Tools by
Get Help


Our Commitment to Security and Trust

At, your privacy and security are paramount. We adhere to industry best practices for data protection and constantly evolve our platform to stay ahead of emerging email spoofing threats. You will not get spam sourced from us.

This site is built with no 3rd party code, ZeroTrust, security first by design.

Join the Fight Against Email Spoofing

Experience the peace of mind that comes with knowing your email security is up to par! By proactively testing your defenses, you can significantly reduce the risk of falling victim to email based attacks.


Built and maintained by the security experts at Ignite Cyber, stands as the only publicly available tool specifically designed to test email spoofing vulnerabilities. While other solutions focus on generic "phish" tests or basic configuration checks for RFC compliance, goes a step further. It simulates real-world phishing attacks by sending carefully crafted fraudulent emails directly to your inbox, replicating the tactics employed by attackers. This unique approach provides a reliable and targeted assessment of your email security posture.

Born out of Extensive Experience:
Ignite Cyber's extensive experience in penetration testing for government agencies and major enterprises revealed a critical gap in email security. Even with systems hardened according to best practices, email configurations often failed to adequately protect user inboxes from fraudulent emails. This highlighted the dependence of email security on several factors:

- The inherent functionality of email vendor controls (which may not always work as intended)
- Necessary DNS changes
- Email server updates and modifications
- Configuration of cloud environments

Given these variables, the need for daily testing of email security controls became readily apparent. Before, pentesters and businesses lacked a reliable solution to answer the critical question: "Do my email security controls effectively block fraudulent spoof emails?"

Traditional email fraud testing relied heavily on open-source tools and involved extensive preparation and customization to build a dedicated test environment. This approach often yielded unreliable results, hindering effective security testing. These challenges led to a widespread neglect of email security controls within the cybersecurity industry, leaving organizations vulnerable to ransomware and malware attacks often initiated through email compromise.

A Global Solution:
Recognizing the global nature of this vulnerability, Ignite Cyber undertook the challenge of creating a tool that not only pinpoints weaknesses in email security controls but also facilitates a safe and effective remediation process - all while being readily accessible to a broad audience.

The big picture of email security

In most successful business attacks, the initial hack to uncover details about the business, steal passwords, or defraud the business, is possible because of misconfigurations within email security. is specifically designed to solve this problem.

Email attack surface management; enables organizations to quickly and privately assess, correct, and validate email security controls that prevent email based attacks. By enabling validation and tuning of fraud controls, makes Email Attack Surface Management possible.

The details of email security

Web Surfing: When you enter a domain name into your broswer to get to a website, the browser asks DNS the location of the web server where the website is running. DNS servers allow web browsers to find web sites.

Email Sending: Much like web surfing, the sending email server finds the receiving email server using an "MX Record" in DNS to find the location of the receiving email server.

Fraud Checking Emails: When an email is received by an email server, it checks the sender email domain in DNS to be sure the sender is an "authorized" sender; by checking the sending domain's DNS for SPF, DMARC, and DKIM. These DNS records tell the receiving email server which email senders are real and to reject or deliver the email accordingly.

If email security controls are configured correctly, fake email is rejected and valid email is delivered. Unfortunately for businesses, most email systems fail to do this properly.

The risks of poor email security

DNS can be seen by everyone; misconfigurations of DNS that cause security holes are used by cyber attackers to target their victims.

Email security products (AI/ML especially) often implemented to protect email users, heavily rely upon these DNS settings to make judgements on good or bad email. SPF, DMARC, and DKIM are standard security controls in every email system designed to prevent scammers from emailing as your employees or partners with "BEC", Whaling", and "Reply-chain" attacks. validates protection from these attacks

Most often, busineses find that these controls do not work as they are supposed to.

Misconfigured DNS is used by attackers to target easy victims.

***Email misconfigurations are often used by cyber insurance providers to deny coverage or deny claims.***

The solution to poor email security answers; "Do my email servers properly follow the standards to reject fake email?" is designed to safely and privately visualize flaws in email security and correct these flaws before attackers find them. is the first and only 100% safe security testing platform that cannot be used to harm anyone or anything. Perfect for students and those who want to learn with confidence!

