Email security testing and monitoring information
Auditors, red-teamers & pentesters, email admins, security pros, analysts, engineers, students, advanced email security masters, general IT admins, or if you are just beginning your email security journey, emailSpoofTest.com is for you!
This site validates email security for more than 500 businesses each month, (see our stats here)
Almost every company, including defense agencies have severe deficiencies and misconfigurations in email security.
Most penetration and assessment companies overlook email security because of the lack of tools and limited capability.
Shared/ cloud environments worsens the email security issues at large scale.
Most ransomware infections start with a fraud email that should have not been delivered.
"I have email security and spam solutions, I'm protected right?"
False! Most businesses only think they are protected from phishing and have no way to test and truly determine exposure.
Email security controls often do not function as intended.
Currently, the only way to know is to test at emailspooftest.com
There are 2 types of email security defenses
1) Anti-Fraud controls -is the email fake? Should it be delivered?
2) Payload protection -does email contain malware or bad links?
People only click malicious email if the email is delivered and the user is tricked via fraud.
Most firms and solutions focus on payload protections only, leaving large holes in email security that can go unnoticed for years.
Before emailspooftest.com there were only basic tools
and a mix of
open-source freeware that required a master of email security to piece
together and operate.
Email security control matrix
Compare email security solution
capabilites to match the gaps you find in testing
Email security test tool matrix
|Compare email security testing and auditing tool capabilities|
What is Spoofing?
Email spoofing is sending an email as someone else in attempt to “phish” or trick someone into thinking the email is from someone it is not. There are a few different methods used;
Frequently Asked Questions... with answers!
What is emailSpoofTest.com and what is it used for?
EmailSpoofTest.com is the only safe, easy, and private email self-penetration testing platform with tools needed to test and validate the security of any email system.
The concept: is to send yourself phishing & fraud emails using all the possible ways hackers can fake email; to test if an email system will drop the fraud email or allow fraud email in. If you get any of the clearly marked test emails, there are instructions inside with hints on how to correct the configuration.
Why is there a need for emailSpoofTest.com?
We found that even the advanced and carefully configured email security systems have security controls that are misconfigured or simply do not work
Ransomware is initialized by email fraud
Penetration tests are complicated, expensive, and exposes flaws to a 3rd party
I didn't receive any email from emailSpoofTest.com, am I safe?
No, the best way to know you are protected is to have your system validated by our team.
Disclaimer: By using this site you are not safer, nor proving you are safe from anything in any way. This is simply a test tool to help you figure out how exposed (not safe) you might be. Sometimes the emails can take a few minutes to get delivered but typically our emails are delivered within 10 minutes. If its slow, its probably you, not us. Our end of the operation is very fast and simple. If this site stops working correctly please let us know. If you did not receive any of our emails, this is not an indicator that you are protected. Check SPAM and other protection mechanisms.
If you received one of our test emails then your systems are very likely vulnerable. If you received one of these emails in your SPAM your systems are very likely vulnerable.
You will not get spam sourced from us! This site does not sell your email to ad firms that will annoy you later. We don't store it in a database, we just help you test. We run analytics on site traffic and the number of emails tests. We are interested in how valuable the tool is and how we can make it better for you.
If you find this site useful help us out!
The best way to help is to tell your friends and colleagues on social media. Show people how to use this site. Or use the site as a tool in your own consulting practice. Another way to help is feedback! Tell us how to be better. Use the form below.
Finally, a great way to help is to test often. We see you out there and we appreciate you!
How businesses are using EmailSpoofTest.com...
Penetration testers, Red Teams, and Managed Security Providers use EmailSpoofTest.com to test and correct email security controls for their customers.
Businesses with compliance needs for ISO, NIST, PCI, HIPAA, BOD 1801 build EmailSpoofTest.com into continuous monitoring, continuous improvement, and companies with a SOC run our tools daily to ensure ongoing protection.
Continuous improvement -Businesses use EmailSpoofTest.com to show a trend of consistently checking and improving email security for good cyber-hygiene, due diligence, and reduced cyber-liability.
3rd party risk mandates -Financial institutions use EmailSpoofTest.com as a 3rd party risk requirement to ensure that business partners are secure from email-based supply-chain attacks.
Change control for email and DNS -Businesses use EmailSpoofTest.com after changes or updates to an email system or DNS which can cause huge gaps that go unnoticed without testing. Test your controls with EmailSpoofTest.com to ensure security as part of the change control process.
DNS can expire and change -DNS is often changed by multiple groups within a company causing email security holes that go unnoticed without testing. Also, DNS can expire, changing your environment leaving exposure.
