, cbsnews.com, abcnews.com, and others listed in the post) are currently vulnerable. Additionally, three organizations publish no DMARC at all: faz.net, thehindu.com, and timesofindia.indiatimes.com.
- Why is email authentication important for journalists?
- News organizations are prime targets for impersonation attacks — attackers send fake 'breaking news' emails to sources, competitors, and the public to spread disinformation. Strong email authentication (p=reject DMARC, SPF, DKIM) prevents attackers from spoofing the newsroom's domain, protecting both the organization's reputation and the public from fraud.
- How much of the stack do news orgs deploy?
- 73.8% of the 65 organizations we scanned deployed the full enforced authentication stack (SPF with hardfail, DMARC at p=reject or p=quarantine with reporting, and detectable DKIM). That's solid coverage, but it means 1 in 4 newsrooms have gaps.