For domains in this list there are no DNS records for SPF and DMARC:
- mediawiki.org
- wikibooks.org
- wikinews.org
- wikiquote.org
- wikisource.org
- wikiversity.org
- wikivoyage.org
- wiktionary.org
This creates a potential vulnerability, because anyone can send a letter on behalf of the Wikimedia project. Since, as far as I know, these domains are not used to send messages, the policy can be specified as restrictive as possible (p=reject; sp=reject).