Cloud email changes -IP changes, DNS changes, gateway changes… we find that cloud email environments with shared IP spaces like Gsuite or M365 need the most work out of the box and require ongoing security control validation
Email security & detection mechanisms are dynamic and change constantly -this means you need to be checking for the latest BEC and phish-kit attacks often
Compliance & Audit Operating Directives -like BOD 1801, ISO, PCI, HIPAA, NIST… all require validating email security controls by testing with EmailSpoofTest.com regularly.
Personal use Am I protected?
Personal non-business, & educational users use this site to learn about mail systems and set up testing environments. No advance mode license required.
Business use; Change Control Have my business defenses changed?
Changes to an email environment can leave holes that go unnoticed for years. Businesses use this site to validate controls after a change or update to email or email security. Most test at least once per month for each mail domain and after changes. Advanced license is required.
Business use; Penetration Test/ Security Assessments Is my business vulnerable?
Assessing the security posture for inbound mail fraud, spoofing executives, and penetration testing relays are just a few of the ways to use this site to assess and test email infrastructure. Advanced license is required.
This site is used to start pre-sales discussions around email security and prove efficacy during proof of concept comparisons. Advanced license is required.
Expert security help!
or email: email@example.com
Email 1 is a clean passing email from emailspooftest.com.
Email 2 is from a disallowed subdomain of emailspooftest.com. You should not get email 0a.
DNS settings for emailSpoofTest.comDMARC = Quarantine | Relaxed SPF | Relaxed DKIM [v=DMARC1; p=quarantine; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1:d:s; adkim=r; aspf=s; sp=reject] SPF = Allow MX, deny others [v=spf1 mx include:secureserver.net -all] DKIM = email not signed [selector = a1, v=DKIM1; k=rsa; p=ZW1...]
*common scenario for businesses that are using all anti-fraud measures Fix: set your inbound email inspection servers to check DMARC for subdomains
Email 3 is from badDMARC.com and checks if DMARC, SPF, and DKIM protections are protecting you from emails that impersonate the most secure firms like banks or governments.
Email 4 is from a subdomain of badDMARC.com.
email test simulates spoofing a domain fully leveraging anti-fraud
protection; strict SPF, strict DKIM, requiring DMARC alignemnt. If SPF, DKIM, and DMARC protections are working on your mail servers this email should not get to your inbox
DNS settings for badDMARC.comDMARC = Reject | Strict SPF | Strict DKIM [v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1:d:s; adkim=s; aspf=s; sp=reject] SPF = Deny all senders [v=spf1 -all] DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]
*common scenario for businesses that are using all anti-fraud measures
Fix: Turn on DMARC alignment controls for your inbound email inspection gateways.
Email E5 is from badDKIM.com and checks DKIM enforcement to simulate spoofing an email that only relies on DMARC alignment of DKIM for anti-fraud. If DKIM and DMARC protections are enforced (required in high security environments) this email should not get to your inbox or spam. Use this to test email security policy by adding this to your "Force DKIM" policy.
is from a subdomain of badDKIM.com.
DNS settings for badDKIM.comDMARC = Reject | Relaxed SPF | Strict DKIM [v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1:d:s; adkim=s; aspf=r; sp=reject] SPF = Not configured (Neutral) DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]
*common scenario for businesses that cannot implement SPF due to email complexity
Fix: On your inbound email inspection gateways set DMARC alignment for DKIM restrictions to deny email without a DKIM signature for domains that require DKIM via DMARC.
Email 7 is from badSPF.com which simulates spoofing an email from a disallowed mail server. If SPF protections are working properly this email should not get to your inbox or spam.
is a subdomain of badSPF.com.
DNS settings for badSPF.comDMARC = None | Strict SPF | Relaxed DKIM [v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1:d:s; adkim=r; aspf=s; sp=reject] SPF = Reject all [v=spf1 -all] DKIM = email not signed (Selector = default) selector = default, v=DKIM1; k=rsa; p=MIIB...]
*common scenario for businesses that cannot implement DKIM on every email or only have SPF configured
Fix: Set your email inspection gateways to reject email from servers that fail SPF checks. In some systems the setting may be enabled but the emails are not rejected, in about %40 of the inspection gateways we notice you may need to toggle the setting to get it to work. Always test security!
E9 tests spoofing internal mail from the outside. It sends a mail from you to you
but from our servers. If internal authentication is properly set this email should not get to your inbox.
Fix: On your inbound email gateways, only allow specific IP addresses to send mail from internal domains. This is typically a "relay" setting.
E10 is sent from a non-existing domain "garbage000f.com". If this email gets to your inbox your email system does not perform reverse DNS lookups.
Fix: On your inbound email gateways, enable DNS lookups. Tip: If you host your own gateways make sure you have enough resources, test first.