Your email provider runs the equivalent of a border checkpoint. It must do this to filter the real emails from the malicious ones. Every person (message) that wants to enter the country (server) must have its documentation in order. One of the best ways through for a malicious actor? Spoofed documentation (email spoofing).
Email spoofing is one of the most common ways attackers bypass an email server’s built-in security controls. Plus, spoofed emails are often more effective in enticing users to click. After all, an email that looks like it’s from the company CEO is pretty convincing!
That’s why it’s incredibly important to configure email security settings to stop these attacks before they land in the inbox. We’ve found EmailSpoofTest to be a useful tool for achieving just that.
What is EmailSpoofTest?
EmailSpoofTest.com is a dead-simple email penetration testing tool: enter the email address you want to test and the tool sends it 10 different emails. Each email is crafted to test a different element of your email host’s settings and its ability to catch spoofed emails.
Ideally, you should only receive Email 1 – the correctly configured email. Unfortunately, it’s far more likely that you will receive at least a few of the spoofed emails.
At least these emails come with an all-caps warning: “YOU SHOULD NEVER RECEIVE THIS EMAIL!”
If only ALL email spammers would be so kind to let you know that!
Emails 2 through 10 also carry a brief description of the security weakness in your email system that let them through. The test emails the program sends are as follows:
- Email 1: Correctly Configured Email
- Email 2: Disallowed Subdomain Test
- Email 3: Strict DMARC Reject All
- Email 4: Strict DMARC Reject All; Reject Subdomains
- Email 5: Strict DKIM Alignment
- Email 6: Strict DKIM Alignment; Reject Subdomains
- Email 7: SPF Reject All
- Email 8: SPF Reject All; Reject Subdomains
- Email 9: Internal Authentication
- Email 10: Reverse DNS
If any of these get through, you have an email security problem, and fixing these types of problems is not for the faint of heart! Correcting the issues is definitely a task you’ll want to hand off to your email security person.
In case you don’t have an email security person, we can provide some guidance on how you can fix some of the most common issues you’re most likely to encounter.
Fix Email Settings to help Prevent Email Spoofing
DMARC Problems and Email Spoofing
DMARC (pronounced dee-mark) stands for Domain-based Message Authentication, Reporting & Conformance. DMARC is a policy you publish in DNS that tells receiving email servers how to check whether a message really came from your domain (using SPF and DKIM) and what to do with a message that fails that check.
DMARC setup is found in the same place that you set up your DNS records for your website and email. Your DNS provider likely has a guide on what DNS entry to make to turn on DMARC – it will vary from provider to provider. Make sure to set the policy to “None” to start. You do not want important emails to be rejected!
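To see what the DMARC-related test emails (3 through 6) are probing for, here is an added example that evaluates a DMARC TXT record against those strictness levels. It is not code from EmailSpoofTest or from any DNS provider; the two record strings are constructed samples for example.com, and the findings text is my own wording. It starts from the “None” policy the post recommends and shows what still needs to change before the stricter tests pass.

```python
"""Evaluate a DMARC TXT record against the strictness levels the test emails probe.

Added example; not code from EmailSpoofTest or any DNS provider.
The record strings below are constructed samples for example.com.
"""
from typing import Dict, List

# Constructed sample records: what you publish at _dmarc.example.com.
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' TXT record into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC record; an empty list means it is at the
    strictest setting the test emails look for (p=reject, subdomains rejected,
    strict DKIM and SPF alignment)."""
    findings: List[str] = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers decide for themselves what to do with spoofs"]
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        return [f"invalid policy {policy!r}: receivers ignore the whole record"]
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    # sp= covers subdomains; when absent it inherits p=, so p=none also leaves subdomains open.
    sub_policy = tags.get("sp", policy)
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: mail claiming to be from your subdomains is not rejected")
    # Alignment defaults to relaxed ('r'): a signature or SPF pass for any subdomain
    # counts. Strict ('s') requires an exact match with the From: domain.
    if tags.get("adkim", "r") != "s":
        findings.append("adkim=r: a DKIM signature for any subdomain satisfies alignment")
    if tags.get("aspf", "r") != "s":
        findings.append("aspf=r: an SPF pass for any subdomain satisfies alignment")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports to see what is failing")
    return findings


if __name__ == "__main__":
    for label, record in (("monitor-only", MONITOR_ONLY_RECORD), ("strict", STRICT_RECORD)):
        print(f"{label}: {record}")
        for finding in evaluate_dmarc(record) or ["no findings"]:
            print("  -", finding)
```

Run it and the monitor-only record produces four findings (policy, subdomain policy, and both alignment modes) while the strict record produces none. The usual path is to publish p=none with an rua= address first, watch the aggregate reports until all legitimate senders are passing, and only then move to quarantine and finally reject; tightening sp= and the alignment modes is what separates Email 3 from Emails 4, 5 and 6.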
DKIM Problems and Email Spoofing
DKIM stands for DomainKeys Identified Mail. DKIM provides a signature tied to your domain name. This lets other email servers know if the email came from your mail server. Setting up DKIM requires a three-step approach.
- Go to your email host and have it generate a DKIM record.
- Go to your DNS provider and enter the DKIM record into your DNS records.
- Go back to your email host and turn authentication on.
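Between step 1 and step 2 it is worth checking the record your host gave you before pasting it into DNS, because a truncated or mis-pasted public key is the usual reason DKIM fails after setup. The following is an added example, not code from any email host, DNS provider, or EmailSpoofTest: it validates the shape of a DKIM TXT record and splits it into the 255-character strings that DNS TXT records are made of. The key bytes are a constructed placeholder with only the outer shape of a DER public key, not a real RSA key, and the selector name is assumed.

```python
"""Check a DKIM public-key TXT record before it goes into DNS, and split it into
the 255-character strings a TXT record is made of.

Added example; not code from any email host, DNS provider, or EmailSpoofTest.
The key bytes are a constructed placeholder with the outer shape of a DER
SubjectPublicKeyInfo, not a real RSA key.
"""
import base64
import binascii
from typing import Dict, List

# Constructed placeholder: DER SEQUENCE header (0x30, two-byte length 0x0122)
# followed by 290 zero bytes, the size of a 2048-bit RSA SubjectPublicKeyInfo.
FAKE_SPKI = b"\x30\x82\x01\x22" + bytes(0x122)
# What your email host hands you in step 1, to publish at selector._domainkey.example.com.
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(FAKE_SPKI).decode("ascii")


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' TXT record into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim_record(record: str) -> List[str]:
    """Return problems found in a DKIM record; an empty list means it looks publishable."""
    problems: List[str] = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        problems.append(f"unexpected version {tags['v']!r}")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {key_type!r}")
    if "p" not in tags:
        problems.append("missing p= tag: there is no public key to verify signatures with")
        return problems
    if tags["p"] == "":
        problems.append("empty p= tag: this revokes the selector, so signed mail will fail")
        return problems
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        problems.append("p= is not valid base64 (look for stray spaces, quotes or line breaks)")
        return problems
    if key_type == "rsa":
        # An RSA public key is published as a DER SubjectPublicKeyInfo, a SEQUENCE (tag 0x30).
        if not der or der[0] != 0x30:
            problems.append("p= does not decode to a DER SEQUENCE (SubjectPublicKeyInfo)")
        elif len(der) < 290:
            problems.append("key is shorter than a 2048-bit RSA key; have the host generate 2048 bits")
    return problems


def split_txt(record: str, limit: int = 255) -> List[str]:
    """Split a long record into the <=255-byte strings DNS TXT records are built from.

    Resolvers concatenate the strings, so a 2048-bit key (over 400 characters) must
    be published in pieces. Many DNS providers do this for you; others make you do it.
    """
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def join_txt(strings: List[str]) -> str:
    """Reassemble the strings the way a verifier does when it reads the record."""
    return "".join(strings)


if __name__ == "__main__":
    print("problems:", check_dkim_record(SAMPLE_RECORD) or "none")
    for piece in split_txt(SAMPLE_RECORD):
        print(f'"{piece}"')
```

The split matters because a 2048-bit key produces a record of around 410 characters, which does not fit in one TXT string; if your DNS provider's form silently truncates it, verifiers will see an unparseable key and every signed message fails. After step 3, query `selector._domainkey.yourdomain` from outside your network and run the joined result through the same check.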
SPF and Reverse DNS Problems and Email Spoofing
These thorny email problems have their roots embedded in the infrastructure of your email provider itself. You will probably need help from your email provider or need to use an email gateway in conjunction with your existing email provider to completely close up these vulnerabilities. Some providers make it easier than others.
Fractional CISO uses Google Workspace, and Google doesn’t seem super interested in addressing these problems! This is where third-party email security gateways can become very helpful.
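Even when the fix has to come from the provider or a gateway, you can at least see where you stand on the two things Emails 7 through 10 exercise: whether your SPF record ends in a hard fail, and whether your sending IPs have forward-confirmed reverse DNS. The example below is added here and is not code from EmailSpoofTest or any email provider. It evaluates an SPF record and performs the reverse DNS check; DNS lookups are passed in as functions so it runs offline against constructed tables (the IP addresses and hostnames are made up), and in practice you would substitute resolver-backed lookups. The `_spf.google.com` include is the real one Google Workspace publishes.

```python
"""Evaluate an SPF record and perform a forward-confirmed reverse DNS (FCrDNS) check.

Added example; not code from EmailSpoofTest or any email provider. DNS lookups are
passed in as functions so the example runs offline against constructed tables; in
production use resolver-backed functions (socket.gethostbyaddr for PTR, a resolver's
A/AAAA query for the forward lookup). The IP addresses and hostnames are constructed.
"""
from typing import Callable, Dict, List

# Mechanisms and modifiers that each cost a DNS lookup; SPF permits at most 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def evaluate_spf(record: str) -> List[str]:
    """Return findings for an SPF record; empty means it ends in -all with no obvious problems."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell which servers may send for your domain"]
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier, then the argument (include:x, a/24, redirect=x) to get the name.
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        elif name in LOOKUP_TERMS:
            lookups += 1  # counts only this record; includes add their own lookups
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow; list IPs or includes instead")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result, so spoofs pass through")
    elif all_qualifier == "+":
        findings.append("+all authorises every host on the internet to send as your domain")
    elif all_qualifier == "?":
        findings.append("?all is neutral: the same as publishing no policy at all")
    elif all_qualifier == "~":
        findings.append("~all is softfail: spoofs are marked, not rejected (the test wants -all)")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10, which yields permerror")
    return findings


def fcrdns_ok(ip: str, ptr_lookup: Callable[[str], List[str]],
              a_lookup: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed reverse DNS: some PTR name of the IP must resolve back to the IP.

    Receivers that apply this check reject or score down sending servers whose IP
    has no PTR record, or whose PTR name points at a different address.
    """
    for hostname in ptr_lookup(ip):
        if ip in a_lookup(hostname):
            return True
    return False


# Constructed DNS tables standing in for real PTR and A lookups.
PTR_TABLE: Dict[str, List[str]] = {
    "203.0.113.10": ["mail.example.com"],            # proper mail server
    "203.0.113.99": ["generic-host.isp.example"],    # PTR exists but does not point back
}
A_TABLE: Dict[str, List[str]] = {
    "mail.example.com": ["203.0.113.10"],
    "generic-host.isp.example": ["198.51.100.7"],
}


def ptr_lookup(ip: str) -> List[str]:
    return PTR_TABLE.get(ip, [])


def a_lookup(hostname: str) -> List[str]:
    return A_TABLE.get(hostname, [])


if __name__ == "__main__":
    for record in ("v=spf1 include:_spf.google.com -all",
                   "v=spf1 include:_spf.google.com ~all",
                   "v=spf1 ptr +all"):
        print(record, "->", evaluate_spf(record) or "ok")
    for ip in ("203.0.113.10", "203.0.113.99", "192.0.2.1"):
        print(ip, "FCrDNS ok" if fcrdns_ok(ip, ptr_lookup, a_lookup) else "FCrDNS FAILS")
```

The softfail case is the one most companies sit in: `~all` is what many providers' setup guides suggest, and it is exactly why an "SPF Reject All" test email still arrives. Moving to `-all` is safe only once every legitimate sender (marketing platform, ticketing system, the provider itself) is covered by the record, which is where DMARC aggregate reports earn their keep. The reverse DNS part is outside your DNS zone entirely: the PTR record for a sending IP belongs to whoever owns the IP, which for a hosted provider is the provider, and that is the part you cannot fix on your own.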
What’s the best way to use EmailSpoofTest?
EmailSpoofTest is a great tool, but it has limited free access. Business domains are allowed only two free tests per month, and support documentation is limited for free users.
First, use the tool to identify the flaws in your email configuration, then use existing guides (like this post) to make what corrections you can. If you have an email security specialist, they may be able to fix the problems EmailSpoofTest identifies without further help. If you don’t, or if you need more than two tests, EmailSpoofTest has reasonably priced unlimited monthly and yearly testing plans.
What other features does EmailSpoofTest have?
EmailSpoofTest has a few other tricks up its sleeve. In addition to the “Basic 10” test that users can try for free, licensed users have more advanced tests available to put to work. Licensed users can also create custom spoofing emails or send disarmed versions of real phishing emails that were used in actual attacks.
Why is Fractional CISO advocating for a commercial tool?
We typically don’t advocate for tools that require payments here on the Fractional CISO blog. Firstly, most cybersecurity tools are very expensive B2B affairs. Secondly, we firmly believe that there is no one size fits all solution for cybersecurity. Tools that might work for one company may not work at all for another.
EmailSpoofTest gets around this in a few ways. First of all, it’s free to start and inexpensive to continue – just $50 for a month. Secondly, it’s likely to be useful for almost every company. Last we checked, all modern companies use email, and email continues to be the number one avenue for cyber attacks. Finally, there’s not much else out there like it. Sure, an actual pentesting firm might find flaws in your company’s email security, but they’ll charge you more than $50 for the privilege and won’t give you recommendations that are as focused.
If your email security settings aren’t right, EmailSpoofTest and a few hours of an email security specialist’s time will get you set for years to come. It’s worth a try to help prevent email spoofing!