Click here to visit the Ignite Email Security Blog

Protecting your inbox from deceit is your one-stop shop for proactive email security testing. We empower individuals and organizations to take control of their email defense by providing a user-friendly platform to identify and address email spoofing vulnerabilities.

Be cautious of other tools provided by email security manufacturers. Their business relies on detecting threats AFTER they have hit your inbox. It's often that people pass other tools but score poorly using Think about it; if you stop the attacks BEFORE they hit the inbox, what will be left to do for that over-priced email security solution?

Why Email Security Matters?

Email remains a critical communication channel for businesses and individuals alike. Unfortunately, it's also a prime target for cybercriminals who employ email spoofing to launch sophisticated attacks. Spoofing involves manipulating email headers to make them appear legitimate, often mimicking trusted sources like colleagues, banks, or even government agencies.

The consequences of falling victim to a spoofing attack can be severe, leading to:

Data Breaches: Sensitive information like login credentials or financial data can be stolen.

Financial Losses: Business Email Compromise (BEC) scams, a common form of email spoofing, can result in significant financial losses.

Reputational Damage: Spoofed emails can damage your organization's reputation by eroding trust with customers and partners.

How Helps equips you with the tools to combat email spoofing attempts:

Simulated spoof tests: Send test emails with various spoofing configurations directly to your inbox.

Clear Test Identification: Our test emails are clearly marked to avoid confusion with real phishing attempts.

Detailed Reporting: Gain valuable insights into how your email client or security software handles spoofed emails.

Actionable Recommendations: Based on the test results, we provide clear recommendations to improve your email security posture.

How businesses are using

Penetration testers, Red Teams, and Managed Security Providers use to test and correct email security controls for their customers.

Businesses with compliance needs for ISO, NIST, PCI, HIPAA, BOD 1801 build into continuous monitoring, continuous improvement, and companies with a SOC run our tools daily to ensure ongoing protection.

Continuous improvement -Businesses use to show a trend of consistently checking and improving email security for good cyber-hygiene, due diligence, and reduced cyber-liability.

3rd party risk mandates -Financial institutions use as a 3rd party risk requirement to ensure that business partners are secure from email-based supply-chain attacks.

Change control for email and DNS -Businesses use after changes or updates to an email system or DNS which can cause huge gaps that go unnoticed without testing. Test your controls with to ensure security as part of the change control process.

DNS can expire and change -DNS is often changed by multiple groups within a company causing email security holes that go unnoticed without testing. Also, DNS can expire, changing your environment leaving exposure.

Cloud email changes -IP changes, DNS changes, gateway changes… we find that cloud email environments with shared IP spaces like Gsuite or M365 need the most work out of the box and require ongoing security control validation Email security & detection mechanisms are dynamic and change constantly -this means you need to be checking for the latest BEC and phish-kit attacks often

Compliance & Audit Operating Directives -like BOD 1801, ISO, PCI, HIPAA, NIST… all require validating email security controls by testing with regularly. TOS

By using this site you agree to:

Personal use: Am I protected?
Personal non-business, & educational users use this site to learn about mail systems and set up testing environments. No purchase required.

Business use; Change Control Have my business defenses changed?
Changes to an email environment can leave holes that go unnoticed for years. Businesses use this site to validate controls after a change or update to email or email security. Most test at least once per month for each mail domain and after changes. License purchase is required.

Business use; Penetration Test/ Security Assessments Is my business vulnerable?
Assessing the security posture for inbound mail fraud, spoofing executives, and penetration testing relays are just a few of the ways to use this site to assess and test email infrastructure. License purchase is required.

Business use; Business value, email security efficacy & security software sales Do my customers need help? This site is used to start pre-sales discussions around email security and prove efficacy during proof of concept comparisons. License purchase is required.

Frequently Asked Questions

What is and what is it used for? is the only safe, easy, and private email self-penetration testing platform with tools needed to test and validate the security of any email system.

The concept: is to send yourself phishing & fraud emails using all the possible ways hackers can fake email; to test if an email system will drop the fraud email or allow fraud email in. If you get any of the clearly marked test emails, there are instructions inside with hints on how to correct the configuration.

Why is there a need for

1) We found that even the advanced and carefully configured email security systems have security controls that are misconfigured or the security controls do not work as intended.

