Domain Spoof Test

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear-phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained. Once the bad guys know they can spoof any email address, this is the next thing they do:


Once they have all publicly available email addresses, the fun starts. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. It’s often a surprise how many addresses are actually out there. Now they can send all employees an email supposedly coming from Human Resources, the CEO or perhaps the mail room, and social engineer your users to click on a link. Would you like to know if hackers can spoof your domain?

Sign Up For Your Free Domain Spoof Test

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. You can request to get this DST, so you can address any mail server configuration issues that are found. NOTE: Not everyone is qualified for the DST. It is not for individuals, but only for the person in the organization responsible for email security. We need a valid email address from the domain of your own organization, so Gmail, AOL, Yahoo or any other ISP are not accepted.

Download your free Domain Spoof Test here:


Take these Steps if your Domain Spoof Test Shows Failure

If you have failed a Domain Spoof Test, there are a few steps you can take to secure your domain. Primarily you will want to implement and verify SPF.

First, you will want to navigate to the openspf site for the correct instructions on SPF itself:

Once you have implemented SPF you can verify your implementation here:

If you use Exchange, here are instructions on how to delete emails that are spoofed from within your own domain. 

Microsoft added this to Exchange 2003 SP2, but they call it "Sender ID". Here's the blog post where it is introduced:

Here are instructions for configuring Sender ID in various versions of Exchange:

Exchange 2003:

Exchange 2007:

Exchange 2010 & 2013:

Exchange 2013, 2016 & Office 365

Google Apps/GSuite:
About SPF Records:
Enforce IP Lock in GSuite:

How is our data secured on your systems, and do you have your own datacenter or are you in the cloud?

KnowBe4 uses Amazon’s Web Services (AWS) to host our servers and data, they are a fully compliant and ISO certified facility. There is no unauthorized external access to data, we only store just enough information to accomplish the services we are set to provide, which minimally are email addresses with recorded clicks. Email addresses are encrypted, kept private and are not shared or sold to any external organizations.

I’m concerned about the email addresses that I would give you. Are they safe?

For a Free Phishing Security Test, the email addresses will remain in KnowBe4's database for a limited time. This is required to track unique email opens and clicks. For customers of KnowBe4, the Ongoing Phishing Security Tests will need to ‘persist’ email addresses so that we can periodically send simulated phishing attacks to the correct individuals. This will also be used so that you can track which of your users are failing the tests. The addresses will not be used for any purpose other than the security audit, nor will the addresses be given/sold to any third-parties for any purposes. You can archive any email address at any time.