Powered by
Contact us




The big picture of email security

In more than 99% of business attacks, the initial hack to uncover details about the business, steal passwords, or defraud the business, is because of misconfigurations within email security.

EmailSpoofTest.com is specifically designed to solve this problem.

Email attack surface management; emailSpoofTest.com enables organizations to quickly and privately assess, correct, and validate email security controls that prevent email based attacks. By enabling validation and tuning of fraud controls, emailSpoofTest.com makes Email Attack Surface Management possible.

The details of email security

Web Surfing: When you enter a domain name into your broswer to get to a website, the browser asks DNS the location of the web server where the website is running. DNS servers allow web browsers to find web sites.

Email Sending: Much like web surfing, the sending email server finds the receiving email server using an "MX Record" in DNS to find the location of ther receiving email server to send the email to.

Fraud Checking Emails: When an email is received by an email server, it checks the sender email domain in DNS to be sure the sender is an "authorized" sender; by checking the sending domain's DNS for SPF, DMARC, and DKIM.

If email security controls are configured correctly, fake email is rejected and valid email is delivered.

The risks of poor email security

DNS can be seen by everyone; misconfigurations of DNS that cause security holes are used by cyber attackers to target their victims.

Email security products (AI/ML especially) often implemented to protect email users, heavily rely upon these DNS settings to make judgements on good or bad email. SPF, DMARC, and DKIM are standard security controls in every email system designed to prevent scammers from emailing as your employees or partners with "BEC", Whaling", and "Reply-chain" attacks.

EmailSpoofTest.com validates protection from these attacks

Most often, busineses find that these controls do not work as they are supposed to.

Misconfigured DNS is used by attackers to target easy victims.

***Email misconfigurations are often used by cyber insurance providers to deny coverage or deny claims.***

The solution to poor email security

EmailSpoofTest.com answers; "Do my email servers properly follow the standards to reject fake email?"

EmailSpoofTest.com is designed to safely and privately visualize flaws in email security and correct these flaws before attackers find them.

EmailSpoofTest.com is the first and only 100% safe security testing platform that cannot be used to harm anyone or anything. Perfect for students and those who want to learn with confidence!




Fractional CISO's overview of EmailSpoofTest.com







What is Spoofing?

Email spoofing is sending an email as someone else in attempt to “phish” or trick someone into thinking the email is from someone it is not. There are a few different methods used; 

“Spoof” name

Example

Prevention

Impersonated domains

jim@facebook.com


SPF, DKIM

Domain look-alikes

jim@facedook.com


Reverse DNS

Fake domains

jim@notarealdomain.com


Reverse DNS

Impersonation of internal user

jim@yourcompany.com

Internal Authentication, Internal SPF



Frequently Asked Questions... with answers!

What is emailSpoofTest.com and what is it used for?

EmailSpoofTest.com is the only safe, easy, and private email self-penetration testing platform with tools needed to test and validate the security of any email system.

The concept: is to send yourself phishing & fraud emails using all the possible ways hackers can fake email; to test if an email system will drop the fraud email or allow fraud email in. If you get any of the clearly marked test emails, there are instructions inside with hints on how to correct the configuration.

 

Why is there a need for emailSpoofTest.com?

We found that even the advanced and carefully configured email security systems have security controls that are misconfigured or simply do not work

Ransomware is initialized by email fraud

Penetration tests are complicated, expensive, and exposes flaws to a 3rd party

 

 

I didn't receive any email from emailSpoofTest.com, am I safe?

No, the best way to know you are protected is to have your system validated by our team.

Disclaimer: By using this site you are not safer, nor proving you are safe from anything in any way. This is simply a test tool to help you figure out how exposed (not safe) you might be. Sometimes the emails can take a few minutes to get delivered but typically our emails are delivered within 10 minutes. If its slow, its probably you, not us. Our end of the operation is very fast and simple. If this site stops working correctly please
let us know. If you did not receive any of our emails, this is not an indicator that you are protected. Check SPAM and other protection mechanisms. 

If you received one of our test emails then your systems are very likely vulnerable. If you received one of these emails in your SPAM your systems are very likely vulnerable.


 

What are you doing with my email address?

You will not get spam sourced from us! This site does not sell your email to ad firms that will annoy you later. We don't store it in a database, we just help you test. We run analytics on site traffic and the number of emails tests. We are interested in how valuable the tool is and how we can make it better for you.

 

If you find this site useful help us out!

The best way to help is to tell your friends and colleagues on social media. Show people how to use this site. Or use the site as a tool in your own consulting practice. Another way to help is feedback! Tell us how to be better. Use the form below.  

Finally, a great way to help is to test often. We see you out there and we appreciate you!

 

How businesses are using EmailSpoofTest.com

 

Penetration testers, Red Teams, and Managed Security Providers use EmailSpoofTest.com to test and correct email security controls for their customers.

 

Businesses with compliance needs for ISO, NIST, PCI, HIPAA, BOD 1801 build EmailSpoofTest.com into continuous monitoring, continuous improvement, and companies with a SOC run our tools daily to ensure ongoing protection.

