EmailSpoofTest.com

Test your email defenses like a pro...

...so easy anyone could do it!

 

Built by security engineers to stop the global ransomware crisis.

Simple by design, secure coding is not flashy.

 

get compliant: ISO * NIST * CIS * HIPAA * PCI * SOX * SANS * BOD1801

Updated: 10/21/2020
Step 1: enter your email:  email@domain.tld

Finds security holes instantly * Works on all email systems * Audit your inbox

 
Automatic 10 test email fraud audit

Step 2: click the "Test My Email Security" button

Testing: DMARC * SPF * DKIM * Look-alike Domains * Internal-Authentication

(validates all the email security you should have setup already)

 






Step 3: Check the inbox and junk mail of the address from step 1; an email fraud report card and the test emails are delivered for review within a few minutes.

Step 4: To determine your exposure and how to correct email security issues, match any received emails to the email definitions below on this page.





OPTIONAL: Enable advanced fraud testing features to completely spoof/ create fake email with a valid code.



 
 


 

 

 

 



How to use this site


  *Tip: these are connection-level security checks; if the mail is delivered in any way, even to spam/junk, you are susceptible to fraud/spoofing. The test emails should not be accepted by your mail servers. All of the test emails should be rejected.



Automatically send 10 fraudulent (spoofed) emails to test email defenses with 1 click

Most trusted, in-depth testing available, no sign-up or gimmicks, always FREE.

 



 


 
  To identify connection-level security gaps, enter your email address into the box above and click the "Test My Email Security" button. This site will send you 10 fraudulent (spoofed) emails to test your email system's ability to detect forged or spoofed email.

Spoofed email is nearly impossible for an end user to detect, so having these controls on your mail system is critically important to overall security. All 5 test emails are described below:
 
   
Email 0 is a clean passing email from emailspooftest.com.
Email 0a is from a disallowed subdomain of emailspooftest.com. You should not get email 0a.
Severity: Critical

DNS settings for emailSpoofTest.com

  • DMARC = Quarantine | Relaxed SPF | Relaxed DKIM  [v=DMARC1; p=quarantine; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=r; aspf=s; sp=reject]
  • SPF = Allow MX, deny others  [v=spf1 mx include:secureserver.net -all]
  • DKIM = email not signed [selector = a1, v=DKIM1; k=rsa; p=ZW1...]

    *common scenario for businesses that are using all anti-fraud measures
Fix: set your inbound email inspection servers to check DMARC for subdomains
 

Email 1 is from badDMARC.com and checks if DMARC, SPF, and DKIM protections are protecting you from emails that impersonate the most secure firms like banks or governments. 

Email 1a is from a subdomain of this domain.

The badDMARC.com email test simulates spoofing a domain that fully leverages anti-fraud protection: strict SPF, strict DKIM, and required DMARC alignment. If SPF, DKIM, and DMARC protections are working on your mail servers, this email should not get to your inbox or spam.
Severity: Critical

DNS settings for badDMARC.com

  • DMARC = Reject | Strict SPF | Strict DKIM  [v=DMARC1; p=reject; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=s; aspf=s; sp=reject]
  • SPF = Deny all senders  [v=spf1 -all]
  • DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that are using all anti-fraud measures

Fix: Turn on DMARC alignment controls for your inbound email inspection gateways.

 

 

Email 2 is from badDKIM.com and checks DKIM enforcement to simulate spoofing an email that only relies on DMARC alignment of DKIM for anti-fraud. If DKIM and DMARC protections are enforced (required in high security environments) this email should not get to your inbox or spam. Use this to test email security policy by adding this to your "Force DKIM" policy. 

Email 2a is from a subdomain of this domain.
Severity: Moderate

DNS settings for badDKIM.com

  • DMARC = Reject | Relaxed SPF | Strict DKIM [v=DMARC1; p=reject; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=s; aspf=r; sp=reject]
  • SPF = Not configured (Neutral)
  • DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that cannot implement SPF due to email complexity

Fix: On your inbound email inspection gateways set DMARC alignment for DKIM restrictions to deny email without a DKIM signature for domains that require DKIM via DMARC.

 

 

Email 3 is from badSPF.com which simulates spoofing an email from a disallowed mail server. If SPF protections are working properly this email should not get to your inbox or spam.

Email 3a is a subdomain of this domain.
Severity: High

DNS settings for badSPF.com

  • DMARC = None | Strict SPF | Relaxed DKIM [v=DMARC1; p=none; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=r; aspf=s; sp=reject]
  • SPF = Reject all [v=spf1 -all]
  • DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that cannot implement DKIM on every email or only have SPF configured

Fix: Set your email inspection gateways to reject email from servers that fail SPF checks. In some systems the setting may be enabled but the emails are not rejected; in about 40% of the inspection gateways we notice, you may need to toggle the setting to get it to work. Always test security!
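
How a receiving gateway arrives at a DMARC disposition for Emails 0a, 1 and 3, as an added example that is not code from emailSpoofTest.com. It assumes the policy record is looked up only at the organizational domain, taken here as the last two labels, and the "sub." and "mail." hostnames are constructed.

```python
# Added example, not the site's code: DMARC disposition for records listed on this page.
RECORDS = {  # policy domain -> published DMARC value (rua/ruf reporting tags left out)
    "emailspooftest.com": "v=DMARC1; p=quarantine; fo=1:d:s; adkim=r; aspf=s; sp=reject",
    "baddmarc.com": "v=DMARC1; p=reject; fo=1:d:s; adkim=s; aspf=s; sp=reject",
    "badspf.com": "v=DMARC1; p=none; fo=1:d:s; adkim=r; aspf=s; sp=reject",
}

def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels (real receivers use the PSL).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(from_domain, spf=None, dkim=None):
    """spf/dkim: (result, authenticated_domain) from the receiver's own checks, or None."""
    policy_domain = org_domain(from_domain)
    if policy_domain not in RECORDS:
        return "no-policy"
    tags = parse_dmarc(RECORDS[policy_domain])
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain takes sp= when the tag is present, otherwise it inherits p=.
    is_subdomain = from_domain.lower().rstrip(".") != policy_domain
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]

if __name__ == "__main__":
    # Constructed inputs: the "sub." and "mail." hostnames are made up for illustration.
    print(dmarc_disposition("sub.emailspooftest.com", spf=("fail", "sub.emailspooftest.com")))
    print(dmarc_disposition("emailspooftest.com", spf=("fail", "emailspooftest.com")))
    print(dmarc_disposition("badspf.com", spf=("fail", "badspf.com")))
    print(dmarc_disposition("mail.badspf.com", spf=("fail", "mail.badspf.com")))
```

For badSPF.com itself the DMARC disposition is `none`, so rejection has to come from the gateway's own SPF-fail setting, which is the fix given for Email 3.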

 

  Email 4 tests spoofing internal mail from the outside. It sends a mail from you to you but from our servers. If internal authentication is properly set this email should not get to your inbox. 
Severity: Critical

Fix: On your inbound email gateways, only allow specific IP addresses to send mail from internal domains. This is typically a "relay" setting. 

 
Email 5 is sent from a non-existing domain "garbage000f.com". If this email gets to your inbox your email system does not perform reverse DNS lookups.
Severity: Critical

Fix: On your inbound email gateways, enable DNS lookups. Tip: If you host your own gateways make sure you have enough resources, test first.

             


 

Don't forget to test & audit your DLP at DataLeakTest.com

 


 
 



     
  Intended use: This site is intended to help organizations identify where their email security gaps are so that they may correct any issues. Please only use this site on systems where you have explicit written permission to do so. If misused you could get into serious legal trouble. Use at your own risk!

 
  Liability Statement: This site, its owners, creators, and sponsors (referred to as “we”) make this site available as a free public service to make the world a safer and more secure place to do business. We are not responsible for any damage caused by use or misuse.

 

EmailSpoofTest.com is owned and operated by IGNITE Cyber