Updated: 11/23/2020
EmailSpoofTest.com

Email Security Penetration Testing Platform

Step 1: enter your email: email@domain.tld

Step 2: run the automatic 10-test email fraud audit (the "Test My Email Security" button)


Step 3: Check the target inbox and junk mail folder from step 1; an email fraud report card and the test emails are delivered for review within a few minutes.


Step 4: To determine exposure and how to correct email security issues, match any received emails to the email definitions below on this page.




OPTIONAL: Advanced fraud testing features, which fully spoof or create fake email, can be enabled with a valid access code requested from the site.

Email Fraud Testing Results: emailSpoofTest.com email security lab console (2020 IGNITE Cyber)

Testing: DMARC * SPF * DKIM * Look-alike Domains * Internal Authentication
(validates all the email security you should already have set up)

Finds security holes instantly * Works on all email systems

Maps to: ISO * NIST * CIS * HIPAA * PCI * SOX * SANS * BOD1801

How to use this site
To identify connection-level security gaps, enter your email address into the box above and click the "Test My Email Security" button. This site will send you 10 fraudulent (spoofed) emails to test your email system's ability to detect forged or spoofed email.

Spoofed email is nearly impossible for an end user to detect, so having these controls on your mail system is critical to overall security. All 5 test emails are described below:
 
   
Email 0 is a clean, passing email from emailspooftest.com.
Email 0a is from a disallowed subdomain of emailspooftest.com. You should not receive email 0a.
Severity: Critical

DNS settings for emailSpoofTest.com

  • DMARC = Quarantine | Relaxed SPF | Relaxed DKIM  [v=DMARC1; p=quarantine; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=r; aspf=s; sp=reject]
  • SPF = Allow MX, deny others  [v=spf1 mx include:secureserver.net -all]
  • DKIM = email not signed [selector = a1, v=DKIM1; k=rsa; p=ZW1...]

    *common scenario for businesses that are using all anti-fraud measures
Fix: set your inbound email inspection servers to check DMARC for subdomains
 

Email 1 is from badDMARC.com and checks whether DMARC, SPF, and DKIM protections are protecting you from emails that impersonate the most secure firms, such as banks or governments.

Email 1a is from a subdomain of this domain.

The badDMARC.com test simulates spoofing a domain that fully leverages anti-fraud protection: strict SPF, strict DKIM, and required DMARC alignment. If SPF, DKIM, and DMARC protections are working on your mail servers, this email should not reach your inbox or spam folder.
Severity: Critical

DNS settings for badDMARC.com

  • DMARC = Reject | Strict SPF | Strict DKIM  [v=DMARC1; p=reject; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=s; aspf=s; sp=reject]
  • SPF = Deny all senders  [v=spf1 -all]
  • DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that are using all anti-fraud measures

Fix: Turn on DMARC alignment controls for your inbound email inspection gateways.

 

 

Email 2 is from badDKIM.com and checks DKIM enforcement by simulating spoofing of an email whose domain relies only on DMARC alignment of DKIM for anti-fraud. If DKIM and DMARC protections are enforced (required in high security environments), this email should not reach your inbox or spam folder. Use this to test your email security policy by adding this domain to your "Force DKIM" policy.

Email 2a is from a subdomain of this domain.
Severity: Moderate

DNS settings for badDKIM.com

  • DMARC = Reject | Relaxed SPF | Strict DKIM [v=DMARC1; p=reject; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=s; aspf=r; sp=reject]
  • SPF = Not configured (Neutral)
  • DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that cannot implement SPF due to email complexity

Fix: On your inbound email inspection gateways set DMARC alignment for DKIM restrictions to deny email without a DKIM signature for domains that require DKIM via DMARC.

 

 

Email 3 is from badSPF.com and simulates spoofing an email from a disallowed mail server. If SPF protections are working properly, this email should not reach your inbox or spam folder.

Email 3a is from a subdomain of this domain.
Severity: High

DNS settings for badSPF.com

  • DMARC = None | Strict SPF | Relaxed DKIM [v=DMARC1; p=none; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=r; aspf=s; sp=reject]
  • SPF = Reject all [v=spf1 -all]
  • DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that cannot implement DKIM on every email or only have SPF configured

Fix: Set your email inspection gateways to reject email from servers that fail SPF checks. In some systems the setting may be enabled but the emails are still not rejected; in about 40% of the inspection gateways we see, you may need to toggle the setting off and on to get it to work. Always test security!
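As an added example (not the site's own code), the following evaluates the DMARC records quoted above for Emails 0a, 1, 1a, 2 and 3 the way an inbound gateway would: it parses the record, applies strict or relaxed alignment for SPF and DKIM, and returns the disposition (pass, none, quarantine or reject), using sp for subdomain senders. It assumes the organizational domain is the last two labels and reduces SPF/DKIM to a pass/fail boolean.

```python
# Added example, not the site's own code: a minimal DMARC disposition evaluator
# run over the DNS records quoted on this page. Assumption: the organizational
# domain is the last two labels (real receivers use the Public Suffix List).

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("sp", tags.get("p", "none"))  # sp defaults to p when absent
    return tags

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """'pass' if an authenticated identifier aligns, else the policy action to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # The record is published at the org domain; a subdomain sender falls under sp.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags["sp"] if is_subdomain else tags["p"]

# Records as quoted on this page (rua/ruf/fo omitted; they do not affect disposition).
BADDMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; sp=reject"
BADDKIM = "v=DMARC1; p=reject; adkim=s; aspf=r; sp=reject"
BADSPF = "v=DMARC1; p=none; adkim=r; aspf=s; sp=reject"
SPOOFTEST = "v=DMARC1; p=quarantine; adkim=r; aspf=s; sp=reject"

def page_scenarios() -> dict:
    """Unsigned, SPF-failing test emails from each domain, as the site sends them."""
    unauth = (False, "", False, "")
    return {
        "email1": dmarc_disposition(BADDMARC, "baddmarc.com", *unauth),
        "email1a": dmarc_disposition(BADDMARC, "sub.baddmarc.com", *unauth),
        "email2": dmarc_disposition(BADDKIM, "baddkim.com", *unauth),
        "email3": dmarc_disposition(BADSPF, "badspf.com", *unauth),
        "email0a": dmarc_disposition(SPOOFTEST, "sub.emailspooftest.com", *unauth),
    }
```

Note that Email 3 evaluates to "none": badSPF.com's DMARC policy alone blocks nothing, which is why its fix relies on the gateway rejecting SPF hard failures rather than on DMARC.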

 

Email 4 tests spoofing of internal mail from the outside. It sends an email from you to you, but from our servers. If internal authentication is properly set, this email should not reach your inbox.
Severity: Critical

Fix: On your inbound email gateways, only allow specific IP addresses to send mail from internal domains. This is typically a "relay" setting. 

 
Email 5 is sent from a non-existent domain, "garbage000f.com". If this email reaches your inbox, your email system does not perform reverse DNS lookups.
Severity: Critical

Fix: On your inbound email gateways, enable DNS lookups. Tip: If you host your own gateways, make sure you have enough resources, and test first.

Intended use: This site is intended to help organizations identify where their email security gaps are so that they may correct any issues. Please only use this site on systems where you have explicit written permission to do so. If misused you could get into serious legal trouble. Use at your own risk!

 
Liability Statement: This site, its owners, creators, and sponsors (referred to as "we") make this site available as a free public service to make the world a safer and more secure place to do business. We are not responsible for any damage caused by use or misuse.

 

EmailSpoofTest.com is owned and operated by IGNITE Cyber