 

Continuous improvement -Businesses use EmailSpoofTest.com to show a trend of consistently checking and improving email security for good cyber-hygiene, due diligence, and reduced cyber-liability.


3rd party risk mandates -Financial institutions use EmailSpoofTest.com as a 3rd party risk requirement to ensure that business partners are secure from email-based supply-chain attacks.


Change control for email and DNS -Businesses use EmailSpoofTest.com after changes or updates to an email system or DNS which can cause huge gaps that go unnoticed without testing. Test your controls with EmailSpoofTest.com to ensure security as part of the change control process.


DNS can expire and change -DNS is often changed by multiple groups within a company causing email security holes that go unnoticed without testing. Also, DNS can expire, changing your environment leaving exposure.


Cloud email changes -IP changes, DNS changes, gateway changes… we find that cloud email environments with shared IP spaces like Gsuite or M365 need the most work out of the box and require ongoing security control validation
Email security & detection mechanisms are dynamic and change constantly -this means you need to be checking for the latest BEC and phish-kit attacks often


Compliance & Audit Operating Directives -like BOD 1801, ISO, PCI, HIPAA, NIST… all require validating email security controls by testing with EmailSpoofTest.com regularly.


 

EmailSpoofTest.com Use-Cases & Licensing

Personal use Am I protected?

Personal non-business, & educational users use this site to learn about mail systems and set up testing environments. No advance mode license required.

 

Business use; Change Control Have my business defenses changed?

Changes to an email environment can leave holes that go unnoticed for years. Businesses use this site to validate controls after a change or update to email or email security. Most test at least once per month for each mail domain and after changes. Advanced license is required.

 

Business use; Penetration Test/ Security Assessments Is my business vulnerable?

Assessing the security posture for inbound mail fraud, spoofing executives, and penetration testing relays are just a few of the ways to use this site to assess and test email infrastructure. Advanced license is required.


Business use; Business value, email security efficacy & security software sales Do my customers need help?

This site is used to start pre-sales discussions around email security and prove efficacy during proof of concept comparisons. Advanced license is required.

 




Diagnostic Test Email Definitions E1-E10


Email E1 One valid email from emailSpoofTest.com to make sure you get our emails (should be deliverd to inbox)

Email E2 One email from a disallowed subdomain of an allowed domain, emailSpoofTest.com (should be quarantined by your email servers)

DNS settings for emailSpoofTest.com:

DMARC = Quarantine | Relaxed SPF | Relaxed DKIM | Reject subdomains
[v=DMARC1; p=quarantine; rua=mailto:emailspooftest@ignitecyber.co; ruf=mailto:emailspooftest@ignitecyber.co; fo=1:d:s; adkim=r; aspf=s; sp=reject]

SPF = Allow included URLs, deny others [v=spf1 include:spf.websitewelcome.com include:spf2.websitewelcome.com include:amazonses.com include:secureserver.net -all]

DKIM = email not signed [selector = a1, v=DKIM1; k=rsa; p=ZW1...]


Email E3 One email from a badDMARC.com where the policy is to strictly reject all email (should be rejected by your email servers)

Email E4 One email from a subdomain, verybad.badDMARC.com where the domain policy is set to reject all email (should be rejected by your email servers)

DNS settings for badDMARC:

DMARC = Reject | Strict SPF | Strict DKIM | Reject subdomains
[v=DMARC1; p=reject; rua=mailto:baddmarc@ignitecyber.co; ruf=mailto:baddmarc@ignitecyber.co; fo=1:d:s; adkim=s; aspf=s; sp=reject]
SPF = Deny all senders [v=spf1 -all]
DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]



Email E5 One email from badDKIM.com where the policy is to reject email without a DKIM signature (should be rejected by your email servers)

Email E6 One email from a subdomain of badDKIM.com where the policy is to require DKIM and reject subdomains (should be rejected by your email servers)

DNS Settings for badDKIM.com

DMARC = Reject | Relaxed SPF | Strict DKIM | Reject subdomains
[v=DMARC1; p=reject; rua=mailto:badDKIM@ignitecyber.co; ruf=mailto:badDKIM@ignitecyber.co; fo=1:d:s; adkim=s; aspf=r; sp=reject]
SPF = Deny all senders [v=spf1 -all]
DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]



Email E7 One email from badSPF.com that rejects all email but has no DMARC policy defined (should be rejected by your email servers)

Email E8 One email from a subdomain of badSPF.com that rejects all email but has no DMARC policy defined (should be rejected by your email servers)

DNS Settings for badSPF.com

DMARC = Not configured (Neutral)

SPF = Reject all [v=spf1 -all]

DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]



Email E9 One email from your sending email address (should be rejected by your email servers and your DMARC monitoring should raise an alert). This tests spoofing internal mail from the outside. It sends a mail from you to you but from our servers. If internal authentication is properly set this email should not get to your inbox. 



Email E10 One email from a domain that does not exist (should not deliver to inbox). This test is sent from a non-existing domain "garbageRANDOMNUMBERf.com". If this email gets to your inbox or junkmail your email system accepts email from nonexisting domains.









 

---ads by google---


 

---ads by google---


 

---ads by google---