# 26 of 39 AI Companies Use SPF Softfail — Their Email Can Be Spoofed

> Source: <https://dev.to/marketoracle/26-of-39-ai-companies-use-spf-softfail-their-email-can-be-spoofed-1846>
> Published: 2026-05-20 15:46:07+00:00

I queried the DNS records for 39 AI companies (labs, safety orgs, tooling companies) and checked their SPF and DMARC email security policies. The results are worse than I expected.

- `~all` (softfail): 26 of the 39, including Anthropic, Google, Apple, NVIDIA, and Hugging Face
- `-all` (hardfail): OpenAI, Microsoft, Amazon, Palantir, x.ai

SPF (Sender Policy Framework) publishes, in a TXT record, which IP addresses are authorized to send email using a domain as the envelope sender (the SMTP `MAIL FROM`). The `all` mechanism at the end of the record defines the result for any sender not on the list:

- `-all` (hardfail): reject the message
- `~all` (softfail): accept the message but mark it as suspect
- `?all` (neutral): no opinion, treated much like having no SPF record
- `+all` (pass all): accept everything, which makes the record useless

Most receiving servers treat softfail as "deliver normally, perhaps with a higher spam score." Combined with a weak or missing DMARC policy, this means spoofed email from most of these AI companies will land in inboxes.
Cohere stands out: 6 approved sending services with only softfail. That's a wide attack surface with weak enforcement.
DMARC tells receivers what to do with a message that fails authentication, meaning neither SPF nor DKIM passes with a domain aligned to the visible `From:` header. `p=reject` blocks such messages. `p=none` lets them through and only asks for reports.
No DMARC at all:
DMARC monitoring-only (p=none):
That's 9/39 domains (23%) with weak or absent DMARC. For AI safety organizations like MIRI and Alignment Forum, this is notable — organizations focused on existential risk from advanced AI, vulnerable to basic email impersonation.
OpenAI (`-all`, `p=reject`), Microsoft (`-all`, `p=reject`), Anthropic (`~all`, `p=reject`), and Stripe (`-all`, `p=reject`) all have strict DMARC enforcement. Anthropic's DMARC compensates for the SPF softfail: DMARC counts a softfail as an SPF non-pass, so unless a forged message also carries an aligned DKIM signature, `p=reject` blocks it. Pairing `~all` with `p=reject` is in fact a common deliberate choice, since it lets the rejection happen at DMARC evaluation rather than at the SPF check, which is gentler on legitimately forwarded mail.
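The SPF `all` qualifiers and DMARC policies discussed above, and how they combine into a spoofability verdict, as an added example. This is not code from the post or from the author's checker. It parses the two raw TXT record strings (which you would fetch with the `dig` commands below) and runs offline; the domain names and records in `SAMPLE_DOMAINS` are constructed, and the names `parse_spf`, `parse_dmarc`, `spoofability` and `assess_all` are chosen here. It goes one step beyond the post by also treating `pct=` and the envelope-only protection of `-all` without DMARC.

```python
"""Classify how spoofable a domain is from its SPF and DMARC TXT records.

Added example; not the post's code or the author's checker. It works on
record strings already fetched (e.g. with dig), so it runs offline.
All sample records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Qualifier on the terminal `all` mechanism -> SPF result for unlisted senders.
ALL_QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}


@dataclass
class SpfPolicy:
    all_qualifier: str      # "-", "~", "?", "+", or "" when no `all` term is present
    includes: List[str]     # third-party services authorized to send for the domain
    mechanism_count: int    # every sender-authorizing term; a rough attack-surface size
    has_redirect: bool      # redirect= hands the final verdict to another record


def parse_spf(record: str) -> SpfPolicy:
    """Parse a v=spf1 TXT record into the parts that matter for enforcement."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    policy = SpfPolicy("", [], 0, False)
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            policy.has_redirect = True
            continue
        if term.lower().startswith("exp="):
            continue                        # explanation modifier, authorizes nobody
        qualifier, body = "+", term         # RFC 7208: a bare mechanism means "+"
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        if body.lower() == "all":
            policy.all_qualifier = qualifier
            break                           # receivers ignore anything after `all`
        policy.mechanism_count += 1
        if body.lower().startswith("include:"):
            policy.includes.append(body.split(":", 1)[1])
    return policy


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a v=DMARC1 TXT record into lower-cased tag -> value."""
    tags: Dict[str, str] = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags


def spoofability(spf_record: Optional[str], dmarc_record: Optional[str]) -> Tuple[str, str]:
    """Return (level, reason) for the organizational domain itself.

    Levels: protected, partial, envelope-only, spoofable. Subdomain policy
    (sp=) and DKIM alignment details are out of scope here.
    """
    spf = parse_spf(spf_record) if spf_record else None
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    policy = dmarc["p"].lower() if dmarc else "none"
    pct = int(dmarc.get("pct", "100")) if dmarc else 100
    # No `all` term (and no redirect) defaults to neutral, RFC 7208 section 4.7.
    spf_result = ALL_QUALIFIERS.get(spf.all_qualifier, "neutral") if spf else "no record"

    if policy in ("reject", "quarantine"):
        if pct >= 100:
            return ("protected", f"DMARC p={policy} covers every message failing aligned "
                                 f"SPF and DKIM; SPF {spf_result} alone lets no forgery through")
        return ("partial", f"DMARC p={policy} is applied to only pct={pct}% of failing mail; "
                           "the rest gets the next-weaker policy")
    # p=none or no DMARC: the receiver has only the bare SPF result to act on.
    if spf_result == "hardfail":
        return ("envelope-only", "SPF -all rejects a forged MAIL FROM, but without DMARC "
                                 "enforcement the visible From: header is still unprotected")
    return ("spoofable", f"SPF {spf_result} with DMARC p={policy}: forged mail is "
                         "delivered, at most spam-scored")


# Constructed records covering the combinations discussed in the post.
SAMPLE_DOMAINS = {
    "softfail-none.example":    ("v=spf1 include:_spf.example.net include:mail.example.org ~all",
                                 "v=DMARC1; p=none; rua=mailto:dmarc@softfail-none.example"),
    "softfail-reject.example":  ("v=spf1 include:_spf.example.net ~all",
                                 "v=DMARC1; p=reject; rua=mailto:dmarc@softfail-reject.example"),
    "hardfail-nodmarc.example": ("v=spf1 ip4:203.0.113.0/24 -all", None),
    "reject-pct.example":       ("v=spf1 ip4:203.0.113.10 -all", "v=DMARC1; p=reject; pct=25"),
}


def assess_all(domains=SAMPLE_DOMAINS) -> Dict[str, str]:
    """Map each domain name to its spoofability level."""
    return {name: spoofability(spf, dmarc)[0] for name, (spf, dmarc) in domains.items()}


if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE_DOMAINS.items():
        level, reason = spoofability(spf, dmarc)
        services = len(parse_spf(spf).includes) if spf else 0
        print(f"{name:26s} {level:14s} includes={services}  {reason}")
```

To use it on a real domain, feed `spoofability` the strings returned by `dig +short TXT <domain>` (the record starting with `v=spf1`) and `dig +short TXT _dmarc.<domain>`. Two details the verdict encodes that the post's two-way split glosses over: `p=reject` with `pct` below 100 is only partially enforced, and `-all` without an enforcing DMARC policy protects only the envelope sender, so a forged `From:` header still reaches the inbox.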
xAI's infrastructure is unusual: a TLS certificate from a Chinese issuer (Guangdong Baota Security Technology), DMARC reports sent to Alibaba Cloud, and a domain registered in 1994, nearly three decades before xAI was founded. Response time: 660 ms.
All data comes from public DNS records. Verify any claim yourself:

```bash
dig +short TXT example.com          # all TXT records; the SPF record is the one starting with v=spf1
dig +short TXT _dmarc.example.com   # DMARC policy
dig +short MX example.com           # mail servers
```
I built an interactive email security checker where you can enter any domain and see its SPF policy, DMARC enforcement, approved sender list, and mail provider — all from live DNS queries.
The full analysis of all 39 companies, including Anthropic domain verification records, MCPv1 cryptographic keys, and infrastructure details, is at domainintel.vercel.app/research.
Data collected May 20, 2026. All sources are public — DNS records, SSL certificates, WHOIS, HTTP headers.
