--- Updated: 1/13/2021  -   Test   -   Spoof Score Card   -   Email Security Report   -   Pen-Test Tool Report   -   Frequently Asked Questions   -   Help ---
EmailSpoofTest.com Frequently Asked Questions
and help
HELP
   

 


Selecting an email security solution? See the 2020 Email Security Report


How to use this site


What is emailSpoofTest.com and what is it used for?

EmailSpoofTest.com is the only safe, easy, and private email self-penetration testing platform with everything you need to test and validate the security of any email system.

The concept: is to send yourself phishing & fraud emails using all the possible ways hackers can fake email; to test if an email system will drop the fraud email or allow fraud email in. If you get any of the clearly marked test emails, there are instructions inside with hints on how to correct the configuration.

 

Why is there a need for emailSpoofTest.com?

  1. We found that even the advanced and carefully configured email security systems have security controls that are misconfigured or simply do not work

  2. Ransomware is initialized by email fraud

  3. Penetration tests are complicated, expensive, and exposes flaws to a 3rd party

 

 

Why is emailSpoofTest.com free?

It's not. It has a cost of course but we decided that the global ransomware problem was important enough to get the word out first and then see who will jump in and help.

 

I didn't receive any email from emailSpoofTest.com, am I safe?

No, the best way to know you are protected is to have your system validated by our team.

Disclaimer: By using this site you are not safer, nor proving you are safe from anything in any way. This is simply a test tool to help you figure out how exposed (not safe) you might be. Sometimes the emails can take a few minutes to get delivered but typically our emails are delivered within 10 minutes. If its slow, its probably you, not us. Our end of the operation is very fast and simple. If this site stops working correctly please
let us know. If you did not receive any of our emails, this is not an indicator that you are protected. Check SPAM and other protection mechanisms. 

If you received one of our test emails then your systems are very likely vulnerable. If you received one of these emails in your SPAM your systems are very likely vulnerable.


 

What are you doing with my email address?

You will not get spam sourced from us! This site does not sell your email to ad firms that will annoy you later. We don't store it in a database, we just help you test. We run analytics on site traffic and the number of emails tests. We are interested in how valuable the tool is and how we can make it better for you. We hope to use this data to attract better paying advertisers. This site is not for profit, it's just here to help the security community.

 

If you find this site useful help us out!

The best way to help is to tell your friends and colleagues on social media. Show people how to use this site. Or use the site as a tool in your own consulting practice. Another way to help is feedback! Tell us how to be better. Use the form below.  

Finally, a great way to help is to test often. We see you out there and we appreciate you!

 

 

 

What is Spoofing?

Email spoofing is sending an email as someone else in attempt to “phish” or trick someone into thinking the email is from someone it is not. There are a few different methods used; 

“Spoof” name

Example

Prevention

Impersonated domains

jim@facebook.com


SPF, DKIM

Domain look-alikes

jim@facedook.com


Reverse DNS

Fake domains

jim@notarealdomain.com


Reverse DNS

Impersonation of internal user

jim@yourcompany.com

Internal Authentication, Internal SPF

 

---ads by google---




I received one or more emails from emailSpoofTest.com, what is my exposure?
 


The security exposure is shown below:

 

Email Received

Prevention

Exposure

Emails E2, E4, E6, E8
  • DMARC = Qurantine | Relaxed SPF | Relaxed DKIM  [v=DMARC1; p=quarantine; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=r; aspf=s; sp=reject]
  • SPF = Allow subnet, deny others  [v=spf1 ip4:72.167.234.1/16 -all]
  • DKIM = email not signed [selector = a1, v=DKIM1; k=rsa; p=ZW1...]
Subdomain enforcement If you received email 0a the someone could impersonate a subdomain (email@subdomain.securebank.com) of a moderately protected firm. 1a, 2a, and 3a check for subdomain rejection of their respective configurations.

Email E3 - DMARC set for strict SPF alignment but SPF is set to deny all

  • DMARC = Reject | Strict SPF | Strict DKIM  [v=DMARC1; p=reject; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=s; aspf=s; sp=reject]
  • SPF = Deny all senders  [v=spf1 -all]
  • DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]

 

DMARC alignment with SPF

If you received “Email 1” your email system does not protect you from forged emails from any other sites with very good anti-fraud defenses in place. Sites could email you impersonating any site on the web.


Email E5 - DMARC set for strict DKIM alignment but enmail is not DKIM signed

  • DMARC = Reject | Relaxed SPF | Strict DKIM [v=DMARC1; p=reject; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=s; aspf=r; sp=reject]
  • SPF = Not configured (Neutral)
  • DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]

DKIM enforcement via DMARC

If you received “Email 2” your email system does not protect you from impersonation of sites that only DKIM sign their emails. Someone could forge an email in this manner and send it to you without a DKIM signature and your users would likely never know.


