Email security testing and monitoring information

Auditors, red-teamers & pentesters, email admins, security pros, analysts, engineers, students, advanced email security masters, general IT admins, or if you are just beginning your email security journey, emailSpoofTest.com is for you!

This site validates email security for more than 500 businesses each month, (see our stats here)

Almost every company, including defense agencies have severe deficiencies and misconfigurations in email security.

Most penetration and assessment companies overlook email security because of the lack of tools and limited capability.

Shared/ cloud environments worsens the email security issues at large scale.

Most ransomware infections start with a fraud email that should have not been delivered.

"I have email security and spam solutions, I'm protected right?"

False! Most businesses only think they are protected from phishing and have no way to test and truly determine exposure.

Email security controls often do not function as intended.

Currently, the only way to know is to test at emailspooftest.com

There are 2 types of email security defenses

1) Anti-Fraud controls -is the email fake? Should it be delivered?

2) Payload protection -does email contain malware or bad links?

Before emailspooftest.com there were only basic tools and a mix of open-source freeware that required a master of email security to piece together and operate.
Now you can test, configure and maintain any email system with emailspooftest.com

Our phishing store at

What is Spoofing?

Email spoofing is sending an email as someone else in attempt to “phish” or trick someone into thinking the email is from someone it is not. There are a few different methods used; 

Frequently Asked Questions... with answers!

What is emailSpoofTest.com and what is it used for?

EmailSpoofTest.com is the only safe, easy, and private email self-penetration testing platform with tools needed to test and validate the security of any email system.

The concept: is to send yourself phishing & fraud emails using all the possible ways hackers can fake email; to test if an email system will drop the fraud email or allow fraud email in. If you get any of the clearly marked test emails, there are instructions inside with hints on how to correct the configuration.

Why is there a need for emailSpoofTest.com?

We found that even the advanced and carefully configured email security systems have security controls that are misconfigured or simply do not work

Ransomware is initialized by email fraud

Penetration tests are complicated, expensive, and exposes flaws to a 3rd party

What are you doing with my email address?

How businesses are using EmailSpoofTest.com...

Penetration testers, Red Teams, and Managed Security Providers use EmailSpoofTest.com to test and correct email security controls for their customers.

Businesses with compliance needs for ISO, NIST, PCI, HIPAA, BOD 1801 build EmailSpoofTest.com into continuous monitoring, continuous improvement, and companies with a SOC run our tools daily to ensure ongoing protection.

EmailSpoofTest.com Use-Cases

Personal use Am I protected?

Personal non-business, & educational users use this site to learn about mail systems and set up testing environments. No advance mode license required.

Business use; Change Control Have my business defenses changed?

Changes to an email environment can leave holes that go unnoticed for years. Businesses use this site to validate controls after a change or update to email or email security. Most test at least once per month for each mail domain and after changes. Advanced license is required.

Business use; Business value, email security efficacy & security software sales Do my customers need help?

DNS settings for emailSpoofTest.com

Email 3 is from badDMARC.com and checks if DMARC, SPF, and DKIM protections are protecting you from emails that impersonate the most secure firms like banks or governments. 

Email 4 is from a subdomain of badDMARC.com.

BadDMARC.com email test simulates spoofing a domain fully leveraging anti-fraud protection; strict SPF, strict DKIM, requiring DMARC alignemnt. If SPF, DKIM, and DMARC protections are working on your mail servers this email should not get to your inbox or spam.
Severity: Critical

DNS settings for badDMARC.com

Fix: Turn on DMARC alignment controls for your inbound email inspection gateways.

Email E5 is from badDKIM.com and checks DKIM enforcement to simulate spoofing an email that only relies on DMARC alignment of DKIM for anti-fraud. If DKIM and DMARC protections are enforced (required in high security environments) this email should not get to your inbox or spam. Use this to test email security policy by adding this to your "Force DKIM" policy. 

Email E6 is from a subdomain of badDKIM.com.
Severity: Moderate

DNS settings for badDKIM.com

Fix: On your inbound email inspection gateways set DMARC alignment for DKIM restrictions to deny email without a DKIM signature for domains that require DKIM via DMARC.

Email 7 is from badSPF.com which simulates spoofing an email from a disallowed mail server. If SPF protections are working properly this email should not get to your inbox or spam.

Email E8 is a subdomain of badSPF.com.
Severity: High

DNS settings for badSPF.com

Fix: Set your email inspection gateways to reject email from servers that fail SPF checks. In some systems the setting may be enabled but the emails are not rejected, in about %40 of the inspection gateways we notice you may need to toggle the setting to get it to work. Always test security!