2) Ransomware is initialized by email fraud. Stop ransomware at the door by protecting the inbox from fraud.

3) Penetration tests are complicated, expensive, and exposes flaws to a 3rd party. Most penetration tests do not include fraud email testing. empowers businesses to penetration test for email fraud themselves.

I didn't receive any email from, am I safe?

No, the best way to know you are protected is to have your system validated by our team.

Disclaimer: By using this site you are not safer, nor proving you are safe from anything in any way. This is simply a test tool to help you figure out how exposed (not safe) you might be. Sometimes the emails can take a few minutes to get delivered but typically our emails are delivered within 10 minutes. If its slow, its probably you, not us. Our end of the operation is very fast and simple. If this site stops working correctly please let us know If you did not receive any of our emails, this is not an indicator that you are protected. Check SPAM and other protection mechanisms. 

If you received one of our test emails then your systems are very likely vulnerable If you received one of these emails in your SPAM your systems are very likely vulnerable.

What are you doing with my email address?

You will not get spam sourced from us! This site does not sell your email to ad firms that will annoy you later. We don't store it in a database, we just help you test. We run analytics on site traffic and the number of emails tests. We are interested in how valuable the tool is and how we can make it better for you.

If you find this site useful help us out!

The best way to help is to tell your friends and colleagues on social media. Show people how to use this site. Or use the site as a tool in your own consulting practice. Another way to help is feedback! Tell us how to be better.

Finally, a great way to help is to test often. We see you out there and we appreciate you!

What is Spoofing?

Email spoofing is sending an email as someone else in attempt to “phish” or trick someone into thinking the email is from someone it is not. There are a few different methods used;

Spoof name



Impersonated domains


Domain look-alikes

Reverse DNS

Fake domains

Reverse DNS

Impersonation of internal user

Internal Authentication, Internal SPF

Diagnostic Test Email Definitions E1-E10

Email E1 One valid email from to make sure you get our emails (should be deliverd to inbox)

Email E2 One email from a disallowed subdomain of an allowed domain, (should be quarantined by your email servers)

DNS settings for

DMARC = Quarantine | Relaxed SPF | Relaxed DKIM | Reject subdomains
[v=DMARC1; p=quarantine;;; fo=1:d:s; adkim=r; aspf=s; sp=reject]

SPF = Allow included URLs, deny others [v=spf1 -all]

DKIM = email not signed [selector = a1, v=DKIM1; k=rsa; p=ZW1...]

Email E3 One email from a where the policy is to strictly reject all email (should be rejected by your email servers)

Email E4 One email from a subdomain, where the domain policy is set to reject all email (should be rejected by your email servers)

DNS settings for badDMARC:

DMARC = Reject | Strict SPF | Strict DKIM | Reject subdomains
[v=DMARC1; p=reject;;; fo=1:d:s; adkim=s; aspf=s; sp=reject]
SPF = Deny all senders [v=spf1 -all]
DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]

Email E5 One email from where the policy is to reject email without a DKIM signature (should be rejected by your email servers)

Email E6 One email from a subdomain of where the policy is to require DKIM and reject subdomains (should be rejected by your email servers)

DNS Settings for

DMARC = Reject | Relaxed SPF | Strict DKIM | Reject subdomains
[v=DMARC1; p=reject;;; fo=1:d:s; adkim=s; aspf=r; sp=reject]
SPF = Deny all senders [v=spf1 -all]
DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]

Email E7 One email from that rejects all email but has no DMARC policy defined (should be rejected by your email servers)

Email E8 One email from a subdomain of that rejects all email but has no DMARC policy defined (should be rejected by your email servers)

DNS Settings for

DMARC = Not configured (Neutral)

SPF = Reject all [v=spf1 -all]

DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]

Email E9 One email from your sending email address (should be rejected by your email servers and your DMARC monitoring should raise an alert). This tests spoofing internal mail from the outside. It sends a mail from you to you but from our servers. If internal authentication is properly set this email should not get to your inbox. 

Email E10 One email from a domain that does not exist (should not deliver to inbox). This test is sent from a non-existing domain "". If this email gets to your inbox or junkmail your email system accepts email from nonexisting domains.


---ads by google---


---ads by google---


---ads by google---