Email E7 – SPF set to reject all, DMARC set to none

  • DMARC = None | Strict SPF | Relaxed DKIM [v=DMARC1; p=none; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=r; aspf=s; sp=reject]
  • SPF = Reject all [v=spf1 -all]
  • DKIM = email not signed (Selector = default) selector = default, v=DKIM1; k=rsa; p=MIIB...]

SPF enforcement

If you received “Email 3” your email system does not protect you from email coming from fake senders. Anyone can send mail to you as anyone.


Email E9 -email from you, to you

Internal Authentication, Internal SPF enforcement

If you received “Email 4” your email system does not protect you from an outside entity impersonating a user internal to your company.


Email E10 -invalid domain name, no SPF, no DKIM

Reverse DNS lookups on email

If you received “Email 5” your email system does not protect you from “look-alike” or non-existent domains.



*Note: The tests performed by emailSpoofTest.com are not "all inclusive" and only represent some of the common mis-configurations possible with email. This site makes no guarantees or promises of any type!

---ads by google---


 
  To identify connection level security gaps; Enter your email address into the box above and click the "Test My Email Security" button. This site will send you 10 fraudulent (spoofed) emails to test your email system's ability to detect falsely forged or spoofed email.

 
 
 
Email 1 is a clean passing email from emailspooftest.com.

Email 2 is from a disallowed subdomain of emailspooftest.com. You should not get email 0a.
Severity: Critical

DNS settings for emailSpoofTest.com

  • DMARC = Quarantine | Relaxed SPF | Relaxed DKIM  [v=DMARC1; p=quarantine; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=r; aspf=s; sp=reject]
  • SPF = Allow MX, deny others  [v=spf1 mx include:secureserver.net -all]
  • DKIM = email not signed [selector = a1, v=DKIM1; k=rsa; p=ZW1...]

    *common scenario for businesses that are using all anti-fraud measures
Fix: set your inbound email inspection servers to check DMARC for subdomains
 

Email 3 is from badDMARC.com and checks if DMARC, SPF, and DKIM protections are protecting you from emails that impersonate the most secure firms like banks or governments. 

Email 4 is from a subdomain of this domain.

BadDMARC.com email test simulates spoofing a domain fully leveraging anti-fraud protection; strict SPF, strict DKIM, requiring DMARC alignemnt. If SPF, DKIM, and DMARC protections are working on your mail servers this email should not get to your inbox or spam.
Severity: Critical

DNS settings for badDMARC.com

  • DMARC = Reject | Strict SPF | Strict DKIM  [v=DMARC1; p=reject; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=s; aspf=s; sp=reject]
  • SPF = Deny all senders  [v=spf1 -all]
  • DKIM = email not signed [selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that are using all anti-fraud measures

Fix: Turn on DMARC alignment controls for your inbound email inspection gateways.

 

 

Email E5 is from badDKIM.com and checks DKIM enforcement to simulate spoofing an email that only relies on DMARC alignment of DKIM for anti-fraud. If DKIM and DMARC protections are enforced (required in high security environments) this email should not get to your inbox or spam. Use this to test email security policy by adding this to your "Force DKIM" policy. 

Email E6 is from a subdomain of this domain.
Severity: Moderate

DNS settings for badDKIM.com

  • DMARC = Reject | Relaxed SPF | Strict DKIM [v=DMARC1; p=reject; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=s; aspf=r; sp=reject]
  • SPF = Not configured (Neutral)
  • DKIM = email not signed (Selector = default) [selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that cannot implement SPF due to email complexity

Fix: On your inbound email inspection gateways set DMARC alignment for DKIM restrictions to deny email without a DKIM signature for domains that require DKIM via DMARC.

 

 

Email 7 is from badSPF.com which simulates spoofing an email from a disallowed mail server. If SPF protections are working properly this email should not get to your inbox or spam.

Email E8 is a subdomain of this domain.
Severity: High

DNS settings for badSPF.com

  • DMARC = None | Strict SPF | Relaxed DKIM [v=DMARC1; p=none; rua=mailto:email@emailspooftest.com; ruf=mailto:email@emailspooftest.com; fo=1:d:s; adkim=r; aspf=s; sp=reject]
  • SPF = Reject all [v=spf1 -all]
  • DKIM = email not signed (Selector = default) selector = default, v=DKIM1; k=rsa; p=MIIB...]

    *common scenario for businesses that cannot implement DKIM on every email or only have SPF configured

Fix: Set your email inspection gateways to reject email from servers that fail SPF checks. In some systems the setting may be enabled but the emails are not rejected, in about %40 of the inspection gateways we notice you may need to toggle the setting to get it to work. Always test security!

 

  Email E9 tests spoofing internal mail from the outside. It sends a mail from you to you but from our servers. If internal authentication is properly set this email should not get to your inbox. 
Severity: Critical

Fix: On your inbound email gateways, only allow specific IP addresses to send mail from internal domains. This is typically a "relay" setting. 

