Created by
Contact us
Need some help?
Free Email Help
*Scheduled session*
*Email experts*
No credit card needed
Used all your tests?
Try 30 days Free
*Unlimited Testing*
*Advanced Tools*
No credit card needed

Click here to visit the Email Security Blog

The big picture of email security

In most successful business attacks, the initial hack to uncover details about the business, steal passwords, or defraud the business, is because of misconfigurations within email security. is specifically designed to solve this problem.

Email attack surface management; enables organizations to quickly and privately assess, correct, and validate email security controls that prevent email based attacks. By enabling validation and tuning of fraud controls, makes Email Attack Surface Management possible.

The details of email security

Web Surfing: When you enter a domain name into your broswer to get to a website, the browser asks DNS the location of the web server where the website is running. DNS servers allow web browsers to find web sites.

Email Sending: Much like web surfing, the sending email server finds the receiving email server using an "MX Record" in DNS to find the location of ther receiving email server to send the email to.

Fraud Checking Emails: When an email is received by an email server, it checks the sender email domain in DNS to be sure the sender is an "authorized" sender; by checking the sending domain's DNS for SPF, DMARC, and DKIM.

If email security controls are configured correctly, fake email is rejected and valid email is delivered.

The risks of poor email security

DNS can be seen by everyone; misconfigurations of DNS that cause security holes are used by cyber attackers to target their victims.

Email security products (AI/ML especially) often implemented to protect email users, heavily rely upon these DNS settings to make judgements on good or bad email. SPF, DMARC, and DKIM are standard security controls in every email system designed to prevent scammers from emailing as your employees or partners with "BEC", Whaling", and "Reply-chain" attacks. validates protection from these attacks

Most often, busineses find that these controls do not work as they are supposed to.

Misconfigured DNS is used by attackers to target easy victims.

***Email misconfigurations are often used by cyber insurance providers to deny coverage or deny claims.***

The solution to poor email security answers; "Do my email servers properly follow the standards to reject fake email?" is designed to safely and privately visualize flaws in email security and correct these flaws before attackers find them. is the first and only 100% safe security testing platform that cannot be used to harm anyone or anything. Perfect for students and those who want to learn with confidence!

Fractional CISO's overview of

What is Spoofing?

Email spoofing is sending an email as someone else in attempt to “phish” or trick someone into thinking the email is from someone it is not. There are a few different methods used;

“Spoof” name



Impersonated domains


Domain look-alikes

Reverse DNS

Fake domains

Reverse DNS

Impersonation of internal user

Internal Authentication, Internal SPF

Frequently Asked Questions... with answers!

What is and what is it used for? is the only safe, easy, and private email self-penetration testing platform with tools needed to test and validate the security of any email system.

The concept: is to send yourself phishing & fraud emails using all the possible ways hackers can fake email; to test if an email system will drop the fraud email or allow fraud email in. If you get any of the clearly marked test emails, there are instructions inside with hints on how to correct the configuration.

Why is there a need for

1) We found that even the advanced and carefully configured email security systems have security controls that are misconfigured or the security controls do not work as intended.

2) Ransomware is initialized by email fraud. Stop ransomware at the door by protecting the inbox from fraud.

3) Penetration tests are complicated, expensive, and exposes flaws to a 3rd party. Most penetration tests do not include fraud email testing. empowers businesses to penetration test for email fraud themselves.

I didn't receive any email from, am I safe?

No, the best way to know you are protected is to have your system validated by our team.

Disclaimer: By using this site you are not safer, nor proving you are safe from anything in any way. This is simply a test tool to help you figure out how exposed (not safe) you might be. Sometimes the emails can take a few minutes to get delivered but typically our emails are delivered within 10 minutes. If its slow, its probably you, not us. Our end of the operation is very fast and simple. If this site stops working correctly please let us know If you did not receive any of our emails, this is not an indicator that you are protected. Check SPAM and other protection mechanisms. 

If you received one of our test emails then your systems are very likely vulnerable If you received one of these emails in your SPAM your systems are very likely vulnerable.

What are you doing with my email address?

You will not get spam sourced from us! This site does not sell your email to ad firms that will annoy you later. We don't store it in a database, we just help you test. We run analytics on site traffic and the number of emails tests. We are interested in how valuable the tool is and how we can make it better for you.

If you find this site useful help us out!

The best way to help is to tell your friends and colleagues on social media. Show people how to use this site. Or use the site as a tool in your own consulting practice. Another way to help is feedback! Tell us how to be better.

Finally, a great way to help is to test often. We see you out there and we appreciate you!

Diagnostic Test Email Definitions E1-E10

Email E1 One valid email from to make sure you get our emails (should be deliverd to inbox)

Email E2 One email from a disallowed subdomain of an allowed domain, (should be quarantined by your email servers)

DNS settings for

DMARC = Quarantine | Relaxed SPF | Relaxed DKIM | Reject subdomains
[v=DMARC1; p=quarantine;;; fo=1:d:s; adkim=r; aspf=s; sp=reject]

SPF = Allow included URLs, deny others [v=spf1 -all]

DKIM = email not signed [selector = a1, v=DKIM1; k=rsa; p=ZW1...]

Email E3 One email from a where the policy is to strictly reject all email (should be rejected by your email servers)

Email E4 One email from a subdomain, where the domain policy is set to reject all email (should be rejected by your email servers)

DNS settings for badDMARC:

DMARC = Reject | Strict SPF | Strict DKIM | Reject subdomains
[v=DMARC1; p=reject;;; fo=1:d:s; adkim=s; aspf=s; sp=reject]
SPF = Deny all senders [v=spf1 -all]
DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]

Email E5 One email from where the policy is to reject email without a DKIM signature (should be rejected by your email servers)

Email E6 One email from a subdomain of where the policy is to require DKIM and reject subdomains (should be rejected by your email servers)

DNS Settings for

DMARC = Reject | Relaxed SPF | Strict DKIM | Reject subdomains
[v=DMARC1; p=reject;;; fo=1:d:s; adkim=s; aspf=r; sp=reject]
SPF = Deny all senders [v=spf1 -all]
DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]

Email E7 One email from that rejects all email but has no DMARC policy defined (should be rejected by your email servers)

Email E8 One email from a subdomain of that rejects all email but has no DMARC policy defined (should be rejected by your email servers)

DNS Settings for

DMARC = Not configured (Neutral)

SPF = Reject all [v=spf1 -all]

DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]

Email E9 One email from your sending email address (should be rejected by your email servers and your DMARC monitoring should raise an alert). This tests spoofing internal mail from the outside. It sends a mail from you to you but from our servers. If internal authentication is properly set this email should not get to your inbox. 

Email E10 One email from a domain that does not exist (should not deliver to inbox). This test is sent from a non-existing domain "". If this email gets to your inbox or junkmail your email system accepts email from nonexisting domains.


---ads by google---


---ads by google---


---ads by google---