The Domain Spoofing Test is a free tool that determines if your email address is vulnerable to spoofing. Spoofing is an act of impersonating your own domain when sending emails eg. the "yourorg.com" part of your email address after the @ sign.
Using this test will increase your organisation's awareness by letting you know if your domain is susceptible to spoofing and therefore, vulnerable to CEO fraud and other spear phishing attacks using your domain.
This information can empower you to enhance your internal security measures by training your users to detect spear and other phishing attacks.
How does the Domain Spoofing Test work
To try the domain spoof test for free, use this link.
When you are on the spoofing test page you must:
- Enter your organisation email address*, and not a free account such as Gmail.
- We then create a non-malicious simple email using your own domain, and send this to the address you entered.
- If the email arrives in your Inbox, then your domain can easily be spoofed. If it lands in your Junk/Spam folders then you are most likely safe. You may also receive a non-delivery report if you have measures in place to protect against domain spoofing.
*This service is only to be used by the person in the organisation responsible for email security.
What do I do if I fail a Domain Spoofing Test?
If you have failed a Domain Spoofing Test, we recommend that you implement and verify SPF and train your users with security awareness training to help secure your domain.
What is SPF?
A Sender Policy Framework (SPF) record is a type of Domain Name Service (DNS) TXT record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to detect and prevent malicious actors from sending messages with spoofed "From" addresses on your domain.
To implement and verify SPF:
- Implement SPF. For instructions on implementing SPF, see here.
- Verify that the SPF has been implemented here.
Microsoft has their own version of SPF called “Sender ID”. To configuring Sender ID in Exchange, click the links under the version of Exchange you are using:
- Exchange 2003:
- Exchange 2007:
- Exchange 2010 & 2013:
- Exchange 2013, 2016 & Office 365
For information on making your domain more secure for either Google Apps/GSuite or Barracuda, please see the links below: