The Fourths
Confidential Document
Johnson & Johnson
Public Email-Security Posture — May 2026

Johnson & Johnson — Public Email-Security Posture

SPF · DKIM · DMARC with WHOIS ownership verification · 29 May 2026

TF-REF:JNJ-EMAIL-001
Point-in-time: 29 May 2026
◆ KEY FINDING: Every domain we could prove is J&J-owned enforces DMARC. The exposure is in the brand-domain tail: 28 J&J-branded domains on J&J's own registrar publish no email authentication, and brand-domain ownership is inconsistent.
Domains examined: 56
Confirmed J&J (all secured): 19
Likely J&J (ownership unprovable): 29
Confirmed owned by others: 3

What we found — read this first

This assessment verifies ownership before drawing conclusions. Brand name is not proof of ownership: a J&J product name on a domain does not mean J&J controls that domain.

Where ownership is provable (DMARC reports flow to J&J's authentication tenant, or the registrant is named), the posture is uniformly strong — 19 of 19 confirmed domains enforce DMARC, almost all at the strongest setting (p=reject).

The real exposure is the brand-domain tail and its governance. 28 J&J-branded domains are registered through J&J's own registrar but have redacted ownership — and all 28 of them publish no DMARC at all. If J&J operates them, every one is exact-domain spoofable. We cannot prove they are J&J's from public data — and that ambiguity is itself the finding.

Why "we can't confirm" is the headline

Of the branded domains checked, several are confirmed to belong to other companies — imbruvica.com (AbbVie), ponvory.com (Juvisé Pharmaceuticals) — and others sit on consumer registrars (GoDaddy) inconsistent with J&J's estate. For a generative email-content platform, the trust layer underneath the content has to be both authenticated and governed. Today, across the J&J product portfolio, it is neither consistently.

Spotlight — spravato.com

spravato.com (the product in the Content·AI Studio demo scenario) is registered through J&J's own registrar (Key-Systems, the same registrar as jnj.com) yet publishes no SPF and no DMARC. It is very likely J&J-operated and, if so, freely spoofable — but note even here that public records do not prove the registrant. The content engine's trust layer cannot rest on an assumption.

Confirmed J&J domains (19) — ownership proven

Ownership confirmed because DMARC aggregate reports flow to J&J's authentication tenant (Red Sift OnDMARC inbox 5d14eac2 / b68acfa0) or the report address contains "jnj". Posture is strong across the board.

| Domain | SPF | DMARC | DKIM | Status |
| --- | --- | --- | --- | --- |
| jnj.com | -all | p=reject | | ENFORCED |
| janssen.com | -all | p=reject | | ENFORCED |
| jnjinnovation.com | -all | p=reject | | ENFORCED |
| jnjmedtech.com | none | p=reject | | ENFORCED |
| janssencarepath.com | -all | p=reject | | ENFORCED |
| jnjwithme.com | -all | p=reject | | ENFORCED |
| janssenmd.com | -all | p=reject | | ENFORCED |
| darzalex.com | -all | p=reject | | ENFORCED |
| darzalexhcp.com | -all | p=reject | | ENFORCED |
| carvykti.com | -all | p=reject | | ENFORCED |
| rybrevanthcp.com | -all | p=reject | | ENFORCED |
| depuysynthes.com | -all | p=reject | | ENFORCED |
| synthes.com | -all | p=reject | | ENFORCED |
| acclarent.com | -all | p=reject | | ENFORCED |
| abiomed.com | ~all | p=reject | selector1 | ENFORCED |
| acuvue.com | -all | p=reject | | ENFORCED |
| biosensewebster.com | none | p=none | | MONITOR ONLY |
| actelion.com (offline) | no A record at assessment time | | | N/A; ENFORCED |
| jnjvision.com (offline) | no A record at assessment time | | | N/A; ENFORCED |

Likely J&J — ownership not provable (29)

J&J product/brand names, registered through J&J's own registrar (Key-Systems GmbH), but with privacy-redacted registrant and no DMARC reporting to confirm operation. Treat as probable J&J assets pending internal confirmation. All live domains here publish no DMARC — exact-domain spoofable if J&J-operated. DKIM absence is not conclusive (selectors are private).

| Domain | SPF | DMARC | DKIM | Status |
| --- | --- | --- | --- | --- |
| spravato.com | none | none | | UNAUTHENTICATED |
| spravatohcp.com | none | none | | UNAUTHENTICATED |
| spravatowithme.com (offline) | no A record | | | N/A |
| stelarainfo.com | none | none | | UNAUTHENTICATED |
| tremfya.com | none | none | | UNAUTHENTICATED |
| tremfyahcp.com | none | none | | UNAUTHENTICATED |
| tremfyawithme.com | none | none | | UNAUTHENTICATED |
| invokana.com | none | none | | UNAUTHENTICATED |
| invokanahcp.com | none | none | | UNAUTHENTICATED |
| erleada.com | none | none | | UNAUTHENTICATED |
| erleadahcp.com | none | none | | UNAUTHENTICATED |
| rybrevant.com | none | none | | UNAUTHENTICATED |
| simponi.com | none | none | | UNAUTHENTICATED |
| simponihcp.com | none | none | | UNAUTHENTICATED |
| invega.com | none | none | | UNAUTHENTICATED |
| sirturo.com | none | none | | UNAUTHENTICATED |
| symtuza.com | none | none | | UNAUTHENTICATED |
| remicade.com | none | none | | UNAUTHENTICATED |
| akeega.com | none | none | | UNAUTHENTICATED |
| balversa.com | none | none | | UNAUTHENTICATED |
| ethicon.com | none | none | | UNAUTHENTICATED |
| cerenovus.com | none | none | | UNAUTHENTICATED |
| mentorwwllc.com | none | none | | UNAUTHENTICATED |
| opsumit.com | none | none | | UNAUTHENTICATED |
| uptravi.com | none | none | | UNAUTHENTICATED |
| depuy.com | none | none | | UNAUTHENTICATED |
| janssenoncology.com | none | none | | UNAUTHENTICATED |
| janssenscience.com | none | none | | UNAUTHENTICATED |
| janssenwithme.com | none | none | | UNAUTHENTICATED |

Confirmed owned by other companies (3)

Carrying a J&J-associated product name but provably not J&J domains. Excluded from any J&J finding.

| Domain | Owner | Note |
| --- | --- | --- |
| imbruvica.com | AbbVie Inc. | Co-marketed; domain owned by AbbVie |
| ponvory.com | Juvisé Pharmaceuticals | Ponvory divested by J&J (2024) |
| ponvoryhcp.com | Juvisé Pharmaceuticals | Ponvory divested by J&J (2024) |

Ownership could not be confirmed (5)

Anomalous registration or shared/ambiguous ownership — not attributed to J&J without confirmation.

| Domain | Registration | Note |
| --- | --- | --- |
| stelara.com | GoDaddy registrar | Anomalous registration: not on J&J registrar; unconfirmed |
| velys.com | GoDaddy / Domains By Proxy | Privacy-proxied; J&J MedTech brand but unconfirmed |
| xarelto.com | CSC (Bayer co-marketed) | Bayer-originated drug; ownership ambiguous |
| xareltohcp.com | CSC (Bayer co-marketed) | Bayer-originated drug; ownership ambiguous |
| janssenimmunology.com | n/a | Does not resolve; unconfirmed |

Method & scope

Passive, public-records only. Every result is read from published DNS and public WHOIS — exactly what a receiving mail server and a domain registry expose. No active scanning, no probing, no access to J&J systems. SPF and DMARC were resolved over public DNS (Cloudflare 1.1.1.1); CNAME-delegated DMARC was followed to the published policy.

Ownership verification. Each domain was checked by WHOIS (registrar + registrant) and by its DMARC aggregate-report address. A domain is marked confirmed J&J only where reports flow to J&J's authentication tenant or the registrant is named J&J/Janssen/Actelion/Abiomed. Brand name alone was never treated as proof — and that discipline surfaced domains that belong to AbbVie and Juvisé.

Limits & reading the results

SPF: -all = hard-fail · ~all = soft-fail · none = no record.
DMARC: p=reject = blocks spoofing · p=none = reports only · none = no policy.
DKIM: shown only where a key was found on a common selector; absence is not proof of no DKIM (selectors are private and not externally enumerable).
Most WHOIS registrant fields are privacy-redacted, so "likely J&J" cannot be upgraded to "confirmed" from public data; only J&J can confirm those internally.
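The reading rules above, applied to TXT records that have already been resolved. This is an added example, not part of the original report or its authors' tooling: it performs no DNS lookups or CNAME following, and every record string in it is constructed. The REVIEW and no-all labels, and counting p=quarantine as enforcing, are assumptions; the rua markers are the ones the report names.

```python
# Added example: label published SPF/DMARC TXT records with the report's vocabulary.
# Every record string below is a constructed sample, not a lookup of a real domain.
OWNER_MARKERS = ("jnj", "5d14eac2", "b68acfa0")  # rua markers named in the report

def spf_setting(txt_records):
    """Return the SPF 'all' term ('-all', '~all', ...) or 'none' when no SPF record exists."""
    for txt in txt_records:
        terms = txt.lower().split()
        if terms and terms[0] == "v=spf1":
            for term in terms[1:]:
                if term.lstrip("+-~?") == "all":
                    return term
            return "no-all"  # SPF record without an 'all' term (label is an assumption)
    return "none"

def dmarc_tags(txt_records):
    """Return the tag dict of the first v=DMARC1 record, or None when none is published."""
    for txt in txt_records:
        parts = [p.strip() for p in txt.split(";") if "=" in p]
        tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in parts)}
        if parts and parts[0].replace(" ", "") == "v=DMARC1":
            return tags
    return None

def assess(spf_txt, dmarc_txt):
    """Classify one domain from its apex TXT records and its _dmarc TXT records."""
    spf, tags = spf_setting(spf_txt), dmarc_tags(dmarc_txt)
    policy = "none" if tags is None else "p=" + tags.get("p", "").lower()
    rua = "" if tags is None else tags.get("rua", "").lower()
    if policy in ("p=reject", "p=quarantine"):  # quarantine as enforcing is an assumption
        status = "ENFORCED"
    elif policy == "p=none":
        status = "MONITOR ONLY"
    elif tags is None and spf == "none":
        status = "UNAUTHENTICATED"
    else:
        status = "REVIEW"  # hypothetical label for cases the report does not name
    owner_hint = any(marker in rua for marker in OWNER_MARKERS)
    return {"spf": spf, "dmarc": policy, "status": status, "rua_owner_hint": owner_hint}

SAMPLES = {  # constructed inputs: (apex TXT records, _dmarc TXT records)
    "enforced.example": (["v=spf1 include:_spf.example.net -all"],
                         ["v=DMARC1; p=reject; rua=mailto:5d14eac2@reports.example.invalid"]),
    "monitor.example": (["google-site-verification=abc"], ["v=DMARC1; p=none"]),
    "bare.example": ([], []),
}

if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in SAMPLES.items():
        print(name, assess(spf_txt, dmarc_txt))
```

A True rua_owner_hint only says the aggregate-report address carries one of the markers; as the report stresses, a missing hint does not disprove ownership.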

Coverage & visible emails

Domain set: a representative sample of current J&J public-facing domains (corporate, Innovative Medicine, MedTech, patient/HCP portals). Kenvue consumer brands are excluded. This is not an exhaustive registry of every domain J&J owns — that is not obtainable from public data alone. Certificate-transparency enumeration of janssen.com returned 43 subdomains, which inherit the organisational DMARC policy and are not separately listed.

Visible email addresses: none found. Public pages were checked for visibly-published addresses. J&J product sites use contact forms, telephone and ISI documents rather than published emails, and the corporate domains return HTTP 403 to automated retrieval. No addresses were captured, inferred or invented. A manual page-by-page pass can be added on request.