 
Email E10 is sent from a non-existing domain "garbage000f.com". If this email gets to your inbox your email system does not perform reverse DNS lookups.
Severity: Critical

Fix: On your inbound email gateways,
enable DNS lookups. Tip: If you host your own gateways make sure you have enough resources, test first.
 

 
EmailSpoofTest creator Chuck Sirois:
Phish in a Barrel, How email threats work
 
EmailSpoofTest creator Chuck Sirois:
Cyber Security CPU micro-architecture

 
 


 
     
 
 

     
     
 

---ads by google---


 
     
 
We help small business & large enterprises secure email!


EmailSpoofTest.com Offerings Menu
 
 

 

The Details

(free)

Understand EmailSpoofTest.com results & tests by reaching out to us.

It's fast, easy, and free!

 
 

 

*

 

Quick Secure

(starting at 4 service hours at $400-$1200 USD)

Align with: US Department of Homeland Security, Binding Operational Directive 18-01

DHS BOD 18-01

Use this service to pass the EmailSpoofTest.com audits and also leverage email security experts to perform advanced fraud analysis.

Great for firms that are having problems passing the tests on this site. Every firm that has email should pass the emailSpoofTest.com automatic fraud tests. US Federal organizations and businesses that support federal agencies will need to comply with DHS BOD 18-01 by passing the tests on this site. Agencies can use this "Quick Secure" service to become compliant.

Email security controls that should be in place today and checked often; Quick Secure should be done monthly for State/ Local & Federal Agencies.

Validate standard email security controls with Quick Secure; where, email security experts help get your email to the latest secure standard.

 

Get Quick Secure now

 

 
 

 

*

 

Ransomware Lockdown & Control Validation

(starting at 20 service hours $2000-$4000 USD)

Prepare for attack!

Align with: NIST, SANS, MITRE ATT&K, DISA

This lockdown is great for high-security and federal agencies that are likely targets for ransomware.

Ransomware Lockdown & Control Validation includes an email environment analysis from the inside and as an outside threat. Defenses, access controls, user preparation, and ability to respond to the unexpected are evaluated and adjustments implemented to ensure system availability and privacy.

These are security validations that should happen quarterly.

An official "EmailSpoofTest.com seal of Trustworthiness" which can be added to the footer of organizational email with successful completion of this program.

seal

Get Lockdown now

 
 

 

*

 

Email DLP Validation

(starting at 8 service hours $800-$1600 USD)

Secure data!

Align with: PCI, HIPAA, SOX, GDPR, CCPA

Great for hospitals, banks, and insurance carriers to protect data in email and comply with common data privacy standards.

It is recommended and standard practice to validate DLP controls monthly for PCI and HIPAA compliant businesses.

An official "DataLeakTest.com seal of Data Protection" can be added to the footer of organizational email with successful completion of this program.

seal

Get DLP validation now

 
 


***

Full-service email infrastructure and security offerings
Please use the contact form below for any of the following services;
 
 

 

Email Solutions & Services for cloud & on-prem

Email, communications & office services 

 
  • Selecting a cloud email service provider (SaaS, IaaS)

  • Cloud Migrations and Hybrid

 
 
 

 

Email Security

Secure Email Gateway (SEG) selection

 
  • SEG upkeep services 

    • Security assessments

    • Selecting on-premise email solutions

    • Security tuning

      • 24x7 advanced fraud monitoring

  • Implementation services

  • Email security solution selection

 
 
 

 

User Training

Phishing training solution selection;

 
  • End user training programs

  • Implementation services

 
 
 

 

Email DLP

Email & Enterprise DLP (Data Loss Prevention/Protection)

 
  • on-prem

  • cloud

  • hybrid

 
 
 

 

Managed Email Security

 

Managed phishing and fraud protection

Managed phishing training

Managed cloud & on-prem email deployments

Managed email compliance

Managed email security

Managed cloud & on-prem DLP

 
 
 

 

Engineering Services
 

Email Anti-Fraud (spam & malware)

Product implementation services

Product tuning and management

 

 
 

 

Strategy Services

 

Risk  Strategy alignment

3rd party risk & validation

 
 

 

Custom Services

 

VIP Security services - Dark web monitoring

Penetration Testing (breach assessment)

Systems hardening

Hacking, reversing, fuzzing, and non-traditional security control testing

 
 
Endpoint Threat Defense & Ransomware Prevention
 

 

 

 
         Expert email security help! Contact us instantly.

 

 

Have email security questions? Want expert advice? Just want to say hello or give suggestions?

Please use the form to instantly message our team.
Name:  
Email:  
Phone:  
Message:


 




IGNITE
EmailSpoofTest.com is owned and operated by IGNITE Cyber 2020